How to use a QSA assessment to secure a cardholder data environment

Read Mathieu Gorge’s top five tips to prepare for a PCI QSA assessment, and learn how that preparation enables a secure cardholder data environment.

In the world of the Payment Card Industry Data Security Standard (PCI DSS), merchants and payment service providers are always interested in recommendations as to how to deal with -- and, ideally, work harmoniously with -- Qualified Security Assessors (QSAs). 

Yet, most entities at level 1 (that process more than six million transaction per year and must use a QSA), and entities at levels 2, 3 and 4, who voluntarily elect to use a QSA to help them with PCI DSS compliance, complain about the interaction, citing challenges ranging from lack of security knowledge on the QSA's part and lack of flexibility over compensating controls, to assessors who don't understand de-scoping, and even sometimes QSAs' unethical over-recommendations of technical products they sell.

So how do entities go about choosing the right QSA and building a good working relationship? What additional benefits of working with a QSA can organisations expect? Below are my top five tips for preparing for and working with a QSA.

Tip #1: Understand the PCI DSS accreditation process before the QSA has to explain it.

There are typically five steps in the lifecycle of the initial accreditation. They can be summarised as follows:

  1. Education – Ensuring your PCI DSS team, C-level managers, IT and operation staff fully master the requirements of the standard and the validation mechanism that applies to your organisation.
  2. Pre-assessment – The organisation needs to perform a self-governed audit to benchmark its current security posture against the controls mandated by PCI DSS.
  3. Remediation phase – In order to be fully ready for PCI DSS certification, your organisation will require a mix of:
    • Policies and procedures
    • Technical products
    • User awareness training
      This is the most time-consuming phase, as it involves taking corrective action and potentially implementing changes to the network (for instance, segmenting the network to reduce PCI DSS scope), which requires allocating budgets and adds man-time to the project.
  4. Actual QSA assessment takes place.
  5. Continuous compliance – The organisation must have a process to ensure it remains in compliance at all times. This involves regularly performing self-governed audits, upgrading technologies, performing ASV scans and pen tests, updating policies and procedures, training new hires and retraining existing staff.

Demonstrating to your QSA  you are in full control of the accreditation process is key to ensuring you build a good working relationship with him or her. It also helps your organisation manage time, effort and cost related to the QSA assessment.

Tip #2: Perform due diligence on your QSA.

A good place to start when researching QSAs is the Visa list of PCI DSS-validated service providers. This list not only shows which customers have successfully completed a PCI DSS assessment, but also, more importantly, the QSA involved in those assessments. This gives insight as to how many assessments have been carried out by your prospective QSA, and offers an idea of how large those  assessments were and the QSA's overall experience level. In addition, it provides names of companies that have already been through the PCI DSS assessment with that QSA --companies with whom you can check references and perform your own due diligence on the assessor.

Tip #3: Demonstrate to your QSA you are in control of your cardholder data environment.

Make sure you have network diagrams, ecosystems diagrams, penetration tests -- both external and internal -- policies and procedures, and all other documents required for the assessment ready and at hand. Make sure all people who may be needed for interviewing are available when the QSA is on site. Remember: As part of the assessment, QSAs should randomly interview in-scope staff (those covered by requirement 12.6), as well as IT and management staff. All of these staff members need to be briefed and fully aware of all policies and procedures applying to them as part of their awareness training. Also, make sure all logs and devices needed for the assessment can be readily accessed.

This kind of demonstration has a twofold effect. First, it makes the process of the PCI DSS assessment smoother and faster; second, it shows a level of professionalism toward the assessment that will convince the assessor you know what you are doing.  A lot of companies only see the assessment from their point of view rather than from the assessor’s point of view. QSAs also have something to lose, if, for example, a company they passed their inspection was later compromised. Thus, making the assessor feel you understand and have thoroughly prepared for the assessment will help if a situation arises – and they usually do -- wherein your interpretation of a requirement does not exactly match  the assessor’s interpretation.   

Tip #4: Be prepared to handle objections from your QSA.

As mentioned above, it is highly likely that you will have at least one requirement where you and the assessor’s interpretation differ slightly. There is also the possibility that, for reasons beyond your control, some requirement cannot be satisfied in the manner outlined by the PCI DSS requirements. For example, you cannot encrypt a proprietary database you use. When this happens, you need to put in place and document a compensating control that can perform the same function, as the PCI DSS requirement.

Compensating controls are the most difficult part of an assessment for the assessor.  The assessor will have to evaluate the organisation's solution and decide if it satisfies the particular PCI DSS requirement’s intention. Most other requirement checks basically involve the assessor making sure the recommended technologies and processes are in place and set up correctly.  This process is fast enough. Checking a compensating control, however, requires assessors to make a judgment call. They have to be totally convinced that it fulfills the spirit of the control for which it is compensating before they will allow it to pass. So make sure you have mastered and documented the compensating control thoroughly.

Also, remember: PCI DSS compliance is an ongoing process; logs have to be updated and analyzed on a daily basis; any changes to access permissions have to be documented; internal and external scans need to be run quarterly, etc. QSAs must come back every year to revalidate compliance, as the cardholder data environment might have changed since their last assessment. Therefore, the organisation cannot treat the assessment in isolation; it must be treated as an ongoing process. Good QSAs will quiz an organisation about the continuous compliance aspect of its PCI DSS strategy, which can lead to interesting conversations for which you need to be fully prepared.

Tip #5: Consider splitting the QSA audit lifecycle into different phases handled by different QSAs, and, Keep your eyes on the prize: protecting cardholder data

All PCI DSS assessments begin with a gap analysis to compare the present security setup with the required PCI DSS setup. Next comes the remedial phase, wherein a company is expected to close this gap, and then the PCI DSS assessment can take place.

Whilst allowing the same QSA organisation to handle all phases of this process has obvious benefits in relation to passing the PCI DSS assessment, it is not the best way to implement PCI DSS. It amounts to letting the same people who do your accounts also audit those accounts -- i.e., auditing one's own work, which questions the impartiality aspect of the process. Employing a different QSA to do the actual PCI DSS assessment will ensure a more rigorous assessment, as they will be more objective and less complacent than might be the case if the same QSA that implemented the remedial actions where to do it. Try to remember the underlying objective of the assessment is to secure cardholder details, not just to pass.

Keep in mind that PCI DSS assessments are only point-in-time assessments; they do not replace audits for continuous compliance. The real goal of PCI is to achieve and maintain compliance at all times: not only to comply with contractual agreements with your merchant bank, but also protect cardholder data and, therefore, protect your brand and reputation. Taking a slipshod approach to compliance -- or working with a QSA who does -- will distract you from the real intent of PCI DSS and will hinder your efforts to protect data. Following the aforementioned steps and working with a knowledgeable and conscientious QSA will help you comply with the standard, as well as protect your data and organisational image in a timely and effective manner.

About the author:
Mathieu Gorge is the CEO and founder of VigiTrust. He specializes in PCI DSS, HIPAA & ISO 27001 and speaks regularly at international security conferences.

Read more on Regulatory compliance and standard requirements