PCI DSS compliance is no longer an annual project. New requirements this year mean that businesses must monitor their compliance on a continuous basis. So, is your QSA an expert you can turn to throughout the year to ensure your organisation is doing all it can to comply with the requirements? Or might it be time to consider your options?
Ask yourself: how many of the following sound familiar?
1. No presence on site
If you can’t remember the last time you saw your QSA on-site, or they have only contacted you via telephone or email, this will need addressing post haste. A QSA should take pride in understanding your business and this requires some on-site effort.
2. A lack of listening skills
Consultancy should be based around communication and should always have that ‘human’ element. If your QSA seems to be singing from their own hymn sheet and appears to have tunnel vision, this is a red flag. A collaborative approach shows understanding and is usually found in QSAs that have ‘real world’ knowledge of PCI DSS.
3. The output isn’t aligning with the time quoted
Unless you are satisfied that the assessment process is backed by a tried and tested methodology, this unfortunate (but frequent) issue may rear its ugly head. A QSA with a solid history and broad experience across more than one industry should be more than happy to be open about the shape of a typical assessment and the associated timelines. Should anything change mid-assessment, the reasons should be communicated to you clearly, and no additional work should commence without proper sign-off by the client.
4. No remediation advice
Whilst it is understood that the responsibility for all post-project remediation work belongs to the client, the role of the QSA is to ensure that the client never hits a roadblock. If your QSA hasn’t bought into your business goals and is dismissive of giving any form of guidance, it’s worth looking at the marketplace.
5. Future proofing
QSAs should be well informed and keep their skills and knowledge up to date. The payment landscape is changing, and the PCI DSS is evolving over time to keep pace. There may be changes in the industry that, whilst they don’t affect compliance now, may have a bearing on your projects in the future. Is your QSA highlighting these issues for you up front and helping your Information Security program to remain agile?
If any or all of these points ring true, the SRM team can offer an exploratory conversation with no obligation. We have an upcoming webinar where our principal QSA, Paul Brennecker, talks us through his real-world PCI experience. Register at https://register.gotowebinar.com/register/230352478534420994