PCI SSC (Payment Card Industry Security Standards Council) compliance is meant to protect customer and client card data from theft and unauthorized disclosure. Businesses and organizations that process credit card information must ensure that their systems are secure and that clients’ data is well protected. For a business or organization to earn a PCI compliance certificate, its systems must be audited by a QSA (Quality Security Auditor) to ensure they meet the various requirements that have been set. Ensuring that an organization or business is PCI compliant often falls to the organization’s CTO or IT personnel, or the task can be outsourced.
Whereas a Quality Security Auditor’s job is to audit your network and information systems, a QSA should preferably also act as a PCI consultant during a business’s or organization’s PCI compliance effort. An organization could also hire a PCI consultant before bringing in a QSA for an assessment, to make it more likely that the business will be certified. Bringing in a QSA too early can demotivate management and personnel, because too few requirements will have been met.
A company’s CTO or IT personnel can determine roughly whether an organization is ready for an audit. However, even if they are well informed on the subject, they are likely to be less objective than a third-party assessor would be. A competent QSA would be willing to carry out a gap analysis and/or a pre-audit assessment before carrying out an audit. In a pre-audit assessment, a PCI consultant or QSA will usually go over the details of the compliance process before they carry out the audit; it is usually done while they are offsite. A pre-audit assessment is less comprehensive than a gap analysis, and should be carried out after the gap analysis.
A gap analysis measures the gap between the business’s or organization’s current compliance state and the required state. A qualified PCI consultant is able to determine fairly quickly how far along a business is in terms of PCI compliance. Seeking a PCI consultant who gets along with your compliance team and who offers suggestions instead of simply pointing out what is not working will greatly speed up the process. Doing a pre-audit assessment and a gap analysis saves the organization a lot of time and money. It also serves as a source of information on what needs to be fixed and as a way to determine how far along an organization has come.
It is always best to ensure that there is no conflict of interest when hiring penetration testers and the Quality Security Auditor / Approved Scanning Vendor (ASV) or the PCI consultant acting in an advisory role. Since PCI compliance is an ongoing process, one of the most important factors in selecting a PCI consultant is finding one who will work with you for the whole year. This helps your organization attain compliance as well as retain it.
An important factor to consider is the QSA company’s and the individual auditor’s qualifications and past experience. Ensure that the QSA company is approved, and check the auditor’s approval too. Try to get an auditor who has experience and a QSA firm that has done at least 10 Reports of Compliance in the last 12 months.
Technical expertise and strong analytical skills are other qualities to look for when hiring a PCI consultant. Keeping up with the more contentious issues in PCI compliance is a great way to test a PCI consultant. The idea is to gauge their knowledge and confidence more than to determine whether they answer correctly.
Cost, though important, should never be the overriding factor in the selection of a PCI consultant.