
PCI Onsite Assessment - Part 5

05-31-2010

Part Five - Selecting a QSA!

This is the fifth chapter in a series about preparing for and going through a PCI assessment:

1. Part One - Intro to a PCI on-site assessment & the QSA selection process
2. Part Two - Preparation for an on-site assessment and what to do first!
3. Part Three - Defining your scope so you know what you're assessing
4. Part Four - Authoring a PCI On-site Assessment RFP
5. Part Five - Selecting a QSA to conduct an on-site PCI assessment
6. Part Six - Preparing your Company and I.T. department for the assessment
7. Part Seven - Important documents to have to manage your assessment

Selection: Start off by researching about 5-9 QSA firms online via forums, networking and reputation; you can find the authorized list of QSAs here. I split my selection process into 2 phases. The first one is researching and contacting 6-7 QSAs and having high-level summary conversations with them. During this stage I try to find out about their core businesses/services, how long they have been performing PCI, professionalism, how interested they are in doing business with my organization, and things of that nature.

The second phase is after I have narrowed that list to 3, when I start to try and get an in-depth understanding of their qualifications and who I think would be the best fit for this relationship. Yes, I said relationship; this is, I believe, the most important aspect of your decision making. This can be (especially if it's your first) a long, stressful process that has the potential to kick off dozens of very expensive remediation projects. You are going to want a QSA that not only does his job well, but can have a great working relationship with your organization to help guide and recommend remediation and compensating control options. Having a good working relationship in what can be a 6-9 month assessment for some is critical to the success of the whole thing.

Below is a summary of critical things I look for in a QSA:

1. A good fit for a business relationship and partnership
2. Practical application of PCI requirements and controls in real world situations
3. Strong background and experience with payment systems
4. Ability to get to the core intent of a requirement
5. In-depth expertise in subject material and ability to test controls
6. Strong technical understanding of risks and information technology
   - (Not some financial audit guy turned PCI auditor)

After you have gotten your list down to 3, prepare both subject areas and specific questions to discuss. I would also recommend you get input from your engineers and managers that own your payment systems. Next, develop interview/meeting questions and weight both the questions and answers. This will help you quantify and qualify your decision; see this “QSA Selection Scoring Matrix” as a template to help you get started, but I would recommend you add and update your own questions. Understand this is a VERY VERY subjective decision; it's hard to quantify, but this should help.

Prior to setting up meetings between your engineers and theirs, request that the QSA give you a hard list of which team members will be dedicated to this assessment and request they be on the calls. Many QSA firms will tell you they can't promise you who will be available when the assessment comes around, and I understand it's hard for them to do so. But demand that the engineers that are on the calls, and are in essence the ones selling the QSA firm to you, are also the ones that will be performing the assessment.

Don't let them switch on you; hold them to it and/or get it in writing. I have seen this in the past where you will have meetings between your engineers and their best experts, build a strong confidence in their ability to conduct the PCI assessment, and then after they get the contract they switch their team, taking those guys off and adding less experienced staff. Can you say bait and switch?

Now you are ready to set up meetings between some of your engineers and theirs. Remember to ask the questions in your scoring matrix and score their responses. Don't be scared to go into a few areas you know you are going to have problems in; this will not only help you assess their practical PCI expertise, but give you an idea of whether they are going to be a partner, or whether this would be a combative relationship. Also test the waters on arguing a few requirements with them as far as what they feel is the intent of the requirement, and argue a few areas you feel you may have compliance challenges; this will help you gauge where their head is.

During these meetings, go over your RFP and environment and make sure they are both well understood. Ask what their experience is related to your environment, applications, databases, payment systems and what background their engineers have with these systems. Have they only audited them, or have they administered these in the past as engineers? That's an important distinction. Also ask questions about the experience of the QSA project manager that will be in charge of the assessment on their end.

Remember this is not an exact science, but with any auditor selection it's important to try to get it right, because this could be a long relationship.


