Having recently come from my annual QSA re-certification class, it was obvious to me that there are some very large chasms in the interpretation and service level of offerings by QSA vendors. There are some very large companies that are basically selling you a check-box, and in reality are doing nothing to meet the intent of the PCI-DSS. They staff their engagements with very junior people, try to pull data, and then have their QSA “manage” the project and basically sign off on the engagement. You get a report, you get some helpful information, and you get a check-box. What you don’t get is someone who is vested in making your security better.

I liken it to going to a doctor. The least expensive doctor will ask you the questions they were taught, and ultimately come to a diagnosis based on expedience (i.e., they want your money and really don’t care whether they get the right diagnosis). A better doctor will have experience, and when you answer the typical questions, will have the ability to catch nuances and the experience to detect problems where you might not. They are vested in an accurate diagnosis, and ultimately in improving your health. In the short term, the first doctor is less expensive, but in the long term, the experienced doctor will save you money.

I am convinced more than ever that THE critical part of choosing a QSA is the level of business and security experience of the staff who will do the engagement. As in many things, you are likely to get what you pay for when selecting QSA vendors. This does not mean that the most expensive is the best, but I would argue that the company with the most experienced security staff is likely the best long-term bet. I have yet to have this last thought disproven!