So, you have been notified by a client, card brand, or your acquiring bank that you have to engage a third-party QSA company to perform a QSA-led PCI DSS assessment. There are some things that you need to know, or need to consider before moving forward.
As someone who has worked with quite a few clients, there are some pretty clear patterns with organizations that are prepared—and those that are unprepared—for my visit. While it’s always easy to share the “horror stories” I’ve seen, it’s equally important to recognize the good along with the bad.
The goal of this post, along with my upcoming webinar, is to help you understand the clear path of getting it done right.
Don’t check the box.
If your goal is to “check the box” on your compliance assessment, then my advice is to shop only by price and only choose organizations with immediate availability all day every day. You should also go buy extra cyber-liability insurance, or some sort of breach protection coverage.
I don’t say this because the PCI DSS is a complete answer to being breached, I say this because it’s a sign of the culture within the organization. It’s ugly, but it’s out there. Being compliant does not make you secure, but it does ensure that you have the minimally expected set of controls in place specific to a scope or set of data. So, keep in mind that being budget conscious and “doing the minimum possible” are two very different concepts.
Plenty of organizations do this correctly, though. Organizations with a security framework in place when I visit have a much higher chance of obtaining “authentic compliance.” PCI DSS does indeed map to many of the known security frameworks, making everyone’s life that much easier. The goal is to understand the intent of each requirement, and ensure that the vulnerabilities it helps mitigate are truly mitigated within your environment.
I don’t know of a single QSA who relishes writing a non-compliant report. You work with a client, grow to know and in many cases like them, so the last thing you want to do is see them spend tens of thousands of dollars on a report that tells them they are non-compliant. The saddest part is it’s going to cost them lots more money than they expected at the start (fines, fees, new audit, quickly implementing controls, etc).
“I need this assessment done for one of my clients in 6 weeks…No I’ve never been through this before, I’m not even the technical guy.”
Pump the breaks on that right there and slow down. A successful QSA assessment includes your being realistic about what’s involved.
Recently, on a scoping call for a PCI assessment, our contact admitted that they had never reviewed the PCI DSS and heard it was a lot to do, but had no choice to get it done in a few weeks. We worked with them to contact the authority asking for the report, explained where we were in the proposal process and what an expected schedule would look like. At that point the authority’s point of contact agreed that they could not get it done in that amount of time, accepted an engagement letter that outlined expectations and dates, and gave them the time they needed to get it done right.
Clients and banks do sometimes use PCI as a hammer and not a nail; however, the majority want you to do it right and protect their data. They just want to understand their risk and make the right decisions based on the QSA-led PCI DSS assessment.
In my years as a QSA, I’ve seen the good, the bad and the ugly when it comes to QSA-led assessments. What I’ve learned is that solid preparation on your part goes a long way to saving you time and your company money.
There are 7 things you can do to be ready for your QSA-led PCI DSS assessment. Join me on Thursday, June 21, 2018 for an educational webinar on this topic.
Along with the 7 ways to uncomplicate your assessment, you’ll learn:
- How to view your payment card environment through the eyes of a QSA;
- Why a “corporate understanding” of payment data security is business critical;
- Which key security processes must be documented; and
- How to engage the right QSA at the right time.
And, I’ll be taking questions directly from the audience.