First impressions do count. We’re told over and over how important it is to leave a good first impression. That applies not only to your business and personal relationships but to your PCI-DSS (Payment Card Industry – Data Security Standard) Assessment as well. While organizations often feel that a PCI Audit does not commence until the kickoff meeting has taken place onsite, the fact is, that the support one receives prior to the onsite assessment sets the tone.
The QSA notices when stakeholders have to postpone or cancel a meeting without designating someone to attend in their place. Are they taking this seriously? The QSA also notices when someone is more adept at challenging the assessment as opposed to wanting to understand the intent. Unfortunately, in those real world examples the tone has been set. What makes a successful and productive PCI DSS Assessment is the cooperation and willingness of the organization to complete the PCI Audit in a timely fashion.
The QSA also has a responsibility to ensure the timely completion of the PCI assessment. How is this accomplished? By observing current procedures in place that are relevant to the PCI Audit without having to specifically setup a meeting. By working in the background, much as a process does on your workstation, we can limit the disruption to your company’s normal business operations.
For example, companies often assume that the PCI assessment doesn’t start until all stakeholders have met and exchanged introductions during the kick off meeting. However, a well trained QSA starts the assessment the moment he or she showed up at your location.
Is an access card required to enter the facility? Where are the security cameras? Why wasn’t I challenged when I pressed the intercom to gain access to the facility? The receptionist might be pleasant but why wasn’t I asked for identification before being issued a badge? Once issued, why wasn’t I asked to sign into a log? Why was I buzzed into a secure area without an escort? A review of Requirement 9 covering Physical Security will show you that a number of requirements were tested prior to our kickoff meeting taking place. Like a process running in the background, requirements were tested by the QSA without a meeting to all physical security elements. Since the requirements were already tested and the results well known, they become points for further discussion throughout the week.
Throughout the documentation review prior to coming on site as well as the moment we step onsite, we’ve already started evaluating compliance and identifying the issues that may keep the PCI Assessment from flowing smoothly. In the end, first impressions do count.