There are enough horror stories floating around about working with Qualified Security Assessors (QSAs) on audits that retailers are wondering whether hiring a QSA is really necessary to help their companies stay secure. Are QSAs there to give businesses a hard time in order to prove their own value, or are they genuinely interested in helping you, the retailer, understand the security gaps you may be unaware of?
If you get past the taint surrounding QSAs and look at them as counselors and partners, an audit will look like a process rather than a punishment.
The very thought of an audit is stressful, and more so for companies doing it for the first time. The only obvious things they have at the starting point are the many unknowns, such as:
- Who is their QSA?
- What are the gaps?
- What is required to address them?
- What additional expenses are involved?
- Who is going to knowledgeably guide them to completion?
- How do they get through the process as painlessly as possible and obtain their Report on Compliance (ROC)?
Finding a QSA
It is well known that to a customer, the person they buy a product from matters more than the product itself; similarly, for retailers what truly matters is selecting the right QSA, while the firm that QSA works for matters less. Companies are assessed by an individual, and that individual should be able to understand the particular company and its environment in order to guide it through an audit.
The first year, in most situations, is difficult. Look for an experienced, reputable QSA who has worked with other retailers and comes highly recommended. People know people in the retail space, so word of mouth will help.
Surviving the audit – Year one and every year thereafter
Seriously though, which matters more to a retailer? A piece of paper with checked boxes and a signature, or a proper security assessment from an auditor who will be a partner in evaluating how effective your company's current security measures are and will advise you on how to secure your infrastructure? The answer, of course, is security, established through verification and validation, followed by compliance.
The audit process can be such a nightmare that retailers just want to get their Report on Compliance (ROC) done and move on. The bigger picture, whether retailers like it or not, is data security for their company, so that they can stay in business, grow, and have customers trust them, knowing that their credit cards will not be compromised, and keep purchasing from them.
Here are a few recommendations to help ease the anguish of an audit:
- QSAs understand the first year's pains and are more than happy to answer questions and give the proper guidance to help you gather the evidence they are looking for. Approach them as a partner, not the enemy. This can help you stay on top of the game even after the first audit is done.
- Get a pre-assessment done with the help of a firm like Omega. Omega's experience can allay anxieties by closing most of the gaps before a QSA is brought in. Your expenses would be just a fraction of the cost that would otherwise be incurred.
- Security assessments and PCI Compliance are huge but necessary goals for a company. The expenses that come with them are worth every cent; they may be insignificant compared to the expenses, fines and damaged reputation if an actual breach takes place. So, if you, as the head of security, need to appeal for more funds to invest in technology or infrastructure, this is a good time to do it. Let decision makers know that you will not pass the assessment without some sensible spending. If everybody's goals are aligned, there shouldn't be a problem.
- Surviving the yearly audit and maintaining compliance – Yes, the first year is tough. Once controls are put in place in the first year, one would hope it is just maintenance from there on. The second year can be easier if things don't slip. Every policy statement added to the Information Security Policy has to be constantly revisited, so that any documentation signed off on at the first year's audit (logs, reports, scans, updates and patches) is maintained and followed through in the second year. The second-year audit will be judged on what was done at your company when the QSA was not around pointing things out or asking for evidence to support your claims.
A final word
Look at data security and PCI Compliance as 'how to keep your company's data more secure' rather than 'how to pass an audit'. Definitely get a gap analysis done through a subject-matter-expert partner like Omega ATC. Omega ATC can manage the process by breaking the mountain down into smaller chunks in advance of the onsite audit. This should start at least 3-6 months before a QSA comes in. It will result in fewer things to work on during the audit, saving money and time. Contact Omega for a free 30-minute pre-assessment and we will promptly get back to you.