Common mistakes made by QSAs during PCI assessments.

I have been a QSA for the past 6 years and before that I was involved in managing PCI programs for more than 3 years in a banking environment. So it is fair to say I have experienced PCI from both the QSA and the merchant/issuer point of view. During this time I have worked with a pool of QSAs and have conducted a handful of PCI assessments covering organisations in different industries, including healthcare, retail, insurance, TV/media, government/public sector, mobile service providers and many more.

Regardless of the complexity of the environment and the payment channels, most organisations, whether service providers or merchants, rely on the same fundamental technologies (e.g. databases, virtualisation, cloud computing, networking), and those technologies have to comply with the PCI DSS standard. The QSA is therefore expected to understand these technologies at least at a basic level, i.e. to know how they work, before going onsite to conduct the assessment. The reason is simple: you need to understand the technology, the processes and the people you are going to audit. While this sounds like common sense, you would be surprised how many QSAs do not take it into consideration. Below are the five common mistakes made by QSAs.

(1) Not understanding the scope of the assessment.

(2) Not allocating enough time to conduct the assessment.

(3) Not understanding the underlying technologies used by the audited organisation, i.e. the merchant / service provider.

(4) Not understanding the in-scope payment channels and the applicability of the PCI DSS requirements, or the SAQ eligibility criteria, to those channels.

(5) Not following the testing procedures in the PCI DSS reporting template.

I will expand on each of these mistakes one by one in an updated post. For now I would like to make you aware of a nice PCI blog by PCI Guru here, which goes into detail on specific requirements and guidelines and any discussion regarding PCI DSS.

Author: kinyoka

A certified Information Security professional with demonstrated experience spanning more than 10 years in the financial, banking, consulting and payment card industries, managing Information Security Management Systems (ISMS). A postgraduate degree holder in Information Security Management (M.Sc); Certified Information Security Manager (CISM), Payment Card Industry Qualified Security Assessor (PCI QSA), SABSA Chartered Security Architect (SCF), ISO 27001 Lead Auditor, CREST Registered Technical Security Architect (TSA), CREST Registered Penetration Tester (CRT), and a member of ISACA. Demonstrated to be a reliable, trustworthy and meticulous person; has worked in controls-focused, multinational and multicultural organisations over the years and gained a good understanding of what is required of an Information Security professional.

Specialties: ISMS based on ISO/IEC 27001/2; Payment Card Industry (PCI) DSS, QSA-led services (PCI scoping, gap analysis and formal assessment / RoC); IT Governance, Risk and Compliance (GRC) management; cyber security; penetration testing; enterprise security architecture; technical security architecture.
