Redundant QSAs: Working Smart, Side-Stepping the Rabbit Hole & Streamlining

Are your QSAs wasting your time (and money)?

Your QSA shouldn’t just be ensuring you are PCI DSS compliant. They should be side-stepping the potential rabbit hole, creating a value-added service, and making their roles (sort of) redundant. The result? Control reduction (does 240 to 21 sound acceptable?) The benefit? You save money, time and energy – allowing you to focus your efforts on driving the business forward.


PCI DSS compliance means meeting multiple controls to showcase your data is secure. Standards are high, and often likened to a rabbit warren: try to meet every control and you can enter a bleak hole of increasing cost, time and energy.

Meeting every single one of these controls can be cumbersome. Too often, companies shape their cardholder data to meet each and every control out there. However, unless the sole purpose of your organisation is to protect the capture, storage, processing and/or transmission of cardholder data, then it is a protracted task that is quite possibly unnecessary and, arguably, unrealistic.


Your QSA should be focussed on providing a first-class service: the primary concern should be delivering accurate advice in relation to PCI standards and auditing them appropriately.

However, there are many ways to skin a rabbit (if you’re that way inclined). Meeting Every. Single. Control. may be satisfying but, unless required, it just adds to the total number of billable days and not much else. QSAs are intelligent people, who should be working smart.

The trick to avoid the PCI DSS rabbit hole? Meet only the controls that you need to.

As always however, it’s not quite that simple. There is an art in understanding how you can reduce the number of relevant controls while still meeting the rigour of the standard.  But, put simply, re-shape the payment landscape, define the scope, justify the applicable controls … you’re plain sailing.


We like to boast every now and again, and this is one such example: our QSAs have reduced their workload with one of our long-standing clients. 110 controls to 6. 15 days billable to 4. The result? One happy client.

Why did we choose to reduce our revenue? Simple. Integrity is a core value here at One Compliance. We build strong relationships based on trust, and there is a complicit understanding throughout the entire team that we will do what is right. We work as a true extension of our client’s team, which means that we look for efficiencies where we can, and not a fat paycheck. The hard truth of it is that we only succeed if our clients do.

Though we like to brag, the reality is that scope reduction should be standard. It’s what we strive to do for every single one of our clients, and what your QSA should be aiming for too.

#WINNING. Scope Reduction & Options Analysis

It is par for the course: QSAs should be securing your PCI environment in the best way possible, not just ticking off a long list of controls.

Maintaining the rigour of the PCI DSS is absolutely the main aim. 100%. But, applying the art of reducing applicable controls can save you big time. Money, effort, risk. You streamline whilst being fully compliant.

It is not uncommon for us to review a new client’s compliance programme and see poor advice written all over it. Often asked to do a ‘Gap Analysis’ in these scenarios, we (again) see wasted resource: checking the payment landscape against the entire standard is looking at it from the wrong way. Red ink against controls that the company is not necessarily required to meet.

An Options Analysis, however, starts at the other end. Looking initially at the payment landscape, the analysis offers a variety of solutions, including the possibility of reducing complexity and, in return, your PCI DSS scope. We all know that reduced scope results in less billable days, and ultimately a cost saving. #winning.


Our QSAs (some of the best in the world) live & breathe PCI data security standards. Not only some of the highest qualified, they think and work smart too. They provide a value-add service and side-step the rabbit warren whenever they can – our client’s payment environment is not only PCI DSS compliant, but is streamlined too.

Call us today on +44 (0)20 3855 0895, let us help you avoid the potential rabbit warren that is PCI DSS. Let our world-class QSAs made their roles (sort of) redundant.

One Compliance is a trusted data privacy and cyber security specialist who focus on increasing the robustness of your security. Our qualified team of consultants and QSAs help reduce complexity, mitigate risk and ensure your data is both secure and compliant.

more insights