Selecting the Right QSA For Your Business

Penetration Testing Experts


PCI has been around for years, yet I've seen very few papers on how to choose the right QSA for your business. At least not the ones that aren't completely biased. You would think both the card brands and the SSC would want to help you achieve compliance in line with your business needs and ensure that the QSA companies providing these services have met, and continue to meet, the standard of service expected.

Well, they actually do, but their hands are somewhat tied. Any attempt to provide this guidance would automatically exclude several QSA organisations that cannot adequately meet some and in a few cases any, of the criteria below. A good thing you might say, but it also stifles competition. With the right due diligence, separating the wheat from the chaff is a fairly simple process.

Having been a QSA for as long as there have been QSAs and being in a position to be as objective as I can ever be, I thought I'd try my hand at providing some of this guidance.

What is Security

Before the questions you ask the candidate QSAs will make any sense, we must first put PCI into a little perspective. And you as the reader will need to accept, with maybe a few personal amendments, my description of a security program done correctly.

Security Plan Elements

  • Review Business Plan/Goals
  • Risk Assessment
  • Business Impact Analysis
  • Policy & Procedure Formalisation
  • Security Control Implementation
  • Management Systems Implementation
  • Hand-Off to Governance Committee
  • Change Control Integration
  • Disaster Recovery & Business Continuity
  • Initiate Information Security Life Cycle
  • Begin Business As Usual


  • Unless you know what the business wants, and HOW it does business, you cannot design an appropriate security program;
  • Without a Risk Assessment and Business Impact Analysis, you have no idea what your data is worth, and cannot define an appropriate budget;
  • You will implement ONLY those controls that are in line with the risk assessment, regardless of compliance;
  • Security Controls without management systems to KEEP them in place will support neither security nor compliance;
  • Governance and change control go hand in hand, and affect business-to-IT communications and continuous compliance respectively;
  • Compliance and security are meaningless if you don't stay in business, so DR and IR all feed into Business Continuity Planning and Business as Usual; and
  • The above steps are non-linear, cyclical, and never-ending

oin us for one of our PCI DSS Training Days in March, April and May where we will explore where PCI DSS v4.0 will take us and what you need to do NOW to get set. Find out more and sign up HERE.

Scroll to Top