QSA’s are friendly… As long as you pick the right one… (Part 2)
QSA Partner. Continuation from Part 1…
Selecting a QSA partner
Back to the joys of selecting a QSA partner! I know when I contact them they are all going to want to know a lot of details about my business, including technical configurations. This is because of a PCI audit like many other audit frameworks needs to verify the policy and configuration details of just about, every component of your business and networks to properly scope the amount of work for your environment. This includes standard server images hardening process to firewalls, antivirus, change management, software development, physical access, visitors, vendors, policies, etc.
When I was a QSA, I was privy to many audits. Some as small as a simple web and database configuration to full retail businesses that spanned multiple countries. Each of these audits is so different in scope, that the QSA needs to really understand the business to be sure they have the resources to provide the quality of service necessary for the job and the qualifications to service the job.
However, at ZZ Servers we were lucky as we were only a USA based company but because PCI is segmented by regions any company that goes into Europe, Latin America, Asia, .. need to work with a QSA that is authorized to audit and report in those regions. Understand that not all QSAs service all regions of the world, so as you search the SSC QSA search portal be sure you select the region you are in so you don’t waste the QSA and your time.
Prepare your Org. for the QSA Partner
Knowing that the QSA Partner is going to ask a lot of questions, there are several things I prepare before contacting my short list of providers:
- NDA – You are going to share a lot of details. The QSA may want to use their NDA but most will be happy to sign yours. This way you are able to define the controls and restrictions on any information you share with them.
- Network diagram, including card data flow. If you have flow diagrams for more of your network that would be extremely helpful as well! Many people only document their cardholder network. However, you may find a good QSA will ask about your non-PCI network as well to understand your configuration better. Plus many firms may not realize that domain controllers, mail servers, syslog servers and other traditional corporate resources may actually be “in-scope” for PCI and the QSA is responsible for ensuring the definition of the audited cardholder network is properly scoped.
- A detailed system and service inventory. This inventory includes all of the servers and applications running in your cardholder network. Hopefully, that inventory matches the network diagrams and data-flows from the last step.
- Policies and procedures for everything. You do have policies right? And procedures defining “what” you do based on those procedures? Extra points if you reference the PCI (SOC, FFIEC, …) reference # (or at least an index for) each policy and procedure fulfills so the auditor can easily review and check off that the policies are all in-place. Nothing like having to reach a new policy at each company that’s 100+ pages and having to manually validate a cross-reference every PCI policy requirement. That adds hours and $$$ onto your project.
- Business description and how the business stores, processes and transmits cardholder data. ZZ Servers is a managing hosting service provider so while we do validate our payment systems our level 1 validation is on the services we provide and how they can be used by merchants or service providers to ensure compliance of their businesses. Be ready to discuss this with each potential QSA. If you can’t describe how cardholder data is used they will have to discover it and chances are that won’t go well for anyone.
- A list of all locations the business processes card data. For ZZ we have data-centers in San Jose and Washington DC along with our NOC in the Hampton Roads area. A QSA can sample locations but may also want to visit all locations. We usually work on a 2-year cycle with each QSA with each year the NOC being reviewed along with one of the data-centers per year. A larger network could involve significant travel and time.
- Details about employees and business functions. The audit will include HR, Legal, Finance in addition to the technical requirements.
- Information about the in-house software development processes and procedures.
- Change control process and systems used
Questions to ask QSA Partners
Here are a few ideas to get you started with questions to ask potential QSAs you want to work with:
- Find out if they have any business specialties. Some QSAs specialize in the Internet of Things (IoT), some in Banks, some in e-commerce businesses.
- Do you need a multi-lingual QSA?
- Can you contact any prior customers or references?
- Does your team present or do research that is publicly available?
- How much community work does the company or employees do?
- How much of your core team is focused on your core services?
- What was your worst customer experience and how would you work with them next time?
- Which of your services can be performed remotely?
- What other services do you provide that can help my business?
- What is the largest challenge the PCI industry and businesses are working with this year?
- What is your business practice on overbooking and scheduling of service?
- What is the largest project your company has ever worked on?
- What is the smallest project your company has ever worked on?
Some partnerships are more than technical skill and availability. A cultural fit is also important and usually, allows for better communication. Remember your QSA Partner IS your partner. Helping you find anything you may have missed, but also helping validate those areas you are succeeding in. The goal is to protect the customer and data.
So back to my QSA Partner story
I’ve prepared my RFQ questions and answers and have contacted my handful of QSAs and now I wait. Sometimes I have to contact a few more and re-contact the original list. Not all QSAs are large consulting firms and in many situations, the owners and operators are also the sales team. There are arguments for working with larger “well established” firms, but a good auditor isn’t restricted to the largest firms. I’ve found incredible auditors and consultants working in many small firms around the world.
Eventually, 3 or 4 of them contact me. We set-up meetings and within a week I’ve met with each and spent my 60-90 minutes with each going through everything at a high level. They don’t need the policies now, just need to know they are there and indexed. It still takes time with each and after the meetings, I know have to wait for them to discuss internally and figure out how much they want to bid on the job.
With ZZ Servers we are not a large company or have “bank” or other similar association and I feel the 2 or 3 quotes I receive are somewhat honest quotes. Yes, banks and large corporations are larger but sometimes the price of success is you end up with higher bids because firms know you have the money.
The Interview with the QSA Partner
So after starting with 6 possible QSAs, adding 2 or 3 more in the process to a total of 9 contacted, I ended up having interviews with 4 of them and only got 2 quotes back! Makes me glad I only have to do this once a year!
Out of the few quotes I received, I select a QSA to work with for this year’s audit and get ready to spend the next few weeks diving deep into all of those gathered details, documents and servers for our Level 1 status.