When you need a Qualified Security Assessor (QSA) for your annual PCI DSS assessment, you’ll find plenty to choose from. As of this writing, the PCI Security Standards Council lists 385 QSA companies worldwide, and more than 180 PCI QSAs are doing business in the United States alone!
But not all QSAs are the same… So how do you find the best PCI QSA for your company? What criteria do you use to evaluate proposals and choose the QSA best equipped to fulfill your current needs?
Here are the top 6 criteria I recommend you use when searching for a new QSA partner.
1. Experience in your industry
Payment card environments vary significantly from industry to industry, just as business structure and culture do. IT systems are configured differently. Data structures and payment platforms vary. As a result, auditing in one vertical can be quite different from auditing in another.
It’s very important your QSA understands your organization, what you do in the market, the technologies prevalent in your vertical, and the compliance best practices in your industry. Only then will your QSA be able to quickly comprehend—and explain to you—how the PCI DSS applies to your specific situation, and how you can best comply with it.
2. QSA consultant experience
To hire the best PCI QSA, you need to find experienced people, not just an experienced company. You don’t want to explain your environment and payment platforms to juniors who are just out of college.
Ask for the names and qualifications of the QSAs who will service your account. You need an assessor who’s been around the block a few times—one who doesn’t just identify problems, but also brings solutions to the table.
3. Low consultant turnover rate
Along with individual consultant experience, you should also weigh companies’ consultant turnover rates. Some QSA companies have turnover rates as high as 80%. With those firms, even if you’re assigned senior consultants, they may be gone the next year or you may even lose your assessor during a project. It’s hard to build a relationship when there’s no stability on the partner side.
Ask for the QSA turnover rate as part of your RFP. Expect it to be readily available and provided by someone who actually knows the figure. If it’s not available, or the company makes an excuse for not providing it, it’s probably too high.
4. Well-defined delivery methodology
A clear description of your QSA company’s delivery methodology should be part of their proposal. That description should be phase-by-phase, step-by-step, and very explicit. It should clearly explain what each phase means, project roles and responsibilities, and what data will be needed.
If you have questions, ask. A good QSA will be happy to explain their methodology to you. It’s important you know what to expect. Only then can you work smoothly with your QSA, respond in a timely manner, and not waste your own time or theirs.
5. Customer renewal rates and/or references
Be sure to ask prospective QSA companies for their contract renewal rates, some client references, or both.
As PCI assessments are an annual event and there are many QSA providers out there, clients usually go shopping if they’re not happy with their current QSA. So, renewal rate will give you an idea of how satisfied clients are with the QSA company you’re considering.
Bear in mind that boards often impose limits on how long a company can work with a given QSA. It’s quite common for such companies to sign a 3-year or 5-year contract, then change partners. So, if a QSA company reports a renewal rate over 50%, they’re probably doing something right. Over 80%: their clients like them a lot!
6. Availability for delivery
Finally, you need to factor in the company’s availability for the job you need done. If you've been given a November deadline for submitting your report, for example, a QSA who can’t start your assessment until October probably won’t be much help to you.
Your best PCI QSA will be capable of scheduling in a way that will help you attain your goals. Discuss your specific needs and situation with them. Be sure to ask when they will be available to start your project, and how long they normally take to perform first-time assessments for clients in similar circumstances.
Want to learn more about preparing for your PCI QSA assessment? Check out our newly-published white paper, “Preparing for Your First PCI QSA Assessment: 7 Steps to Uncomplicated Compliance.”