The Payment Card Industry Data Security Standards (PCI DSS) defines the framework for protecting cardholder data. The framework was developed by the Payment Card Industry Security Standards Council (PCI SSC) and enables organizations to assess how well they are protecting cardholder data, training staff, and conducting PCI DSS audits.
PCI compliance and accepting credit cards go hand in hand. PCI DSS is a good baseline for any cybersecurity and information security program, regardless if they take credit cards. The PCI security standards council bases PCI DSS compliance on industry best practices and enables Qualified Security Assessors (QSA) to grant organizations PCI compliant status.
Most wonder, what does a typical PCI auditor interview look like? If you are choosing someone who holds the power to grant compliance, it is important to know more about them.
What kinds of questions should you ask your soon to be QSA before the audit starts?
Questions to ask your PCI auditor
What level of qualifications does the QSA auditor have? A PCI auditor should have a background in information technology and experience in auditing. Becoming a QSA does not mean that the candidate has a strong technology background. Someone with a good technology background will be better suited for offering sound advice on how to improve upon the program they are evaluating.
Look for a QSA that understands the impact that phishing and malware have on IT security.
What experience do you have in the industry?
The auditor should also know the industry of the company they are auditing. There are subtle differences for example between manufacturing, e-commerce, and energy companies.
An auditor with previous auditing experience in an industry is more likely to complete an audit quickly as they have “seen it before.” They need to understand the security controls that matter and the best way to determine that is with experience.
What is the delivery methodology of the QSA?
PCI assessors bring their own unique blend of methods to perform an audit. Firms should be more than happy to walk through the way they perform an audit. Some need a great deal of access to people, processes, and technology. Look for the best blend of hands-on and hands-off to fit your unique business requirements.
Will security improve after the audit?
The whole point of an audit is to assess the information security environment and to look for areas of compliance and improvement.
What sets a good QSA apart from the rest is one that will provide remediation steps to areas that they find are not meeting requirements.
Some PCI auditors simply point out that they discovered an area of non-compliance and that it needs to be remedied, but not how to remedy the problem and how to make the overall cybersecurity footprint better. It is important to look at a sample anonymous PCI audit from your assessor to validate it contains instructions for remediation.
Who will perform the assessment?
It is common practice for organizations to bring the “A” team for initial sales calls. Often, once the customers sign the contract and the audit commences, a different team shows up.
Organizations need to make sure they meet the team and evaluate skill sets before they sign the contract. Make sure you have a good understanding of the PCI firm’s background as well as the individual QSA that will assess the organization.
Are assessments all that the firm does?
Many QSA firms have other parts of their business focused on security. Whether the firm is selling products or other services, beware of the cross-and-upsell. Organizations look for opportunities to “land and expand” with current and future customers. Make sure you are prepared for the inevitable upsell or instead, focus on a firm that only scopes for the PCI audit.
What references does the auditor have?
Make sure that the PCI auditor has a plethora of references in your industry or a related industry. Check for rankings and testimonials on the auditor’s website and also ask to speak with a past customer to get a firsthand account of the end-user experience.
Be wary of organizations that have a minimal online presence or few QSAs on staff. The auditor should be a good match for the size and scale of the organization they will assess.