
Organizations that require an annual PCI compliance audit have many options when it comes to choosing a Qualified Security Assessor (QSA) company. While the PCI Security Standards Council validates each QSA company’s adherence to the PCI DSS, there are still differences between QSA companies, their approaches to the audit process, and the resources they can provide.
The key question: Is the audit firm on the official PCI Qualified Security Assessor (QSA) company list?
Due to the structure of compliance as defined by the council, an organization cannot obtain an official Attestation of Compliance (AOC) from any company that is not a QSA company. If you cannot find the audit firm you are evaluating on this list, do not proceed!
Once you have selected a current QSA company, below are other key areas to consider.
Knowledge and Experience
- How long have they been doing PCI assessments?
- Have they audited companies like yours?
- Do they have experience in similar industries?
- Do they do more than one type of audit?
Attitude
- Do they see themselves as your advocate?
This is a key distinction in how the role of the QSA is defined for the PCI audit. The PCI council directs that all QSAs should view themselves as the advocate for their clients. The relationship should never feel “adversarial”!
- Do they want to educate and inform or just look for issues?
- Are they open to communication outside of the audit event?
Compliance is an ongoing journey, not a point-in-time event. Most auditors welcome a continuous discussion throughout the year to ensure there are no surprises during the annual audit event.
Strategy
- Do they approach the audit process from a risk-based perspective, or do they view the PCI DSS as a “checkbox activity?”
- Are they familiar with the use of compensating controls?
- Do they have their own internal controls for the audit process?
- Do they involve multiple people in the assessment process?
Other general questions to ask include:
- Do they have references or client recommendations?
- Have they ever provided a failing Report on Compliance to a company? If so, how did they help the company achieve a passing Report on Compliance?
- Has their company ever experienced a data breach? If so, how did they respond?
- Does their company have any complaints filed against them with an entity like the Better Business Bureau?
Bottom Line
Choosing a QSA company is a key decision in your organization’s compliance strategy. Ensuring that your QSA company is officially validated by the PCI Security Standards Council is critical and required. Ultimately, organizations should choose a QSA company that complements their experience, skills, abilities, and approach to PCI compliance.
To learn more about choosing a QSA company for third-party audits, contact Acumera at sales@acumera.net or 512.687.7410.