In some of my posts, I have been somewhat critical of the PCI-QSAs. My biggest frustration is when you cannot get a clear answer from an assessor on complex scenarios and complex technologies. I have made comments related to ‘not all QSAs are created equal’, ‘the value add that QSAs do not deliver on’ and probably a few others that make QSAs and their pool of certified assessors grit their teeth and think negative things of me.
From the QSA perspective, I can appreciate the frustrations they have in getting adequate information from a merchant. The way I see it, that frustration is part of the job they signed up for. Maybe it is a Marine thing – but I have high expectations of professionals that are the subject matter experts of a beast like PCI-DSS. I want to deal with QSAs that actually know technology, understand security controls, are able to contextualize a security control as applied to a technology, and are willing to tell you that you are either right or wrong – not some of this wishy-washy, not willing to take a side approach that leaves as much uncertainty about a scenario then when you first started seeking feedback.
I recently had an opportunity to collaborate with a QSA that really impressed me. The company is called Payment Software Company (PSC); based out of San Jose, California. PSC is a boutique firm that specializes in the payment technology niche.
The folks at PSC know the “payment card industry” and have been a part of it long before PCI-DSS became what it is today; I would even say that is part of their value proposition. From my perspective this is a powerful differentiation between QSAs that have assessors that only know PCI-DSS and are jumping on the PCI-DSS make a quick buck band wagon and not providing as much value.
Another observation I would make about PSC is that they really understand how technology and security work together and what it means from a PCI-DSS perspective. The *leaders* of the company know technology and security at a very granular level; to an extent most reasonable folks would not anticipate. The reason this is important is because it helps with understanding the intent of some of the PCI-DSS requirements as well leveraging compensating controls when there may be a gap.
For fear of sounding repetitive, the PCI Security Standards Council encourages merchants to choose their QSA wisely. I have only worked with a handful of assessors from various QSAs, some good and some not so good. The PSC team easily stands out from all the others – an example of PCI QSA goodness.
I really hope I cross paths with the PSC team again – sooner rather then later!