How to Make Your QSA-Led Assessment Go Smoothly


If your business collects, transmits, stores, or processes any type of payment card information, then you already know that compliance with PCI DSS is a fact of life. You — or your security team — most likely know the standard inside and out, and spend a great deal of time ensuring that your business is doing everything possible to adequately protect your customers’ data.

For most small businesses, maintaining compliance requires an annual self-assessment, or a Report on Compliance. Depending on the credit cards that your business accepts, you may need to submit up to five questionnaires to prove that the organization is taking every necessary precaution to adhere to the standards. For larger businesses, or those that do more volume each year, the process is a bit more involved. Level 1 merchants — those who process more than 6 million transactions per year — must undergo a compliance assessment by a Qualified Security Assessor, or QSA. As independent third parties, QSAs conduct assessments and help businesses develop plans for remediating issues and maintaining ongoing compliance.

While a QSA-led assessment can feel intimidating, the assessor is on your side and wants to help you achieve compliance. With that in mind, there are some things you can do to ensure that the process goes smoothly.

Tip #1: Conduct a Pre-Assessment

While you cannot submit a self-assessment to the PCI Council as a Level 1 merchant, you can conduct a preliminary assessment before the QSA assessment to identify and correct issues beforehand. Conducting a pre-assessment can also help you define the scope of the audit, which will save time and hassle down the road. As you work through the self-assessment questionnaire, approach each item honestly and thoroughly, and avoid leaving anything out. If you aren’t sure whether something falls under the scope of the audit, make a note to discuss it with the QSA.

Tip #2: Conduct Penetration Tests and Scans in Advance

One of the requirements of PCI DSS is that the business conduct penetration tests and vulnerability scans of all client-facing applications — and fix any issues found — within a 12-month cycle. Waiting until audit time to run them is likely to leave you out of compliance, since any findings will still need to be remediated and re-tested before the assessor can sign off.

Tip #3: Be Prepared for Pushback

There are likely to be cases in which you and your QSA will disagree about the interpretation of a standard or control. This is especially likely in cases where you cannot comply with a standard in the exact way that PCI DSS requires, but where you have compensated for it with an equivalent measure. However, your assessor may not agree that the substitute control is adequate, and you need to be prepared to make the case and demonstrate exactly how your compensating control protects cardholder data.


Tip #4: Get Your Documentation in Order

Your assessor is going to request documentation of all your controls and processes. A proper Report on Compliance is not simply a matter of checking things off a list, and a reputable QSA will not simply take your word for it when it comes to compliance. Be prepared to produce documentation that supports your claims of compliance; it’s best to keep everything organized and up to date at all times.

Tip #5: Realize that Compliance Isn’t Guaranteed

While you are paying the QSA, and he or she is on your team when it comes to evaluating compliance, this does not guarantee that you will be found compliant. You are not paying for a compliant assessment; you are paying for an assessment. If you are non-compliant in any fashion, you will have the opportunity to remediate the problem within a certain timeframe, but your assessor has no control over that deadline and cannot simply move dates around to make you happy.

At times, a QSA-led assessment can feel like a burden, with a lot of extra paperwork and meetings, but it’s an important part of a complete security plan. It’s also only the first step in maintaining compliance. Remember: QSA assessments are an annual requirement, and a compliant report one year does not guarantee a compliant report the following year. The assessment is simply part of your process of continuous compliance, and it will help you identify risks and make changes to ensure that your business — and your customers — are protected from data breaches.
