What we learned after switching PCI DSS Qualified Security Assessor (QSA)

After six years of working with the same PCI DSS QSA firm, it was time for a fresh pair of eyes.

Now I know what you are thinking – danger, right? Yes, there are some risks to changing QSA, but there are potentially great opportunities for security to be improved along the way! Our business had worked with the same PCI DSS QSA firm for the last six years. We began our journey in the early days of PCI DSS 2.0 and saw it through with our original QSA right up until PCI 3.1. That's quite a bit of time to spend together! Over that time the QSA had come to understand our business and how to adapt the PCI compliance model to fit a telecommunications company that sells managed services to the mid-tier market.

In the early days of our relationship, there had been a lot to talk about and much put into practice – everything from our FIM software and RBAC, through to our policy matrix that needed to be established.

After six years, however, I started to suspect that we had gotten a little too comfortable with one another and that our security stance could benefit from a set of fresh eyes.

The problem, of course, is that every building block of our PCI compliance architecture had been already approved by our first QSA! When interviewing new QSA candidates, we took the time to be very clear to them that whilst we were open to change, this would have to happen at a pace that made sense for the business as a whole. Changing processes or software tools can be quite a challenge for a growing business that is focused on its product development. For our seventh annual PCI certification, we selected a security consulting business that not only does PCI DSS certification but is also an Approved Scanning Vendor (ASV). Additionally, our new QSA is also qualified to deliver the required penetration testing! So yes, we put a few of our ‘security eggs' into the same basket.

Changing QSA has been no easy task, but the change has been a positive one for our business. Here are some of the key lessons learned along the way:

Having a single QSA and ASV provider has brought efficiency to our operations

This was a big positive for us because the maintenance of ASV required quarterly scans has always been a challenge for our business - both from a timeliness perspective - and the need to chase down seemingly endless 'false-positives'

Our penetration testing process is quicker and more eff ective

Because our new QSA firm can provide penetration testing, our business has been a more coherent approach from our QSA on what IP address ranges actually need to be scanned. This is now more closely aligned with our agreed PCI scope, which ensures that we get better value from the money that we spend on 'pen-testing'!

There are cost-savings from combining our QSA, ASV and pen-testing

Speaking of money - and this always the case when trying to enhance security - the combining of our QSA, ASV and pen-testing into a single vendor has even enabled us to save a little along the way.

We’re seeing things a​ little differently

The biggest benefit that we have found, however, after making the change is that our new QSA has bought fresh ideas, energy and rigour to our overall approach to PCI DSS. This has happened organically as we have had the chance to re-examine the many decisions that we have made along the way on our PCI 'journey'. In the end, the change has been a positive one for our business. We have a renewed confidence in our approach to PCI compliance and I am certain that this will lead to enhanced security for the company. Now that's really a breath of fresh air!


Author: Jim Nielsen (Chief Operating Officer)