Want to Save Money On PCI Compliance? Don’t Cheap Out On Your QSA.

Analogy: A family member needs surgery, and you have two doctors in a side-by-side bake-off. One is respected, enormously experienced, and expensive. The other is fresh out of residency, inexperienced, and cheap.

Whom do you go for?

Unless you’re a sociopath, you pay for the one with the greatest expectation of success. So by a similar (though far less dramatic) extension, why would you cheap out on your choice of QSA? Or on any consultant, for that matter?

Not only that, you probably expect the same results from every QSA, right? They all went through the same standard training, so they should all be the same, right?

Are all doctors the same?

Like any profession, there is a MINIMUM standard to achieve before you start. For QSAs it’s 5 years in security (no-one lies on CVs/resumes, right?), OR a CISA/CISM/CISSP (anyone can read a book and pass a multiple-choice test), AND passing the QSA test. I can, quite literally, take ANY person and get them to a point where they can pass that test in one week.

Instead of focusing the QSA test on domain knowledge (networking, encryption, policy formation etc.), it focuses on merchant / service provider levels and a bunch of other material that does not test the consultant’s skills in any fashion that makes sense to me. Can they read a firewall ruleset and determine whether it meets the intent of the Requirement 1.x controls? Can they look at netstat output and tell whether your OS configuration standards are actually being followed per Requirement 2.x?

The answer to those questions is: not necessarily. And while I cannot think of one security consultant who is an expert on all 12 DSS sections (I suck at encryption and anything to do with coding, for example), you need someone with real-world experience to measure your compliance not only against the standard, but against its intent. If that intent does not align with the goals of the business in question, the process falls apart.

When it comes to PCI, you’re paying for experience / guidance / been-there-done-that; otherwise you’re better served doing it yourself. At the very least, you know your business better than the QSA ever will.

I wrote something resembling a white paper on Selecting The Right QSA For Your Business a few months ago, and will be building on this process over the next few months. Anything is simple if you know how to do it, but that’s the point: YOU probably don’t know how to do PCI, so you also don’t know the right questions to ask to find someone who does.

This may sound like I’m trying to push you into hiring only the expensive guys, but that’s not it. It’s never just about the money; it’s about VALUE for, and appropriate USE of, money. The issue most often is that businesses choose their QSA based on price alone. They didn’t want to do PCI compliance in the first place (believe me, no-one WANTS to do PCI), and therefore settled for the lowest bidder.

In my fairly significant experience, the cheapest QSA up front rarely ends up being the cheapest in the end. These are the top 5 things to watch out for; they reflect the SOPs of some of the less scrupulous vendors:

  1. Scope Creep – A proposal written in such a way that you THINK you’re buying what you need, but you end up having to buy additional services from them to finish the job. Read the scope statement for what is excluded, not just what is included.
  2. Cheap Labour – You get what you pay for, and if you pay pennies, you’ll get the least experienced QSA at their disposal (this one serves you right by the way)
  3. Pushing Other Services or Products – Some of the larger QSAs have entire suites of products and services they try to push your way. They will sell the assessment cheap, hoping to massively up-sell / cross-sell the more profitable managed services / products etc. This is permissible under the SSC rules, but it is hardly best practice, and in some cases hardly ethical, especially when the products don’t even support your compliance.
  4. Lack of Appropriate Guidance – Achieving PCI compliance the first time is a project; staying compliant is a process. At no time during the assessment should there be roadblocks that are a direct result of the QSA’s inexperience. Projects that should take months often take years, and the additional costs can be significant.
  5. The True Cost of Compliance – Usually the most significant cost of a PCI project is the labour cost of internal resources, not the QSA’s fee. Performed correctly, PCI can deliver real benefits in terms of improved security posture, but unless those resources are used efficiently, the cost to the business can be very significant, especially in lost availability for transformation or innovation initiatives.

In the end, you will get what you pay for, and if you have not chosen your QSA based on best fit, you deserve what you get. Choosing a QSA / consultant is relatively simple, and I believe that It Takes A Consultant, To Hire A Consultant.

If you need help, do your homework, then ask the opinion of someone with zero vested interest.

2 thoughts on “Want to Save Money On PCI Compliance? Don’t Cheap Out On Your QSA.”

  1. There are a couple of variables that you do not seem to count too much. First, PCI is a mandatory audit. If you are hiring a consultant for your business, like for a new project, you are making a choice to hire the consultant. But PCI is mandatory. If you meet certain criteria then you are obligated to do a PCI audit. In situations where something is mandatory, I disagree with you that one should avoid hiring based on price.

    The other variable is experience. You do touch on this a bit in the second half when you mention a PCI audit for the “first time.” This is important because after multiple PCI audits, it is literally the same thing each year, especially if your business has not changed with regard to cardholder data handling.

    This leads me to a great reason to “cheap out” on your QSA. Having been through five level 1 PCI audits, I can tell you first hand, that if you are a professional company and take security seriously, the PCI audit is complete BS. You will pay a fortune for someone to read a bunch of your stuff and cross a bunch of things off a list.

    So if you have no experience and no idea what you are doing, then I agree with you. But if you have knowledge then aiming for a low price is just being smart.

    • Hi David, and thank you for your comments.

      While I somewhat agree with your points, the fact that PCI is ‘mandatory’ is meaningless. As long as you are working towards compliance PROPERLY, the card schemes are very reasonable. They care nothing for compliance; they only care about NOT losing cardholder data, so any organisation that chooses to achieve compliance on the WAY to real security will get a lot of leeway. That takes a real consultant, not a QSA, and any organisation that gets tick-in-the-box compliance just because it’s mandatory is incompetent.

      As for the cheap QSAs 5 years down the road, I agree, but my blogs are not really aimed at those who know what they are doing. Any organisation doing security properly is PCI compliant all day, every day; compliance is just a validation exercise and a report that any QSA can produce.

      In 10 years of doing PCI-esque work, no organisation is that good.
