PCI DSS was developed and is regulated by major credit card companies to help organizations proactively protect sensitive customer account data by implementing consistent data security measures.
If your company needs to undergo a PCI DSS audit, it will be performed by a PCI Qualified Security Assessor. In this post, we’ll dive deeper into what exactly a PCI Qualified Security Assessor is, what they do, how they achieve such a designation, and how they’ll assess your business’s PCI DSS compliance.
What is a PCI Qualified Security Assessor?
First and foremost, the term Qualified Security Assessor, or QSA, can be used to identify an individual qualified to perform payment card industry compliance auditing and consulting, or a company itself. QSA companies are sometimes differentiated from QSA individuals by the initialism “QSAC.”
When referring to the individual — according to the PCI Security Standards Council — a Qualified Security Assessor is an individual who meets the following criteria:
- Meets specific information security education requirements
- Has taken the appropriate training from the PCI Security Standards Council
- Is an employee of a PCI security and auditing firm that has been approved as a Qualified Security Assessor (QSA) company
- Will be performing PCI compliance assessments as they relate to the protection of credit card data
What does a PCI Qualified Security Assessor do?
Individuals who are PCI Qualified Security Assessors perform assessments of companies that handle credit card data against the high-level control objectives of the PCI Data Security Standard (PCI DSS). Similarly, QSA companies, or QSACs, are independent security organizations that have been qualified by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS.
What does it take to become a PCI Qualified Security Assessor?
The PCI Security Standards Council’s in-depth program for security companies — and their employees — seeking to become Qualified Security Assessors consists of the following steps:
- Application of the firm for qualification in the program — which involves providing documentation such as certifications, business license(s), and insurance certificates, and paying the registration fee
- Training and testing of all individuals who will be involved in assessing security for the company’s clients
- Enrollment as a QSA and receipt of a Letter of Acceptance
A fourth, and optional, step is to transition from a QSA to an Associate QSA (AQSA). An Associate QSA is a QSA company that develops new cybersecurity professionals into full QSAs.
It’s important to note that both consultants and companies holding the QSA certification must recertify annually to ensure they are up to date with any changes to the PCI DSS requirements and guidelines.
What are PCI Qualified Security Assessors looking for during an audit?
How a QSA verifies that a company is complying with PCI DSS requirements varies based on the number of credit or debit card transactions the company processes annually.
Based on their transaction volume, companies are split into four PCI DSS levels:
- Level 1: More than 6 million real-world credit or debit card transactions annually
- Level 2: Between 1 and 6 million real-world credit or debit card transactions annually
- Level 3: Between 20,000 and 1 million e-commerce transactions annually
- Level 4: Fewer than 20,000 e-commerce transactions annually
Whereas Level 2, 3, and 4 organizations are only required to complete an annual assessment using a Self-Assessment Questionnaire (and may require a quarterly PCI scan), Level 1 organizations must undergo an annual internal audit conducted by a QSA (and submit to a PCI scan by an Approved Scanning Vendor quarterly).
During this annual internal audit, the QSA will determine the effectiveness of your organization’s information security controls by testing all of your organization’s controls around the Cardholder Data Environment (CDE):
- Point-of-sale system
- Network segmentation
- Data encryption
- Access (including physical access) to the CDE
- The application that processes payment information
- Where and how card information is stored
- Security of the routers transmitting credit card information
- Your vendors’ data security
- And more
Since there are 12 PCI DSS requirements and 281 directives, your initial audit may take as long as two years to complete. However, not every requirement applies to every organization. Your company may not need to comply with all 281 directives, which would reduce the time it takes to complete the audit.
How to choose an appropriate PCI Qualified Security Assessor
To find a PCI QSA appropriate for your organization, head on over to the PCI Security Standards Council website. There, you’ll find an updated database of companies and their employees that are qualified. Once you’ve narrowed down your choices by place of business, servicing markets, and supported languages, you’ll next want to check for experience in your industry. Since payment card environments can vary significantly from industry to industry, auditing in one vertical can be quite different from auditing in another.
Once you’ve found a few companies you think might be a good match, check to see the experience level of each individual consultant at each of these companies. You should feel free to reach out to these companies directly to ask for the qualifications of the QSAs who would be potentially servicing your account.
To narrow your search even further, ask prospective QSA companies for client referrals, testimonials, their contract renewal rates, or all of the above. When assessing the latter, look for a QSA company with a renewal rate of at least 50%.
PCI DSS audits made easy with Strike Graph
Need to get your company ready for a PCI DSS audit by a QSA? We’ve got you covered. Our initial risk assessment will help you identify the actions your company needs to take to achieve PCI DSS compliance. And, our flexible compliance platform makes it easy to maintain that compliance and expand to other revenue-boosting cybersecurity certifications.