If you are required to have a QSA On-Site Assessment annually as a part of your PCI DSS compliance, you are likely already familiar with the fact that meeting PCI requirements is a complex process, and no easy feat. To prepare you, we want to help you understand what to expect before, during, and after your QSA on-site assessment. One of our core values at Triaxiom Security is to partner with our clients. We want you to view us as an extension of your security team and, as such, we want to help you through this process as much as possible. So with that, let’s look at some of the things you can expect.
Before the Assessment
Once contracts are in place, we will officially start the assessment with a kick-off call. During this call, we will look at schedules, key contacts on both sides, and the rules of engagement to set expectations for the assessment. This call is the official start to the assessment.
Once the project is officially started, your QSA will likely schedule an orientation call shortly after the kickoff call, or even combine the two into one. During the orientation call, the QSA will try and become familiar with your organization structure, your business processes, and the various ways credit cards are accepted (mail order, phone, in-person, e-commerce, etc.). Additionally, the QSA will likely want to walk through your network diagram and your data flow diagram to gain an understanding of the scope of your cardholder data environment (CDE). All of this will allow the QSA to adequately plan their assessment and plan any sampling that may be necessary.
In addition to the QSA becoming oriented with your processes, the QSA will make sure you are familiar with our secure messaging/file transfer portal and provide you with a list of items we will need. This list will include things like policies and procedures, configuration files for any network devices in scope (firewalls, switches, routers, etc.), and network diagrams. Finally, during this initial orientation call the QSA will go over the plan of attack for the on-site portion of the audit. They will provide you with a basic schedule of interviews and who needs to be present during those scheduled times. Typically it works best if there is one main point of contact for your organization that is present throughout the assessment, but for many of the topics we will need to pull in various other employees (e.g. Human Resources).
After this call, the QSA will begin reviewing everything provided prior to showing up on-site and as questions arise, they will reach out to try and get answers ahead of time. The on-site portion of the audit is very time intensive, so the more the QSA is able to prep and validate controls prior to arriving, the better the assessment flows while on-site.
During the Assessment
The on-site assessment will follow the agreed upon schedule covered in the orientation call as much as possible, in order to minimize the disruption to your business. The length of the on-site assessment will vary depending on the number of locations we’ll need to visit and the complexity of the scope, but you should plan for an assessor to be on-site for approximately a week for most organizations. The QSA will likely structure this time with two to three meetings per day, with analysis and documentation taking place in between these meetings. As such, it is very helpful if a conference room or spare office can be allocated to the QSA for the entire week.
One thing that is unique about a QSA assessment is that we, as the assessing organization, may be audited by the PCI Council at any time. As a QSA company, we are required to keep evidence of our audit and evidence that your organization meets all required security controls for a period of three years. As such, the QSA needs to have justification and applicable evidence for every PCI DSS requirement. This equates to a lot of screenshots. Your QSA will work closely with you to collect all of these screenshots and any other required evidence to ensure they are indexed appropriately for tracking purposes.
Before leaving the on-site assessment location, your QSA will have a wrap-up meeting with you. During this meeting, the QSA will let you know how everything looks and set expectations regarding the state of your security controls and whether it looks like you will receive a passing score. If there are things preventing you from reaching compliance, your QSA will make sure you understand them, assist you in creating a plan of attack to reach compliance, and try to plan a time for us to validate the fixes. Additionally, during the wrap-up meeting, the QSA will go over any outstanding items still need to be addressed or artifacts we need from you prior to the end of the audit.
After the QSA On-Site Assessment
After the on-site portion of the assessment, the QSA will work to finalize the documentation, review any remaining policies or configurations, and ensure all the controls are properly reported in the RoC. Once the QSA is finished with all documentation, the Report on Compliance and Attestation of Compliance will make their way through our internal quality assurance (QA) process. During QA, another certified QSA will look over all the work and applicable evidence to ensure the assessment was conducted consistently and that the appropriate evidence is retained. During this process, your QSA may have to reach back out to you for required follow-up information or questions.
Once the QA process is complete, we will jump on a call with you to deliver the reports and explain any findings. If you have met all requirements, this is likely just a quick call to go over the format of the documents. However, if you did not pass, this call will explain why and assist you in coming up with a game plan to reach compliance.
Hopefully this helps give you an understanding of what to expect before, during, and after a QSA on-site assessment. As always, if you have any questions or feedback, we would love to hear from you.