Most organizations turn to a QSA when undertaking a PCI compliance project. The Qualified Security Assessor is the person who must be satisfied by whatever security measures and procedures you implement to meet the PCI DSS, so it makes sense to have them tell you what you need to do.

For many, PCI compliance is simply another deadlined project: when does the acquiring bank want us to be PCI compliant, and what do we need to do before we are audited in order to pass?

However, this approach can lead to problems further down the line, because PCI compliance isn’t simply about passing an audit; it is about getting your organization sufficiently organized and aware of the need to protect cardholder data at all times. The cliché in PCI circles is ‘don’t take a checkbox approach to compliance’, and there is more than a grain of truth in it. Passing the audit is a tangible goal, but it should only be a milestone along the way. The real goal is to mature internal processes and procedures enough to operate a secure environment every day of the year, not just to drag the organization through an annual audit.

The QSA Moral Maze

Still, a significant number of organizations hire a QSA to ‘make PCI go away’, and this can present a dilemma. QSAs are in business and must compete for work like any other commercial venture. They are typically fiercely independent and take seriously their responsibility to provide expert guidance. At the same time, like all of us, they have bills to pay.

There have been occasions where QSA firms have been cornered by the conflict of interest between advising on the measures required for PCI compliance and offering to supply the goods required. This presents a difficult choice for the customer: go along with what the QSA says and buy whatever they sell you, or go elsewhere for any kit required and risk damaging the relationship needed to get through the audit.

Whether for new firewalls, scanning and penetration testing services, or FIM and logging/SIEM products, too many merchants have been left to make difficult decisions. The simplest solution may be to keep your QSA from supplying any other service or product for your PCI project, but each situation needs to be treated on its own merits.

Another reported conflict of interest is one that affects any kind of consultant. If you are being paid by the day for your services, would you want the engagement to be shorter or longer? If you had the opportunity to influence the duration of the engagement, would you fight for it to be ended sooner, or be happy to let it run longer?

This is not to be overly cynical: despite paying widely differing amounts for QSA services, the overwhelming majority of merchants have been delighted with the value for money received. But one client recently related a problem whereby their QSA had asked for repeated network and system architecture redesigns, recommending that firewalls be replaced with more advanced versions offering better IPS capabilities.

The QSA may well be giving accurate and proper advice; the unfortunate side effect, however, is that the merchant delays implementing other PCI DSS requirements while the redesigns go round. In this case the QSA’s advice actually delayed security measures being put in place: in other words, the security expert’s advice was to prolong the organization’s weak security posture.


The QSA community is a rich source of security experience and expertise, and who better to help navigate an organization through a PCI program than those responsible for auditing compliance with the standard? Even so, first, it may be astute to separate the QSA from any other aspect of the project.

Secondly, self-educate and help yourself by becoming familiar with security best practices. It will save time and money if you empower yourself instead of paying by the day to be taught the basics.

Finally, don’t delay implementing security measures. You know your systems better than anyone else, so don’t pay to prolong your project. Seize responsibility for de-scoping your environment where possible (fewer systems storing, processing or transmitting cardholder data means fewer systems to assess), then apply basic best practices to the remaining in-scope systems: harden and patch them, implement change control, then measure its effectiveness with file integrity monitoring and audit trails of all system activity. It is simpler than your QSA might lead you to believe.
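To make the last point concrete, here is an added example (not NNT code, and not a product on this page) of the baseline-then-compare cycle that file integrity monitoring uses to measure whether change control is actually working. It hashes every regular file under a directory, stores the baseline, rescans, and reports each change as approved or unapproved against a set of paths that a change record authorizes. The directory tree, the file contents, the ‘approved’ path and the change ticket reference are all constructed for the example.

```python
"""Minimal file integrity monitoring (FIM): baseline, rescan, reconcile
against change control. Added example, not NNT's Change Tracker; the
directory tree and the approved-change set below are constructed."""
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Record hash, permission bits and size of every regular file under root.

    Symlinks are skipped: following them would let an attacker point a
    monitored path at an unmonitored file. Paths are stored relative to root
    so a baseline taken on one host can be compared against a rebuilt host."""
    root_path = Path(root)
    baseline = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.lstat()
        rel = p.relative_to(root_path).as_posix()
        baseline[rel] = {
            "sha256": _sha256(p),
            "mode": stat.S_IMODE(st.st_mode),  # catches chmod-only changes too
            "size": st.st_size,
        }
    return baseline


def save_baseline(baseline: dict, path: str) -> None:
    """Persist the baseline; in practice store it off-host or read-only."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: str) -> dict:
    return json.loads(Path(path).read_text())


def compare(baseline: dict, current: dict, approved=frozenset()) -> list:
    """Reconcile two scans. Every added, removed or modified file becomes a
    finding; 'approved' holds paths that an authorised change record covers,
    so anything with approved=False is an uncontrolled change to investigate."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            kind = "removed"
        elif rel not in baseline:
            kind = "added"
        elif baseline[rel] != current[rel]:
            kind = "modified"
        else:
            continue
        findings.append({"path": rel, "change": kind, "approved": rel in approved})
    return findings


def unapproved(findings: list) -> list:
    """The subset that should raise an alert / incident ticket."""
    return [f for f in findings if not f["approved"]]


def demo() -> list:
    """Constructed scenario: one approved patch and two uncontrolled changes."""
    with tempfile.TemporaryDirectory() as d, tempfile.TemporaryDirectory() as store:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"\x7fELF-constructed-v1")

        save_baseline(build_baseline(d), f"{store}/baseline.json")

        # Approved change (hypothetical ticket CHG-1234): the app binary is patched.
        (root / "bin" / "app").write_bytes(b"\x7fELF-constructed-v2")
        # Unapproved changes: root login switched on, and a rogue cron job dropped.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "backdoor").write_text("* * * * * root /tmp/x\n")

        before = load_baseline(f"{store}/baseline.json")
        after = build_baseline(d)
        return compare(before, after, approved=frozenset({"bin/app"}))


if __name__ == "__main__":
    for f in demo():
        flag = "OK " if f["approved"] else "ALERT"
        print(f"{flag} {f['change']:8} {f['path']}")
```

The point of the `approved` set is the link to change control: a change that a ticket authorised is reconciled and closed, while everything else is evidence that either the change process was bypassed or something hostile touched the system. Real FIM runs this on a schedule or in real time, watches permission and ownership as well as content, and stores the baseline somewhere an attacker who has already compromised the host cannot rewrite it.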



Copyright 2024, New Net Technologies LLC. All rights reserved. 