How to choose your PCI QSA?

When you’re subject to PCI DSS, choosing the right PCI QSA is one of the most important decisions you can make. Ultimately, all QSAs will assess you against the same standard. But having the right QSA can make your life a much more pleasant place to be. Let’s explore how the right QSA can help you achieve your goals, and how to go about selecting the right now.


What is a PCI QSA?

A PCI QSA is a Qualified Security Assessor. They are approved by the PCI Security Standards Council to perform assessments against PCI DSS and other standards.

When people talk about their PCI QSA, they can be talking about two different things:

  1. The QSA Company (“QSAC”) they have contracted with to provide services related to PCI DSS; or
  2. The lead Qualified Security Assessor on their account team.

When you contract with the same QSAC for multiple years, it’s common to find the individuals on your account team changing over time. This is a security best practice to ensure multiple pairs of eyes have visibility into your systems and practices.

Do you need a PCI QSA?

Not everyone who has to comply with PCI DSS requirements actually needs to contract with a QSAC. The card brands all publish their own requirements, defining “levels” of merchants and service providers. Only those entities at the top levels actually require a QSA-led PCI assessment. For everyone else, the need for a QSA is more complicated.

If you are not automatically required to have a QSA-led PCI assessment due to your level, there are other reasons you may still need or want to work with a QSA. Perhaps you entered into a contract with some party who requires a QSA-led assessment. Or, if you are eligible to do a Self-Assessment Questionnaire (SAQ), you can still contract for a QSA to perform this on your behalf.

There’s value in having a QSA perform your SAQ:

  • access to specialist knowledge of what the standard really requires;
  • assistance from the QSA in quickly remediating any gaps they identify;
  • a higher degree of confidence in the SAQ results, the ultimate work product for the assessment.

A QSA-led self assessment is likely to be significantly less expensive than a full level 1 assessment, and establishes a working relationship for the future.

Selection Criteria

What are the key factors you should consider when choosing a QSA firm to work with? Everyone will have their own specific requirements, but the following should always be taken into consideration.

Which regions are they registered?

Not every QSA is registered to perform work in every region. For most people, this is not a concern because you will work with a local QSA who has no issues providing the services you need. But if you’re either:

  1. considering using an offshore QSA to keep costs down; or
  2. have a business operating in more than one geography

You need to make sure that the QSAC firms you are considering can actually perform the work in the regions you need. To do this, you can review the QSAC list on the PCI SSC website. Here, there are listings for each accredited QSAC together with the markets they serve.

If you are operating a larger business in multiple markets there is another option to consider. Rather than choosing a single large, globally registered firm and doing a consolidated assessment, you can contract with multiple local firms. You effectively do multiple PCI assessments by going this route; whether it makes sense depends on how tightly coupled your business units are. If they all operate separately anyway, perhaps subjecting each one to its own PCI assessment is the correct approach.

Do they offer additional PCI Services?

QSA firms are rarely in the business of conducting PCI DSS assessments only. It’s common to find these firms providing both adjacent PCI services, and also unrelated services in the assurance space.

What are “adjacent PCI services”? Those can also be looked at as two distinct categories:

  1. services used by companies subject to PCI DSS; and
  2. performing assessments against other standards published by the PCI SSC.

Companies subject to PCI DSS are required to perform various activities every quarter or year, and some of these must be done by approved vendors. The most obvious example is the need for quarterly vulnerability scanning by an Approved Scanning Vendor (ASV). Many QSAC firms are also registered as ASV companies, so you can use a one-stop-shop approach for both of these needs.

Another service frequently needed by companies with PCI DSS scope is that of penetration testing. If you have Internet facing infrastructure, you’ll likely need to perform penetration testing of these assets both annually, and after any significant change. Many QSACs also have a group which performs penetration testing for their clients on a contract basis, streamlining this aspect of the process.

