In order to ensure optimal levels of quality in assessments of compliance with PCI SSC standards, it is highly recommended (and sometimes mandatory) to implement a periodic rotation of the advisor or QSA company. But what are its advantages and disadvantages?

For some time now it has been discussed in the different forums of the PCI SSC the idea of establishing a formal requirement for rotation of advisers or QSAs Companies after they have carried out a certain number of assessments or worked with the same client for a specific period. However, that idea is currently maintained as a recommended practice (at least for the standard PCI DSS), but it is not more than companies affected by compliance with these controls incorporate it within their own compliance policies, in order to avoid the loss of quality in evaluations due to the over-familiarization of advisors with the environments to be evaluated.

MasterCard suggestion related to the rotation of advisors. Source: https://www.mastercard.com/content/dam/public/mastercardcom/globalrisk/pdf/Q22023PCIQuarterlyNewsletter.pdf

Basically, the objective is that the entity that requires an evaluation of any PCI SSC standard (PCI DSS, PCI SSF, P2PE, etc.) chooses to implement an internal policy that allows it to change the QSA advisor that has carried out previous audits or change the company that offers this service according to acceptable time parameters. For example:

  • Changes of Lead Advisor: The same QSA advisor cannot lead more than X audits in a row in the same company. This implies that at the end of this period a new QSA advisor from the same company will have to enter the project to lead the audit activities.
  • Changes of company QSA (QSAC): The same QSA company cannot be hired for more than X years in a row to perform audit actions.

In either of the two cases listed above, it could be assessed whether or not the lead advisor or the previous QSA company is allowed to participate in other activities related to the implementation and maintenance of certification (such as training, execution of security tests, conducting differential analysis, etc.).

The advantages and disadvantages of this procedure as a critical element for an organization to incorporate into its compliance program will be listed below. It is important to add that the applicability of this practice can be extrapolated to any service provider and not only to QSA advisors or companies. It is also applicable in companies that are assessed using internal resources (Internal Security Assessor – ISA), which can rotate their internal evaders with external evaluators.

Advantages of rotation of QSA advisor or company

  • Identification of potential weak areas: All QSA advisors and companies must comply with a series of requirements strict enough to be able to execute assessments of any of the PCI SSC standards. However, each professional is different and may have a main area of experience that allows him to delve into one area more than another: database management, software development, operating systems operation, etc. With the entry of a new professional to the team with a different area of expertise, the compliance assessment can identify points of improvement that have not been detected previously thanks to a "fresh" point of view.
  • Avoid falling into preconceived valuations: After several audit exercises, a QSA advisor could "predict" the outcome of compliance with a particular requirement given their knowledge of a company's environment and minimize the requirement in the assessment. Or, conversely, a customer could also "predict" the areas in which the QSA will place greater emphasis on reviews, as they know their behavior from previous compliance assessments, preparing some controls more than others. To manage this inconvenience and ensure global coverage of the environment, the rotation of the advisor or QSA company will overturn the audit process with different and not preconceived criteria.
  • Different points of view with the same objective: The controls of compliance with a standard are explicitly defined and their objective is that they do not lend themselves to subjective interpretations. However, the assessment methodology of each requirement varies depending on each QSA advisor or company: the way of conducting interviews, obtaining evidence, performing observation tasks, generating sampling, etc. With the combination of different methodologies with the same objective (assessment of compliance) we can highlight weaknesses in the organization that can be enhanced to improve global security levels.
  • New knowledge and improvement options: Aside from audit tasks, each QSA professional brings their expertise to the companies they audit and can recommend improvements or alternatives for optimizing compliance controls. With the periodic change of advisor or QSA company, the contributions in terms of professional experience and advice will be greater and potentially cover other areas.

Disadvantages of rotation of QSA advisor or company

On the other hand, not everything can be good. If a QSA advisor or company rotation is implemented, the following drawbacks can be addressed:

  • Use of additional time in interviews, meetings and obtaining evidence: Due to the absence of previous experience, the new advisor or the new company will have to obtain the information of the environment practically from scratch. This implies that the entity's staff involved in the assessment process will need to spend more time and effort to inform the advisor about the status of implementation of their controls.
  • Adaptation to new methodologies, processes and / or tools used by the company QSA: As mentioned above, each QSA company uses different strategies to obtain evidence and for its subsequent centralization, catalog and analysis. Likewise, different tools can be used for the management of agendas, communication with the client, etc. In this case, the evaluated entity must invest additional time to adapt to the work format of the new company

Compliance programs with mandatory rotation of QSA companies

Even though standards like PCI DSS or its related validation programs do not require a regular rotation of advisors or QSA companies, there are a couple of exceptions implemented by Visa in this regard:

  • For evaluations of the PCI 3DS and PCI Card Production standards, Visa requires a mandatory rotation of the consulting company after two evaluations in a row.

Posted by David Acosta

Qualified Security Assessor (QSA) for PCI DSS, PCI PIN, PCI 3DS, P2PE and PCI TSP. CISSP, CISA, CISM, CRISC, C|EH, C|HFI.

Leave to Reply