I have been a QSA for the past 6 years and before that I was involved in managing PCI programs for more than 3 years in the banking environment. So it is fair to say I have experienced PCI from both the QSA and the merchant/issuer point of view. During this time I have worked with a pool of QSAs and I have conducted a handful of PCI assessments covering organisations in different industries including healthcare, retail, insurance, TV/media, government/public, mobile service providers and many more.
Regardless of the complexity of the environment and payment channels, most organisations, whether service providers or merchants, have fundamental technologies (e.g. databases, virtualisation, cloud computing, networking) which should comply with the PCI DSS standard. So the QSA is expected to understand these technologies at least to a basic level, i.e. understand how they work prior to going onsite and conducting the assessment, the reason being that you need to understand the technology, processes and people that you are going to audit. Whilst this sounds like common sense, you will be surprised how many QSAs do not take this into consideration. Below are the five common mistakes made by QSAs.
(1) Not understanding the scope of the assessment.
(2) Not enough time allocated to conduct the assessment.
(3) Not understanding the underlying technologies used by the audited organisation, i.e. the merchant / service provider.
(4) Not understanding the in-scope payment channels and the applicability of PCI requirements / eligibility as per the SAQ.
(5) Not following the audit procedures in the PCI DSS reporting template.
I will expand on each of these mistakes one by one in an updated post. For now I would like to make you aware of a nice PCI blog by PCI Guru, https://pciguru.wordpress.com/, which goes into detail on specific requirements and guidelines and any discussion regarding PCI DSS.