PCI – Choosing your Auditors carefully….Part II

Posted on September 5th, 2007 by Drazen Drazic

I’ve added this as a direct response to questions I have received to clarify comments from previous posts. (See link below). I hope this helps but as usual, am open to suggestions, thoughts and criticisms of my take on this.

—————-
If you have already started to head down the PCI compliance path, you know it is a time consuming and costly exercise. If you’re about to, trust me, it is a time consuming and costly exercise. There are no shortcuts. While there are quite a few certified organisations to help you, and to provide required services like quarterly scanning and onsite Audits, you need to be careful when assessing who can actually do a good job. I know this will upset some of the other “certified” guys and some who previously were certified but no longer are, but there are a lot of guys out there who really can do you a disservice. We know, because we have seen the results of their work.

Choose Your PCI Auditors Carefully

When looking for a PCI certified organisation (QSA) to assist you, ask the questions. If you are getting quotes from a few parties, ask why some quotes may be double, triple or more the cost of someone else’s. Understand what it is they are proposing and why – make sure you are comparing apples with apples. Alarm bells should ring if someone quotes you 5 days for an onsite Audit of your complex environment and another party quotes 30 days! Trust me, the latter may be closer to the actual time required to do the job right! The above link highlights the issues and costs you may be faced with later by trying to save a few bucks today.

Some questions to ask QSAs:
- How long have you been involved with PCI DSS work?
- How much PCI work have you done? (Not a big one, but worth knowing – some guys have done much less than others but are far better at it!)
- How many experts and certified staff do you have in Australia (add your own country here)? (Many promote their global numbers, but that means little here – they are overseas, not here!)
- What background and expertise do your staff have?
- What is your approach to the Audit? Do you just ask questions, or do you get down and dirty and test? And how, and to what level? Get them to explain their methodology! (Many will just interview – for an onsite Audit, and to get the assurance you need from a risk perspective, this is just not good enough!)
- Get your best technical guys to pick apart some of the technical areas in the standard and throw some detailed technical questions on encryption and key management (as a couple of examples) at the QSA. You would be surprised how many will be stumped! If they can’t answer the questions, how can you expect them to help you become compliant?
- Company X proposed Y days for the work but you proposed Y/3. How can you do the work in that time and still give us the assurance that you will cover everything?
- And one for the dummies – what does “safe harbour” mean?

Obviously you’ll have your own questions as well, and this is just a start, but as I said, the risks to your organisation can be huge if something happens. Don’t get me wrong, even the best guys will never get everything, but the bad ones do, and will, miss the bleeding obvious!
