I’m writing this from the lovely (and quite steamy today) Terminal 3 of London’s Heathrow Airport after spending a week talking to clients, partners, and industry professionals about information security issues in Europe. It’s clear that PCI DSS is one of the biggest issues facing security professionals in Europe, and will likely dominate many of their lives for the next 12-24 months. (Another bonus: our book sold out at Infosec Europe, and has apparently been a very big deal in the EU. Someone even told me they bought it IN A BOOKSTORE! Never seen it in a bookstore in the US.)

My question to you is, “Have you found YOUR QSA?”

PCI DSS is something we’ve lived with for many years now in the US, and if there is any piece of advice that I’d like to impart to my friends across the pond, it’s that your most important investment will be a good quality QSA to guide you to that compliant ROC. Good QSAs are hard to find, as many horror stories from the US will illustrate.

If you have never worked with a QSA before, how do you know if they are good? For one, you have your peers on your side. You are probably not the first person you know that has had to hire one, so ask around! Most importantly, remember that the INDIVIDUAL QSAs are more important than the consulting firm that employs them.

Next, interview your QSA before you bring him on board. Pick hot-button issues and things you know will need to be addressed in your environment, and ask him about them. Compare his answers with those of his peers. DON’T select the one that guarantees an easy pass. Choose the one whose reading of the requirements is most accurate.

Finally, use the plethora of resources available to you on the PCI Council website and the blogosphere. Don’t go into this blind, and be sure to pay for quality!