This is the first chapter in a series about preparing for and going through a PCI assessment:

1. Part One - Introduction to PCI onsite assessment & QSA selection process
2. Part Two - Preparation for an onsite assessment and what to do first!
3. Part Three - Defining your scope so you know what you're assessing
4. Part Four - Authoring a PCI Onsite Assessment RFP
5. Part Five - Selecting a QSA to conduct an onsite PCI assessment
6. Part Six - Preparing your Company and I.T. department for the assessment
7. Part Seven - Important documents to have to manage your assessment

After recently going through the preparations for an onsite PCI assessment and the QSA vetting and selection process (again, for the third time), I figured I would pass on some of my experiences, opinions, tips and useful documentation to others. First, let me say I think I have a completely different perspective than 95% of the other PCI compliance bloggers out there. Second, to my knowledge the vast majority of other bloggers, and more specifically PCI bloggers, are either QSAs or external consultants. I have yet to find any others (and I am sure they exist) that speak to PCI from the merchant's point of view, whether it be from the compliance management or the ground-level I.T. security aspects.

When I first was tasked with seeking out a QSA, authoring an RFP, designing a scoring matrix to grade them, etc., I quickly realized (I really knew this already) that this is nothing like trying to figure out which enterprise SIEM solution you want, or selecting a database solution. I would dare to say that selecting a firm for, and scoping, a SOX audit (speaking from I.T.'s view) is nothing compared to scoping a PCI assessment and selecting a QSA to perform it. I know because I have scoped and led SOX 404 audits as a compliance manager. Also, when going out and searching the web for assistance, I found very little help or resources for merchants that spoke to these subjects, such as the QSA selection process.

Yes, we all know what the requirements are, and the testing procedures, blah blah blah, but when trying to author an RFP, define a deliverables management process and timeline, conduct the QSA selection process and interviews, work out what questions to ask to best gauge their practical experience with PCI and payment systems, and scope the engagement properly, I found very little. Here's a shout out to the PCI guru for a lot of help I got from him during this process back in the day.