The Dark Side of PCI Compliance — Beware the QSA Sith Lords

Over the years we’ve spent working in the data security industry, we’ve talked to countless QSAs, and companies that have had QSAs audit them.

Observing from a neutral perspective, it became clear to us that how quickly a company can attain PCI compliance (or, how quickly they can get secure), is dependent on the quality of service the QSA provides them.

If you got wrongfully charged for murder, you wouldn’t want a shabby lawyer to represent you in court — you’ll be gunning for the best you could afford.

In the same way, it’s ludicrous to even consider working with a substandard QSA partner. If a hacker catches you being any less secure than you should be, your company is going to be in for a world of hurt.

The most vital deciding factor for how much good a QSA can do for you is this: How much do they care for your security?

Because once a QSA goes rogue, all ethics are off the table, which may lead to some practices that will be detrimental to your state of security.

We’ve heard of all kinds of terrible QSA partners; some make no secret of the fact that they are in it only for the money, and others who just want to ‘get it all over with’ and move on to their next client.

These QSAs are willing to go where no QSA should go: incentivizing their employees to perform more audits instead of prioritizing thorough checks, letting their clients write their own onsite reviews and simply signing off on them nonchalantly, and even outsourcing parts of the job to low-cost countries, who will not provide the level of attention you require.

What A Good QSA Looks Like

When you pick a QSA partner to work with, keep an eye out for these gleaming traits.

A good QSA will maintain a vested interest in you, and for the sake of your security, is willing to be tough, yet fair. Imagine a super nanny-type relationship: if you try to cross the line or cut corners, you’ll get the naughty stool.

They’re willing to go the mile because they know that if you get hacked, it’s damage to their reputation.

Perhaps most importantly, they see themselves as being an extension of your business — your security partner.

Remember, not every QSA is run by upstanding boy scouts who are out to make your security their priority. Perform a thorough background check, including checking their LinkedIn company profile, which should give you a good idea of their manpower, and dedication to the craft.

No doubt that it’s easier and quicker to just let a bad QSA run its course, but never forget that the entire point of PCI compliance is being secure- it’s so much more than just being a hurdle to leap over.