A Qualified Security Assessor (QSA) is an independent security organization that has been qualified and approved by the Payment Card Industry (PCI) Security Standards Council (SSC) to confirm and validate an entity’s compliance with the PCI Data Security Standard (DSS).
A QSA is responsible for the assessment of security controls within an organization. Their goal, in part, is to understand and document the extent to which the controls are configured correctly, operating as expected, and producing the desired outcome associated with that security control and the controls to which it interconnects.
There is considerable discussion about the importance of assessor independence. Maintaining assessors as impartial and unbiased participants in an equally neutral and fair assessment process is essential. They must deliver objective, unbiased information so that the assessed organization can make a fully informed, risk-weighted decision to drive remediation going forward.
The certification of QSAs indicates only that the specific QSA has met all of the PCI SSC requirements to perform proper assessments. To be clear, the PCI SSC does not endorse in any way these security solution contractors, their business practices, or the processes and practices they employ.
QSA companies and the QSA assessor employees must have the skills, experience, and knowledge to perform correct PCI DSS assessments. To be qualified as a QSA company, at least one of its employees must meet all QSA requirements. Per the PCI SSC Qualification Requirements for Qualified Security Assessors v4.0 (March 2021), each QSA employee generally must:
Please refer to the PCI DSS website for additional detailed and current information: https://www.pcisecuritystandards.org/
Auditing firms often reference their ability to complete a PCI audit. Still, unless they appear on the list (database) published by the PCI SSC, they may outsource the project to external contractors. Therefore, it is vital to have a direct relationship with your QSA. It is also essential to have the correct certification: QSAs certified by the PCI SSC should not be confused with the PCI Professional (PCIP) certification, which is an entry-level certification for an individual in payment security.
Preparing for a PCI audit
PCI compliance audits are routinely required of businesses that process credit card transactions. The audit is intended to validate compliance with the PCI DSS standards. In addition to regularly scheduled PCI compliance audits, there may be audits triggered by an alleged violation.
Businesses can prepare for an upcoming PCI compliance audit. Often, a checklist review (pre-audit assessment) can help them stay on track toward full compliance with the PCI standard. Penalties imposed by credit card companies for failing a PCI compliance audit are highly undesirable: they can impact the credit card processing on which many of these businesses depend for revenue.
The basic steps include: