Qualified Security Assessor (QSA)
A Qualified Security Assessor (QSA) is an independent security organization that has been qualified and approved by the Payment Card Industry (PCI) Security Standards Council (SSC) to confirm and validate an entity’s compliance with the PCI Data Security Standard (DSS).
A QSA is responsible for the assessment of security controls within an organization. Their goal, in part, is to understand and document the extent to which the controls are configured correctly, operating as expected, and producing the desired outcome associated with that security control and the controls to which it interconnects.
There is considerable discussion about the importance of assessor independence. Maintaining assessors as impartial and unbiased participants in an equally neutral and fair assessment process is essential. They must deliver the most objective and unbiased information to make a subsequent, fully informed, risk-weighted decision to drive remediation going forward.
The certification of QSAs indicates only that the specific QSA has met all of the PCI SSC requirements to perform proper assessments. To be clear, the PCI SSC does not endorse in any way these security solution contractors, their business practices, or the processes and practices they employ.
QSA companies and the QSA assessor employees must have the skills, experience, and knowledge to perform correct PCI DSS assessments. To be qualified as a QSA company, at least one of its employees must meet all QSA requirements. Per the PCI SSC Qualification Requirements for Qualified Security Assessors v4.0 (March 2021), each QSA employee generally must:
- Pass requisite background checks.
- Demonstrate sufficient information security knowledge and experience to conduct technically complex security assessments.
- Possess a minimum of one year of experience in each of these areas: application security, network security, information systems security, IT security audit, and information security risk assessment (or risk management).
- Be accredited by a leading information security organization, for example ISC2, ISACA, certification as an ISO 27001 Lead Implementer, or METI Registered Information Security Specialist (RISS).
- Hold a leading audit certification, such as ISACA CISA, GIAC GSNA, ISO 27001 Lead Auditor or Internal Auditor, IRCA ISMS Auditor, or IIA Certified Internal Auditor.
- Attain comprehensive knowledge of PCI DSS and all applicable supporting documentation that PCI DSS publishes or displays on their website.
- Attend annual QSA training by PCI DSS.
- Meet the PCI SSC code of professional responsibility.
- Be an employee of the QSA company – no subcontracting without the explicit approval of PCI SSC.
- Understand the processes used with credit card processing and cardholder data.
Please refer to the PCI DSS website for additional detailed and current information: https://www.pcisecuritystandards.org/
Auditing firms often advertise their ability to complete a PCI audit. Still, unless they are on the list (database) published by the PCI SSC, they may outsource the project to external contractors. Therefore, it is vital to have a direct relationship with your QSA. It is also essential to have the correct certification: QSAs certified by PCI should not be confused with the PCI Professional (PCIP) certification, which is an entry-level certification for an individual in payment security.
Preparing for a PCI audit
PCI compliance audits are routinely required of businesses that process credit card transactions. The audit is intended to validate compliance with the PCI DSS standards. In addition to regularly scheduled PCI compliance audits, an audit may be triggered by an alleged violation.
Businesses can prepare for an upcoming PCI compliance audit. Often, a checklist review (pre-audit assessment) can help them stay on plan to full compliance with the PCI standard. Penalties for failing a PCI compliance audit imposed by credit card companies are highly undesirable: they can impact the credit card processing on which many of these businesses depend for revenue.
The basic steps include:
- Before the Engagement. You will need to work with the QSA or their organization to determine what is required and ensure that it is correctly quoted.
- Before the Onsite. A QSA does an initial gap assessment to help ensure that an organization is ready to start an audit.
- Onsite Activity. During the onsite activity, the QSA will verify that the organization is compliant. If there are items that need to be addressed, remediation activity is identified. The audit is as of that moment in time, but arrangements with the QSA often allow continued coordination to help reach compliance.
- After the Onsite. Remediation is identified in detail, and the Report on Compliance (ROC) can be signed. The ROC follows a PCI DSS template. ROC sections include contact information and report date, summary overview, description of the scope of work and approach taken, details about the reviewed environment, quarterly scan results, and finally, the findings and observations. There are usually appendices for PCI DSS requirements, compensating controls and a compensating controls worksheet, and a segmentation and sampling diagram of business facilities/system components.