How to Deal with a Power-Drunk QSA
Above all, remember that he’s just a guy. He’s trying to do his job, just like you are trying to do yours. If you allow the situation to heat up, everyone will suffer. Play the game, work with the guy a little bit. Listen to what he has to say. Ask for suggestions on how you might meet the requirement in his eyes (you may have to enable him further to defuse the situation). Overall, he’s probably not a bad guy. Maybe he’s having a bad day and taking it out on you in an unprofessional manner, but that’s a bump in the road that can be overlooked.
The first step is to remember the “No Asshole Rule” (https://secure.wikimedia.org/wikipedia/en/wiki/The_No_Asshole_Rule). Your negative behavior will be amplified and mirrored back at you, most likely escalating the situation out of control. Do the right thing to avoid conflict. If you know that something does not comply with PCI, don’t argue for the sake of arguing. Accept that you need to do some work, and gather information on how to tackle the problem. Don’t let your boss play the “push back and see what happens” card.
If you have clearly met the burden of compliance, don’t be afraid to stand up for yourself in a calm way. Have a well-thought-out, well-documented argument ready before engaging the QSA in the discussion.
If you are not getting anywhere with the QSA in this situation, escalate to his manager. Going over someone’s head is a very delicate process, and there are only a few ways to get it right while there are hundreds of ways to get it wrong. If you are just playing the odds, this escalation will not go over well. You really need to get your house in order before escalating. If things are still not working well, replace the teams on both sides of the table. Get a fresh project manager on your side, and ask for a new QSA team on their side. Doing so will probably slow things down, put project timelines in jeopardy, and potentially add more cost to the engagement, but it may be required to have a successful assessment.