The Qualified Security Assessor (QSA) a Merchant chooses will dramatically affect how the Merchant achieves compliance.
In simple terms, the right advice and guidance saves time and money whilst reducing risk and achieving compliance. The wrong advice or guidance could prove extremely costly.
SANS: “The independent white paper in this security KnowledgeVault is just one of the resources to help you make the right decision. It details the top 5 questions to ask a prospective QSA firm and offers guidelines on everything from making sure they adequately handle compensating controls to assessing their expertise with virtualization”.
The 5 questions are:
- For what types of organizations have you performed PCI DSS assessments?
- What is your background?
- Who will be performing the work?
- How do you validate and assess compensating controls?
- Are there examples of your assessments being used to improve security for clients?
Reading the white paper and asking these questions could prove vital to the successful completion of a PCI DSS project.
Download the white paper here. Registration is required.
Source: Dell and SANS
13/05/2011 at 3:29 pm
As a PCI services vendor of Trustwave, I couldn’t agree more, Brian. It’s troubling how many organizations tell me things like “My web hosting company is PCI compliant so my website is too”, which couldn’t be further from the truth. Then a local merchant will say “my POS system is compliant so I’m compliant”, which says nothing about the hundreds of credit card records they keep on site. It’s so simple for level 3 and 4 merchants to become PCI compliant (https://www.secure128.com/trustwave-trustkeeper-pci-compliance.aspx), but the monitoring of the level 4 merchants is nearly non-existent at this point.
Hopefully, Federal guidelines will take shape soon and require banks to rein in the practices in the “Wild Wild West” of level 4 merchants!