Monday, March 9, 2009

How to Choose a PCI Assessor




Choosing an assessor is a lot like choosing a car. Some of them get you there quickly, some of them are reliable, and your mileage may vary. There are a number of factors to consider, including:




Ask to See Your QSA’s Resume


There are a lot of people in the information security space, and their backgrounds vary widely. Make sure that you are comfortable with your assessor's skill set, work experience, and knowledge of PCI. Also, make sure that the person who shows up on site is in fact the person whose resume you reviewed. You may want to interview that person as well, to ensure they have a knowledge level you are comfortable with.



Talk to other Merchants


There are merchants out there who have gone through this multiple times, and who have probably used more than one assessor. Ask them whether the assessor met their expectations in terms of technical ability and delivery timeframes, and whether they would use that assessor again.




Timeframe to Completion / QSA Availability

What is the sales team willing to commit to on paper in terms of having an assessor at your facility, and how long will the assessment take? The answer may surprise you. If you're a level 1 service provider and they're only going to spend 3 days reviewing your security controls, you may want to keep shopping. On the other hand, if it's going to take 6 months to complete the assessment, that's less than optimal as well.


Your assessor should be able to start within 30 days. Given that there are 200+ requirements that must each be evidenced through interviews, observation, and direct evidence gathering, the process will take some time. For an average level 1 merchant, 60-90 days is a reasonable expectation if you've been through the process before and are prepared.




Perform a “Pre-Assessment” Yourself


Understand the scope of your cardholder data environment, and try to anticipate the results of your assessment before the assessor arrives. This will allow you to speak to the issues with confidence. In the event that you disagree with your assessor about a particular technology or architecture, you'll be able to defend your position on its deployment directly, without having to use your bank as an intermediary.


(Shameless Plug: We help a lot of people with this.)



Talk to your bank


Does the assessor have a solid reputation with your acquiring bank and/or the card brands you work with? Banks have to review a lot of scan reports, ROCs, and self-assessment questionnaires. They see the cumulative results of many different assessors, and can provide you with valuable input as to who has delivered consistent, quality assessments. Be aware, though, that some assessors have a practice of "partnering" with banks, and those banks then name that assessor as their "preferred assessor." In that case the recommendation is somewhat worthless, because the answer is always the same irrespective of your situation.

