If you’ve successfully completed your first PCI DSS audit, you might have forgotten that your one-year renewal mark is approaching. Four to six months before your renewal mark is a great time to decide whether you should renew your contract with your current PCI audit vendor, or start searching for a new one.
Read more to hear expert advice from VP of Enterprise Sales Jason Leland about the pros and cons of renewal, how to evaluate your first experience, and what to establish for a successful, long-term partnership.
No matter which way you look at it, you’re probably going to save some time and money if you choose to renew with the same vendor.
When you first chose your PCI audit firm, your assigned QSA had to learn your environment and specific needs, which typically takes a good chunk of time. That onboarding time carries a cost, which was built into your current year's audit fee, so you won't have to pay it again if you renew.
If there were aspects of your first audit experience that you didn't appreciate, renewing means you risk having that same experience again.
True, there’s always the chance that you resolved any issues and this year could go smoother.
But if you renew with a partner who was a bad fit for you, you might save time and money while risking another disappointing audit experience.
A major reason customers renew is the continuity and familiarity they have with their current QSA (Qualified Security Assessor).
Your QSA already understands your environment, people, and processes, and has a rapport with your team. This can significantly reduce the time and effort needed for the next audit.
As SecurityMetrics VP of Enterprise Sales Jason Leland notes, “Having the same assessor year-over-year saves customers time and money because they avoid the learning curve associated with a new assessor, who would need to understand the company's environment, processes, and goals.”
While convenience is a major benefit, a new QSA might offer a fresh perspective and uncover issues or compliance gaps that your current vendor has overlooked.
Continuing with a vendor who simply "checks boxes" for compliance might not align with your broader security goals.
Another risk is becoming overly reliant on one vendor, potentially missing out on new services or competitive pricing from other firms.
Jason Leland recommends that “your decision to renew should largely depend on your overall experience. This is the most crucial part of your decision-making process.”
Use this actionable checklist to evaluate your first audit.
“It’s been a great partnership during my ten years working with SecurityMetrics. I appreciate the knowledge of the assessors and compliance experts and how they work well with all the departments at USC.
If I have questions, I get answers quickly from SecurityMetrics support.
I feel more peace of mind partnering with SecurityMetrics because of their extensive background working with universities and their complex environments.”
-Richard Mariscal,
Merchant Services and PCI manager,
USC Treasury Department
If you decide to renew, you may want to see what your PCI audit firm will do to make your next year even better. Here’s how to have that conversation.
It's important to set clear expectations for the coming year.
This includes establishing a schedule for proactive engagement, such as quarterly check-ins or interim meetings, to ensure you're maintaining compliance throughout the year.
You should also agree on a process for your vendor to review your remediation progress on an ongoing basis.
Pro Tip: A reputable PCI audit firm should prioritize your deadlines as a returning customer. See what their policy is for helping you meet your exact dates.
Ensure the scope of work is clearly defined. Check for any new services or add-ons that might benefit you, and discuss the pricing structure.
Pro Tip: Most PCI audit firms won't offer a financial discount to returning customers; however, they will often negotiate discounted rates for bundling other services you need, or let you choose your assigned QSA.
The shift in PCI DSS version 4 from a "snapshot in time" audit to continuous compliance makes your ongoing relationship with a QSA even more critical.
Discuss how the vendor will help you implement PCI DSS v4 requirements and best practices, such as enhanced authentication measures.
“I don’t think it was much harder, and I have to equate that with SecurityMetrics helping us out with version 4. I believe we were one of the first version 4 assessments your team did.
Our team and your team were on top of communicating things that were changing and how requirements were unfolding.
We got instructions on things that had to be approved and what evidence was needed. The PCI DSS certification process starts months before your actual assessment, so we had a good conversation going and we set expectations for audit timing.”
-Ryan Kuenneke,
Director of Engineering
Anedot
Use this list of questions to have a productive conversation with your current vendor or to evaluate potential new partners.
“I appreciate that you guys are always there for us to contact if we have questions. As things change and new technologies come out, we can always bounce ideas off of our assessor or other SecurityMetrics professionals for advice.
We can ask if new technology can be used and what we should be looking out for so we stay in compliance.”
-Martin Kenney,
Senior Systems Engineer
Infosend
Jason Leland explains that “while budget cuts can sometimes lead to non-renewals, the decision often comes down to the overall customer experience. The goal is to find a strategic partner who will help you not only meet compliance requirements but also strengthen your overall security posture. The right partner can turn a dreaded annual audit into a valuable opportunity for growth and security.”
Before choosing to renew your contract, ask yourself, is my PCI Audit Firm:
Using the provided questions above, you can have a productive conversation with your current vendor or begin evaluating potential new partners.