You readers know that I used to run one of the larger QSAs, and I took pride in the team we built, the work we did, and what our customers said about our experience. Yes, we actually had customers tell us that they LIKED their QSA. How rare is that today?


Since getting out of that business, I have spent quite a bit of time helping my customers operate more securely, and in conjunction with that, comply with various standards like PCI DSS. The only time I’ve heard more colorful language describing someone is when my wife screams at the TV during football. BARELY more colorful.

Earlier this month, the PCI SSC announced that it was revoking the QSA and PA-QSA status of CSO, and did so by releasing a four-page FAQ on what that means for CSO's customers. Unless I missed something, this is the first time a QSA's status has ever been revoked in the five-year history of the Council. That's not to say QSAs or PA-QSAs haven't left the ranks of their own accord before; they have. But this one looks pretty serious.

Frankly, I don't think it should have to come to this, because a busy QSA that has its status revoked leaves a huge number of companies in the lurch. Is this evidence that the Council's QA program is working? Perhaps. But it may also be evidence of two trends I identified years ago: opinion shopping, and choosing an assessor on price alone.

If you chose this company to perform your assessment, you are now facing more work, more money, and potentially delayed revenue, because your payment application validation will arrive later than you planned. Due diligence on your QSA is important to do BEFORE you sign the contract. When I was winning deals at my old company, there were many times that I felt like I was going on a job interview with the prospect. It was FUN! I enjoyed helping the customer understand the real issues, and they enjoyed kicking the tires (or my ribcage) to see what their experience might be like.

What do you readers think about this? Should we be punting more QSAs? We’ve all heard the horror stories. Is it just shop talk over beer, or should the Council revoke more?

If you want a fun read, go check out my article The Seven Deadly Sins of a QSA for more on badly behaving QSAs!

This post originally appeared on
