To 3C or not to 3C? That is the business question. Should you have a QSA attest your PCI-SSC SAQ or not? That is a decision business.
Lately, we at Silent Storm Security have seen an influx of companies requesting a QSA signature to their PCI-SSC SAQ (Payment Card Industry Security Standards Council Self-Assessment Questionnaire). In section 3C of any SAQ there is a section that asks if a QSA assisted with the SAQ. While this is not required by the PCI council (although I’m sure they would prefer it), many of our clients are getting it done due to a request from their customer(s). With all of the data breaches in the news, it would make sense that many companies want to engage with vendors who have had at least an independent licensed QSA confirm what is in the SAQ. Many companies are also very strict in regard to who they will engage as a vendor, and for many, no 3rd party licensed QSA attestation is a red flag (and a loss of business for you).
Many companies reading this might say: “Well, we don’t have any companies requesting a SAQ sign our SAQ, so why waste the money?”. The answer to that is simple. As mentioned earlier, many of our customers are coming to us with potential business for them (and therefore revenue) in the balance and are scrambling to get their SAQ reviewed and signed by a QSA. So just because you might not be getting requests now, having it in place will provide the following:
- Instant availability to provide a QSA signed SAQ to a potential customer/client.
- Provides a business advantage to those companies who do not have a QSA signed SAQ.
- Being able to provide the QSA signed SAQ to your customer/client will let them know that you went the extra mile and are dedicated to your compliance.
If you are interested in SAQ assistance/attestation, please reach out to us at firstname.lastname@example.org
Author: R. Scott Pierangelo
Silent Storm Security|Founding Partner MSCS, QSA, PMP, CISSP, CISA, CISM, CRISC, CGEIT, PCIP