We just got the budget approved to bring in a PCI DSS compliance consultant to help us prep for our assessment. What factors should we consider when evaluating PCI consultants?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
Consultants can be invaluable partners for organizations seeking to navigate the waters of the Payment Card Industry Data Security Standard (PCI DSS). They often have valuable experience interpreting the standards in a variety of settings that can be adapted to help your organization choose a compliance approach and make difficult decisions about the best way to interpret PCI DSS in your business context. For that reason, I think the two most important criteria to evaluate when considering a new consulting partner are their experience with PCI and their comfort with operating in your business environment.
The first of these, experience, is a sine qua non for a PCI consultant. You're paying them to provide you with PCI expertise, so they should be able to clearly demonstrate they have deep experience applying the standard in real-world settings. If you have doubts about a firm's PCI experience, that's a clear red flag you should look elsewhere. Take some of the tougher questions you are tossing around internally and pose them to the firm. While they will not likely want to give you concrete answers for your situation without having conducted a complete assessment, they should be able to provide you with examples of similar situations they've encountered in their work.
The second criteria, comfort in your business context, is likely going to be what sets a handful of firms apart from the pack. Notice that I use the phrase "business context" and not "industry" or "solution category." You should take some time to think about what characteristics make you different from other organizations when it comes to PCI, and then look for firms that have experience in that area. This might be your industry -- perhaps you're looking to find a firm with particular experience in health care, education, retailing or e-commerce -- but could just as easily be some other characteristic. For example, if you're about to embark on a major mobile payment initiative, you might want to find a firm that has already overcome that particular learning curve. Similarly, if you've invested heavily in virtualization, find a consulting partner that has several projects under their belt that involved implementing the PCI DSS Virtualization Guidelines.
Choosing a consulting partner is a serious, hopefully long-term decision, and you should take the time to choose a firm well-suited to your business needs.
This was first published in May 2013