Choosing a QSA - tips on how to find some of the better ones...

Penetration Testing Experts


It is well known there is a low barrier of entry for a security company to become a certified QSA Company (QSAC). As long as a reasonable amount of security experience can be documented and an annual fee paid, the resultant QSA examinations are trivial to pass.  This unfortunately leads to a market that is awash with inexperienced auditors, that have made some very expensive decisions on behalf of entities whom have had to demonstrate validation against the standard.  We would recommend you consider the following starting points prior to engaging a QSAC:

  • Insist on a named auditor that you can verify – remember your ongoing face-to-face relationship will be with the QSA Consultant and not the QSAC.
  • Check the auditor's credentials – do they have experience working with companies such as yours?
  • Validate the QSAC and QSA Consultant on the PCI Security Standards website (it's surprising how many people don't) – are they “In Remediation”?  If so, contact the QSA and find out why.  Is this for a minor infringement, or is the QSA soon to disappear off the list?
  • Check the consultant has actually performed a PCI DSS Audit before and ask how many audits they have previously completed.
  • Get written references from the QSA's previous customers.  Not just for the QSA Company, but for the actual auditor you will be using.
  • A good auditor will be able to provide a number of satisfied customers that would be more than happy to take your call to discuss their past performance.
  • Interview your auditor prior to the engagement starting and ensure they understand your technology, infrastructure and business. It has been said that some QSAs don't even know what a POS is!
  • Get familiar and trained with PCI DSS before engaging a QSA and make a head start on documenting cardholder data flows and scope – it's not rocket science to identify where in your organisation cardholder data is being stored, processed or transmitted.
  • Remember that just because payments might be outsourced to a service provider does not mean you are out of scope.  Assess all service providers and connected entities too.
  • Insist that the audit is completed within a set amount of time and at an agreed job rate.  The QSA should know how to structure an audit to save you time and an “open day rate” is inadvisable for audit work, as might indicate the QSA does not have a structured methodology.
  • Keep your Audit, Advisory and Penetration Testers separate.  These should never be the same person.  If using services from the same company, ensure you will be handled in an ethical manner and all conflicts of interest are disclosed prior to engagement.
  • Don't make a selection solely on cost.  An experienced QSA will cost more to start with, but will save you money in the long run by assisting with any payment re-architecture and improvement of business processes.  You get what you pay for!
  • The QSAC might have the flashiest websitemarketing material and accolades available, and claim to have the largest number of QSAs available globally, but do you really want to work with a QSA Consultant you may never see again, perhaps selected from a pool of “salary efficient” individuals with only the minimum required experience?

The PCI SSC are making clear efforts to clean the market up and remove inexperienced QSAs from the program, and also those that have made continual errors and fail quality checks, but they cannot vet everybody and it is essential you perform due diligence prior to engagement, as it's doubtful that anyone else has.

If you are unlucky enough to choose a QSA that's not up to scratch, you are entitled to submit feedback and be treated anonymously on the PCI SSC website.  This would not affect any previous AoC or RoC that has been submitted by the QSA in question, which will remain completely valid until assessment is up for renewal.  In short, if you've got a bad RoC you will not have your compliance status revoked.

If you're still with us, take a moment to review the PCI SSC's own expectations of what to expect from a QSA.  This pretty much sums up what you should be looking for and I do hope other QSA Companies read this and up the bar too!

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top