
The cost of an audit: Choosing a competent PCI DSS QSA

Choosing the least expensive PCI DSS QSA for your PCI audit might seem like common sense, but not all auditors know what they're doing. In this expert response, Ernie Hayden describes what to look for in a competent QSA.

We're in the process of engaging a QSA service and I've been surprised by the divergence in price among the services. As they're all claiming to offer the exact same service, is it a good idea to go for the cheapest one?

For the readers who don't know, a QSA is a Qualified Security Assessor. While the PCI SSC claims all PCI DSS QSAs are equally trained and qualified according to its validation requirements, I would not necessarily go with the cheapest one.

The reason is that the failure of a QSA to provide a quality, accurate and adequately deep assessment could result in substantial fines and difficulties with your acquiring bank and the card companies. As such, I would want to know about the reputation of the QSA service, as well as its willingness to stand behind its work and accept financial responsibility should a problem arise.

So, when looking for a PCI DSS QSA, some questions to consider are:

  • Does your acquiring bank have any QSA services they have vetted and recommend?
  • How long has the QSA service been around?
  • How many QSA assessments has the company done? Are there any examples of corrective actions that were required following their assessments, or reviews by the acquiring banks?
  • What do other companies -- preferably in your industry -- have to say about the QSA service in question? Would they recommend it?
  • Does the QSA service have any example remediation checklists you can review, even if sanitized following use at other companies?
  • What is the financial depth of the QSA service? Is it underwritten by a larger company, or is it a smaller shop that could suffer greatly from one major corrective action?

In summary, you may decide to pick the cheapest one, but you need to understand that sometimes you get what you pay for. When you need help answering questions from your acquiring bank, or if a credit card data breach has occurred, you don't want to struggle with a QSA service that has gone out of business or doesn't have the depth to support you in your crisis.

This was last published in April 2010
