After my last post on the Lack of Understanding in QSAs, Brad emailed me and asked how much a QSA or ISA should look behind the curtain for someone like an Iron Mountain (analogy used in the post). I feel like a bad consultant/blogger because I only pointed out a problem, but didn’t point out a solution.

It’s OK though, I’m over it now.

How deep is deep enough? Here is a basic guideline:

  • Is the service provider currently on the PCI DSS Global Registry of Service Providers, and is their listing current? If so, I think most QSAs would look at how the data is handled prior to the handoff, make sure that the handoff and contracts are compliant with PCI DSS (encrypted if over public networks, tracked if sent by courier, and Requirement 12.8), and accept the current listing as evidence that they are taking care of business on their end.
  • Does the service provider have any audit or assessment results to share? SAS 70s are by no means perfect, but if properly scoped, the results (Type II preferred over Type I) could be used as a way for a QSA or ISA to understand what is being done with the data once it enters their control. Again, scope is EVERYTHING here. If not all of the relevant controls are checked, QSAs and ISAs must go back and evaluate the specific requirements missed. In addition, QSAs or ISAs should spot check the SAS 70 report as part of a normal diligence process.
  • Has the provider had a breach recently? Not that we should add to the dog pile they are already dealing with, but any provider that suffered a breach should go through additional checks. QSAs and ISAs may need to visit the site.
  • Is there nothing available on the vendor? QSAs or ISAs should just plan a day or more to go on-site and investigate their practices.
  • What if the contract does not have a right to audit provision? First, fire your head of procurement. Next, create some best practices in accordance with Requirement 12.8.3, and run your current vendor list through that diligence list (to get all of your documentation current). Finally, you have to work with the vendor to get some information out of them. Requirement 12.8.4 says that QSAs or ISAs must verify that the company being assessed has some kind of way to monitor their service providers’ compliance status, and do it at least on an annual basis. If you need to make a change, do it. Most vendors have heard of PCI DSS by now (unless you are their only retail customer) and have had to make some adjustments.

This post originally appeared on
