For the readers who don't know, a QSA is a Qualified Security Assessor. While the PCI SSC claims that all PCI DSS QSAs are equally trained and qualified according to its validation requirements, I would not necessarily go with the cheapest one.
The reason is that a QSA's failure to provide a quality, accurate and adequately deep assessment could result in substantial fines and difficulties with your acquiring bank and the card companies. As such, I would want to know about the reputation of the QSA service, as well as its willingness and financial ability to stand behind its work should a problem arise.
So, when looking for a PCI DSS QSA, some questions to consider are:
- Does your acquiring bank have any QSA services they have vetted and recommend?
- How long has the QSA service been around?
- How many QSA assessments has the company done? Are there any examples of corrective actions that were required following their assessments, or reviews by the acquiring banks?
- What do other companies, preferably in your industry, have to say about the QSA service in question? Would they recommend it?
- Does the QSA service have any example remediation checklists you can review, even if sanitized following use at other companies?
- What is the financial depth of the QSA service? Is it underwritten by a larger company, or is it a smaller shop that could suffer greatly from one major corrective action?
In summary, you may decide to pick the cheapest one, but you need to understand that sometimes you get what you pay for. When you need help answering questions from your acquiring bank, or if a credit card data breach has occurred, you don't want to struggle with a QSA service that has gone out of business or doesn't have the depth to support you in your crisis.
This was first published in April 2010