Independent Contractors and PCI DSS Programs

Achieving and maintaining PCI DSS compliance is a lengthy and costly journey, as anyone with experience of the payment standards knows. Plenty of activities lead up to the formal PCI DSS assessment, such as:

  • Cardholder Data Environment (CDE) scope definition.
  • A compliant network design and implementation.
  • Security controls design and implementation.
  • Policies and procedures development.
  • Gap analysis or readiness assessments.
  • Remediation activities.

The above activities take time; depending on the size of the PCI DSS Program, they can take from weeks to many months (or even years) to conclude.

PCI SSC offers three different qualifications for individuals wishing to work with the payment standards professionally. These qualifications are:

  • Qualified Security Assessor (QSA).
  • Internal Security Assessor (ISA).
  • PCI Professional (PCIP).

All three certifications bring the whole payment security community together around the same goal: protecting cardholder data in line with PCI DSS mandates.

It is important to note that only Qualified Security Assessors (QSAs) and Internal Security Assessors (ISAs)* are authorised to conduct formal PCI DSS assessments.

*An ISA may only assess the single entity that sponsors their PCI ISA qualification, and only some types of PCI DSS assessment may be conducted by an ISA. For details, refer to the payment schemes' websites.

However, Independent Contractors specialising in PCI DSS services can assist with many of the activities highlighted above that lead up to the formal PCI DSS assessment. The preparation phase is often far longer and more complex than the PCI DSS assessment itself.

What are some benefits of utilising Independent Contractors in your PCI DSS Program?

  1. Lower rates - reduce the cost of preparing for the final PCI DSS assessment and spend the budget elsewhere. You can save up to 50% of your project budget.
  2. Access to a broader talent pool - QSAs are busy. Consider widening your search to include Independent Contractors (PCI Professionals) who can help your organisation with most PCI DSS activities before the QSA is booked for the final assessment. Look at the global talent pool; most PCI DSS activities can be done remotely.
  3. Experience matters - hire contractor-specialists with previous experience in the technologies and solutions implemented at your organisation. Not all QSAs specialise in all technologies, and not all QSAs have an equal technical background. It may be wiser to partner with an experienced contractor to do the groundwork and leave the final assessment to the QSA.
  4. Flexibility - fixed or rolling contracts give you freedom and preserve your budget to spend on securing other parts of your business.


Jake Eliasz is an Independent Cyber Security Advisor working under his own brand, Cipherlex | Cyber Security Consulting. For nearly 20 years, Jake has been helping global businesses juggle ever-growing cyber threats, compliance, and the security of their most valuable assets. Jake holds a Master's Degree (MSc) in Information Security along with several industry-leading certifications, including CISSP, ISSAP, CCSP, CISA, CEH and QSA.
