In our time as a QSA firm, we have made a point of listening to the complaints clients raise about QSAs. Below is a rundown of the main ones we have heard, and our response to each.
‘They hardly come onsite’
The PCI Council is paying close attention to this, as there are persistent reports that some QSAs rarely go onsite to assess an entity. Being onsite matters not only for assessing the technology, but for confirming that people and processes are compliant too. Even if the infrastructure is cloud based, being at the entity's head office is still important, and we will always be there.
‘When they’re onsite, we don’t know what they’re doing’
We have heard this one a few times, predominantly when a QSA is helping with remediation. That makes no sense to us: a QSA who is onsite should be actively assisting, with clear objectives agreed up front. Time efficiency matters, so we aim to strike a balance between doing a thorough job and not consuming more of your time than necessary.
‘QSAs won’t give advice to de-scope’
Withholding de-scoping advice is ethically wrong. We are all invested in avoiding a card data breach, and reducing an organisation's risk profile is a large part of that. But a smaller scope means less work for the QSA, so we have heard of cases where no de-scoping advice was forthcoming. From our perspective, if we think you can reduce scope in a way that fits your business profile, we will definitely recommend it.
‘QSAs are expensive’
The up-front cost of engaging a QSA is usually far lower than the cost of countless internal hours spent trying to interpret the PCI DSS. That said, some QSAs try to lock you into contracts, even on the initial engagement. We believe in earning our stripes and offer tailored quotes commensurate with your environment. If we prove our expertise, you will have no reason to leave, and the benefit will clearly outweigh the cost.
‘They don’t give advice’
What good is a QSA who does not give advice? We are meant to be the industry experts, and organisations look to us for advice and support. Just ticking boxes helps no one. We not only assess but also advise on effective solutions where appropriate.
‘QSAs can’t communicate’
You need to be well rounded to be a QSA, and being an IT genius does not necessarily make you a good one. If the client cannot understand their requirements, the value of the QSA diminishes. Our team is hand-picked for sufficient technical knowledge, excellent interpersonal skills, solid report-writing ability, and good character.