PCI Compliance audit by a Qualified Security Assessor (QSA): what to expect, how to prepare, and what to keep track of?

  • Team Omega
  • November 19, 2013

The acronym 'QSA' and the term 'audit' evoke images of fear, anxiety, anger, confusion, expense and exhaustion, and the list goes on. How about 'hacker' and the term 'breach'? Do they conjure up images of nightmare, exposure, penalty, loss and downfall? Clearly, we all know who the real enemy is: the audit is temporary, while the impact of a breach is lasting, and that is what retailers should actually worry about.

A QSA's job is not to intimidate but to partner with the retailer by verifying that security controls are in place and working in the business's cardholder data environment (CDE). With this premise, let's begin an organized exercise.
 
What should the retailer expect before bringing in a QSA?
 
The retailer should expect requests for:

  1. Policies – Written policies detailing how cardholder data is protected, together with log reports and other evidence showing that what is written in the policy is indeed what is followed in practice.
  2. Documentation – Step-by-step written procedures, with proof that they are actually followed (change tickets, review sign-offs, test records).
  3. Network diagrams – Current diagrams of the infrastructure, connected devices and wireless connections, accurate enough to show where cardholder data enters, travels and is stored, and how the CDE is separated from the rest of the network.
  4. Review of the technologies in use, such as firewalls, routers, switches, web servers, application servers, anti-virus and anti-malware, secure remote access solutions, file integrity monitoring, etc.
  5. Detailed logs from all in-scope store systems, devices and servers, retained and reviewed as the policies require.
