For the readers who don't know, a QSA is a Qualified Security Assessor. While the PCI SSC claims all PCI DSS QSAs are equally trained and qualified according to their validation requirements, I would not necessarily go with the cheapest one.
For instance, the failure of a QSA to provide a quality, accurate and adequately deep assessment could result in substantial fines and difficulties with your acquiring bank and the card companies. As such, I would want to know about the reputation of the QSA service, as well as its willingness and financial culpability should a problem arise.
So, when looking for a PCI DSS QSA, some questions to consider are:
- Does your acquiring bank have any QSA services they have vetted and recommend?
- How long has the QSA service been around?
- How many QSA assessments has the company done? Are there any examples of corrective actions that were required following their assessments, or reviews by the acquiring banks?
- What do other companies -- preferably in your industry -- have to say about the QSA service in question? Would they recommend it?
- Does the QSA service have any example remediation checklists you can review, even if sanitized following use at other companies?
- What is the financial depth of the QSA service? Is it underwritten by a larger company, or is it a smaller shop that could suffer greatly from one major corrective action?
In summary, you may decide to pick the cheapest one, but you need to understand that sometimes you get what you pay for. When you need help answering questions from your acquiring bank, or if a credit card data breach has occurred, you don't want to struggle with a QSA service that has gone out of business or doesn't have the depth to support you in your crisis.
Related Q&A from Ernie Hayden