We just got the budget approved to bring in a PCI DSS compliance consultant to help us prep for our assessment. What factors should we consider when evaluating PCI consultants?
Consultants can be invaluable partners for organizations seeking to navigate the waters of the Payment Card Industry Data Security Standard (PCI DSS). They often have valuable experience interpreting the standards in a variety of settings that can be adapted to help your organization choose a compliance approach and make difficult decisions about the best way to interpret PCI DSS in your business context. For that reason, I think the two most important criteria to evaluate when considering a new consulting partner are their experience with PCI and their comfort with operating in your business environment.
The first of these, experience, is a sine qua non for a PCI consultant. You're paying them to provide you with PCI expertise, so they should be able to clearly demonstrate that they have deep experience applying the standard in real-world settings. If you have doubts about a firm's PCI experience, that's a clear red flag that you should look elsewhere. Take some of the tougher questions you are tossing around internally and pose them to the firm. While they will likely not want to give you concrete answers for your situation without having conducted a complete assessment, they should be able to provide you with examples of similar situations they've encountered in their work.
The second criterion, comfort in your business context, is likely going to be what sets a handful of firms apart from the pack. Notice that I use the phrase "business context" and not "industry" or "solution category." You should take some time to think about what characteristics make you different from other organizations when it comes to PCI, and then look for firms that have experience in that area. This might be your industry -- perhaps you're looking to find a firm with particular experience in health care, education, retailing or e-commerce -- but it could just as easily be some other characteristic. For example, if you're about to embark on a major mobile payment initiative, you might want to find a firm that has already overcome that particular learning curve. Similarly, if you've invested heavily in virtualization, find a consulting partner that has several projects under its belt that involved implementing the PCI DSS Virtualization Guidelines.
Choosing a consulting partner is a serious, hopefully long-term decision, and you should take the time to choose a firm well-suited to your business needs.
Related Q&A from Mike Chapple, Enterprise Compliance