Going beyond this, some QSACs offer security management services, from log review and escalation management, all the way to vCISO services. With these you need to be more careful: having a department of one firm assess the security-critical work of another department can create conflict of interest considerations. Before outsourcing significant aspects of your security management to a QSAC you should have a conversation about how they handle these conflicts. Phrases like “Chinese wall” should come up in that conversation.

Can they help you meet other regulatory requirements?

QSACs are often well placed to help you with your compliance requirements beyond just the PCI space. Some QSA firms are also CPAs, and are therefore able to conduct assessments such as SOC2 themselves. Others partner with CPA firms, allowing them to collaborate on an approach to assessing their clients against frameworks such as PCI DSS and those of the AICPA.

Some countries have very specific requirements around the management of various components in the payment system. A good example: Australia requires that all payment HSMs comply with a local standard established by the APCA. If you are requred to be assessed against such a standard, having a PCI QSA who can do both has some potential cost savings.

Even if the quote for a combined assessment from a QSAC is no cheaper than two separate assessments, consider that there may still be opportunitites for savings when going this route. If it will be the same team on the QSAC side, and the same team on your side, then there’s less overhead in getting everyone acquinted with your business and its operations. You may save time on your side by doing all the evidence collection in one series of interviews, rather than two separate ones. Remember to look beyond the raw numbers when doing the cost/benefit analysis of one firm for multiple assessments.

Can you work together?

As you have your discussions with multiple QSA firms, one question you should always be thinking: is this someone I want to work with? To get a good answer for this, it’s better if the people you are speaking with during the sales process will also be on your delivery team after you sign the contract. You want to be able to assess how knowledgable and reasonable the members of your team will be, and frankly how pleasant they will be to be around.

For me, not being able to speak with the person who will ultimately be my lead QSA, pre-contract, is a red flag. I am going to spend many hours on the phone with this person over the year, and need to be able to have effective conversations with that person.

If you are not able to speak with the actual individual who will be your QSA, there are some other indicators available to you. What is your impression of their overall culture? Are they listening to you, and crafting a custom proposal that is tailored to the specifics of your situation? Or are you getting a one size fits all proposal, where they’ll worry about the details if you sign?

You should be prepared to ask some questions that have specific, detailed answers. Maybe ask about their approach to sample selection and their evidence gathering approach. How do they respond? Do they take the time to go into the detail with you? Perhaps ask them to walk through a scenario where they’ve found something non-compliant in your environment. How do they raise it with you? What do they look for you to do, and what assistance can they provide?

This aspect is very similar to hiring an employee. They will be in your space for a while, and have a big impact on how your project is likely to go. Does your gut tell you they’ll be a source of solutions, or problems?

Do your Due Diligence

The PCI DSS requires that you conduct due diligence on any parties able to affect the security of CHD. Start out as you mean to go on with a formal due diligence process when selecting your QSA.

What does this due diligence process look like? Ultimately you’re going to define a checklist of items that each candidate will be measured against. You need to understand what criteria are important to any company in your position, and also whether you have any specific needs beyond this. You can start with the items listed above in this article, and expand from there.

  • Can they perform PCI DSS work in your region(s)?
  • Do they provide additional services you’ll need to be PCI DSS compliant?
  • Have they assessed companies with a similar size and business to yours?
  • Do they do crossover work, such as SOC 2 assessments?
  • Is their proposal fixed cost? How do they handle scope creep or overruns?

As you go through your list of items, gather the evidence in each area and collect it in one place. You want to have this material to hand as you go through your decision making process.

Once you feel you have all the information needed to make a decision, write a report on what should be done. Do this because the act of writing a report forces you to organize your thoughts and see potential issues in your arguments. It doesn’t have to be a large report, but you should be able to justify how you made a big decision like this.

Finally, you should keep a copy of your report plus the material you gathered in a secure location. You want to maintain this for several years past the end of the contract in case any disputes arise. It’s always helpful to be able to go back and be reminded why decisions were made, based on what information.