PCI DSS was developed and is regulated by major credit card companies to help organizations proactively protect sensitive customer account data by implementing consistent data security measures.
If your company needs to undergo a PCI DSS audit, it will be performed by a PCI Qualified Security Assessor. In this post, we’ll dive deeper into what exactly a PCI Qualified Security Assessor is, what they do, how they achieve such a designation, and how they’ll assess your business’s PCI DSS compliance.
First and foremost, the term Qualified Security Assessor, or QSA, can be used to identify an individual qualified to perform payment card industry compliance auditing and consulting, or a company itself. QSA companies are sometimes differentiated from QSA individuals by the initialism “QSAC.”
When referring to the individual — according to the PCI Security Standards Council — a Qualified Security Assessor is an individual who meets the following criteria:
Individuals who are PCI Qualified Security Assessors perform assessments of companies that handle credit card data against the high-level control objectives of the PCI Data Security Standard (PCI DSS). Similarly, QSA companies, or QSACs, are independent security organizations that have been qualified by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS.
The PCI Security Standards Council’s in-depth program for security companies — and their employees — seeking to become Qualified Security Assessors consists of the following steps:
A fourth, and optional, step is to transition from a QSA to an Associate QSA (AQSA). An Associate QSA is a QSA company that develops new cybersecurity professionals into full QSAs.
It’s important to note that both consultants and companies holding the QSA certification must recertify annually to ensure they are up to date with any changes to the PCI DSS requirements and guidelines.
How a QSA verifies that a company is complying with PCI DSS requirements varies based on the number of credit or debit card transactions the company processes annually.
Based on their transaction volume, companies are split into four PCI DSS levels:
Whereas Level 2, 3, and 4 organizations are only required to complete an annual assessment using a Self-Assessment Questionnaire (and may require a quarterly PCI scan), Level 1 organizations must undergo an annual internal audit conducted by a QSA (and submit to a PCI scan by an Approved Scanning Vendor quarterly).
During this annual internal audit, the QSA will determine the effectiveness of your organization’s information security controls by testing all of your organization’s controls around the Cardholder Data Environment (CDE):
Since there are 12 PCI DSS requirements and 281 directives, your initial audit may take as long as two years to complete. However, not every requirement applies to every organization. Your company may not need to comply with all 281 requirements, which would reduce the time it takes to complete the audit.
To find a PCI QSA appropriate for your organization, head on over to the PCI Security Standards Council website. There, you’ll find an updated database of companies and their employees that are qualified. Once you’ve narrowed down your choices by place of business, servicing markets, and supported languages, you’ll next want to check for experience in your industry. Since payment card environments can vary significantly from industry to industry, auditing in one vertical can be quite different from auditing in another.
Once you’ve found a few companies you think might be a good match, check to see the experience level of each individual consultant at each of these companies. You should feel free to reach out to these companies directly to ask for the qualifications of the QSAs who would be potentially servicing your account.
To narrow your search even further, ask prospective QSA companies for client referrals, testimonials, their contract renewal rates, or all of the above. When assessing the latter, look for a QSA company with a renewal rate of at least 50%.
Need to get your company ready for a PCI DSS audit by a QSA? We’ve got you covered. Our initial risk assessment will help you identify the actions your company needs to take to achieve PCI DSS compliance. And, our flexible compliance platform makes it easy to maintain that compliance and expand to other revenue-boosting cybersecurity certifications.