4 Ways to Get the Most from Your PCI QSAs

In response to Heartland CEO Robert Carr's claim that his qualified security assessors (QSAs) missed key weaknesses during a PCI security audit of his company, security experts offer tips to get the most from an assessment.

By , Senior Editor

September 09, 2009, CSO

In an interview with CSOonline last month, Heartland Payment Systems Inc. CEO Robert Carr lashed out against qualified security assessors (QSAs) who audited his company for PCI security compliance, claiming they missed key network holes that ultimately enabled a massive data security breach. Readers hit back, slamming Carr for not owning up to problems rampant in his IT security operation -- for one example, read One Man's View: Heartland CEO Must Accept Responsibility.

Also see Heartland CEO on Data Breach: QSAs Let Us Down


In response to the response, CSOonline polled security experts who have performed and received assessments in an effort to create a brief checklist for getting the company-QSA relationship off to the best possible start. Here are four key suggestions:

1. Choose your vendor wisely
One common problem is that the QSA is chosen too hastily because the company wants to get the process over with as quickly as possible. The result is that the company hires an assessor who isn't well versed in the issues unique to its environment.

Mark Allison, vice president of information security at Las Vegas-based Global Cash Access, said companies must conduct a thorough vetting of all QSA providers to ensure whoever is chosen specializes in the problems most common in their particular industry.

"Ensure the vendor has SMEs that meet your needs and don't be alarmed if some vendors subcontract with other qualified entities to build a comprehensive response," he said. "Like you, professionals leverage their strengths and shore up limitations by hiring expertise. Do your homework and assess the credentials of all vendors and participants and understand how blending their efforts into a comprehensive plan can lead to successful execution."

2. Lay the groundwork
One thing that's certain to get a company's security assessment off to a bad start is a lack of planning, Allison said. Therefore, he recommends starting with a self-assessment. That way, the company has a good idea of where the weak points are before the QSA arrives. On day one, security administrators should brief the QSA on everything they know up to that point, so the QSA can sharpen his or her focus on particular problem areas and come up with a more productive action list.

"Obtain the latest self-assessment questionnaire from the PCI DSS website," Allison said. "And remember that anything less than complete candor will impede your assessor's ability to complete their work efficiently and effectively."

3. Give the QSA access to key players
Another thing that can cripple the assessment process is that the company tries to limit the QSA's exposure to as few people as possible. This might be because management doesn't want the QSA getting poor direction from employees who don't necessarily have a full grasp of things. But it's always better to give the QSA access to all the key players, said Daniel Wallace, a Detroit-based consultant and information security project manager. Wallace recently wrote a comprehensive post on the subject in the Information Security Resources blog.
