There’s a reason that organizations get nervous when the annual PCI DSS compliance cycle comes around. It isn’t fun to be on the hot seat with your Qualified Security Assessor (QSA) — and if you don’t have your act together, that’s exactly what will happen.

Many organizations find themselves on the hot seat more often than not, but it doesn’t have to be that way. Most QSAs aren’t interested in playing the bad cop, but they do have a job to do and it’s their reputation on the line. 

So how do you avoid ending up in hot water with your Assessor? It isn’t hard, but it does require commitment and discipline (and a good compliance management system). Here are TCT’s top tips to avoid getting in trouble with your Assessor.

Take Compliance Seriously

In many cases, the motivation for becoming PCI compliant is not out of a concern for security and compliance, but because an important client says you need to do it. And because you’re effectively obligated to get it done, your executive leadership just wants to get the box checked.

When all you want to do is get PCI compliant as quickly as possible and move on, you’re often motivated to take all manner of approaches to getting that done — including cutting corners.

As a result, you’re not likely to be completely open and transparent with the Assessor. Instead, you give them as little as humanly possible, believing that will shield you from additional exposure.

It’s very hard to keep up appearances, because PCI DSS has hundreds of line items, and they all have to align with each other. You’ve got to keep your story straight over a large breadth of items, which is extremely difficult to pull off. It won’t take long for your QSA to sniff it out, and soon you will get busted. An experienced assessor knows pretty quickly that they aren’t really getting the whole story. 

At that point, your Assessor will start asking more questions. They’re going to start digging deeper and they’re going to ask for more evidence. And your PCI assessment actually becomes a more painful process for you to go through as the Assessor follows their intuition and starts tightening the screws.

Assessors want to see that your organization cares about security and compliance and has your act together. They want to work with companies that care about doing things appropriately and correctly. 

I’ve experienced some organizations where certain people were literally fabricating evidence to support their objective of just checking off the box, but they quickly got themselves in hot water.

Don’t enable a culture of checkbox compliance. Don’t enable a culture of not caring about this stuff. If you actually care about security and compliance at all levels of your business, then it will show through in the way you approach your compliance and thereby impact your relationship with the Assessor.

Be Prepared for the PCI Assessment

Don’t go into your engagement with the Assessor only partially ready to go. Have all of your evidence generated and make sure it’s up to snuff. Every individual line item should be accounted for and ready to go.

There are various reasons that an organization isn’t prepared for their engagement. It may be their first foray into PCI DSS. A corporate-level disaster may have struck. Or, more commonly, the client organization didn’t plan well, because they assumed compliance could be managed between other tasks.

Count the cost before you start your PCI journey. Plan appropriately for the time it’s going to take your internal personnel to complete their work. 

Otherwise, you’ll find yourself desperately trying to materialize evidence that doesn’t exist — right in front of the Assessor.

It’s an impossible situation to try to address your QSA’s inquiries when your PCI engagement is only partially complete. It’s unbelievably difficult to just wing it. And yet I’ve seen a number of organizations that seem confident walking in that they can pull it off.

Don’t Create a Rat’s Nest for Your Assessor

Things quickly go from friendly to frustrating when the Assessor realizes they’re dealing with a client living in chaos. 

I’ve seen organizations that set up a schedule for the on-site visit, but the necessary people aren’t available when they should be. There’s no backup personnel, and so the Assessor’s time is being wasted. 

It gets more uncomfortable when the client organization struggles to have things at their fingertips. Assessors don’t like it when the client is unprepared or can’t readily produce documents.

I’ve been in some really uncomfortable experiences where the QSA asked for this or that evidence, and everybody is looking at the person to their right. Oh crap, where is that, where did we put it?

They can’t even put their fingers on the appropriate evidence being requested.

What is the confidence level of the Assessor if the organization can’t operate in a compliant manner? It doesn’t bode well.

It comes back to the preparation of the organization. When you walk into that engagement, make sure everyone knows what is expected of them. Anticipate what the Assessor will be requesting of you. Have backups ready to roll. Show the QSA that you have your shit together. The difference in your assessment experience will be like night and day.

Don’t Game the System

I’ve seen more than a handful of engagements where the target organization believes they can game the system in their favor. Typically, this plays out by deliberately slowing down the on-site visit.

The client organization is under the belief that the less they get to while the Assessor is on-site, the fewer potential issues can be discovered. They think it will make things easier for the company because they didn’t expose as much as they otherwise would have.

Essentially, they’re trying to waste the Assessor’s time.

They’ll throw in a bunch of breaks, and then magically people aren’t getting back when they’re supposed to. Gee, I guess we’ll have to move on to the next requirement, right?

I’ve seen all sorts of crazy approaches. All it does is poke the bear, and the Assessor simply gets increasingly frustrated.

I was on one engagement where the organization picked a place to go out to lunch. It was located at least 35 minutes away, at a restaurant that served a multi-course meal. The grand total time away from the office was about three and a half hours — nearly half a day.

These companies think they’re rigging the system, but what they don’t understand is that delaying and wasting the Assessor’s time during the on-site visit doesn’t reduce your exposure. It just means that the QSA needs to do one of two things (likely with a change of scope in addition to expenses, since on-site activities were being stretched out):

  • They could schedule a second on-site visit. And they’ll keep doing as many visits as it takes — ratcheting up the cost to the client organization.
  • They could schedule additional remote working sessions with screen sharing.

Assessors aren’t idiots. They’ve been down this path before. 

Meanwhile, this kind of tactic only signals to the QSA that there’s something to find. They’re going to take a deeper dive into your evidence. So instead of cutting yourself a break, you actually end up shooting yourself in the foot with a longer engagement and more scrutiny — which results in more remediation items.

Don’t Delegate Compliance to IT

One of the biggest myths about compliance is that your IT personnel know how to do IT stuff securely — and therefore, they must be proficient in security and compliance certifications like PCI DSS.

Most people in IT are generalists. They know how to operationally make things work and function, and they can do their job well. But that doesn’t mean that they know how to do it securely or in a compliant manner.

It’s one of the biggest mistakes organizations make, and it’s a double-edged sword because the leadership of the organization has this expectation that their IT people know how to do their work securely.

That in turn forces the internal IT crew to carry on the ruse, because they don’t want to appear to be deficient. So when the management comes and asks if IT staff can navigate your company through a PCI engagement, of course those IT people want to step up and show the boss they can do the job. 

IT staff are used to digging into difficult problems and solving them, so it’s natural for them to believe they can rise to the occasion. But what they don’t realize is that compliance can’t be simply figured out with a Google search.

We’re talking about expertise across hundreds of line items that cover everything from your scope, your networking, and your firewalls all the way to, at the other end of the spectrum, HR, background checks, and legal agreements. And there are hundreds of things that you need to know.

When you walk into an engagement with your Assessor, you put your IT personnel in a no-win situation, and you set your Assessor up for a long and painful engagement that promises more work than it should take.

It’s a completely different story when you rely on a seasoned compliance Consultant who’s been around the block a multitude of times and knows how to lead organizations through successful compliance engagements. Assessors immediately see the difference, and it sets a completely different tone for your work with them.

Make Your Assessor Your Ally

You’ll probably never feel gleeful anticipation about heading into your annual PCI assessment. But you can avoid getting yourself into hot water with your QSA. Take compliance seriously, do your due diligence, be well prepared, and you’ll make your Assessor an ally. Not only that, but your compliance engagement will actually go smoother and quicker for you. 
