A Qualified Security Assessor (QSA) is an independent third party, employed by an assessor company qualified by the PCI Security Standards Council (PCI SSC), that a merchant or service provider hires to assess its cardholder data environment and advise on how to become compliant with the Payment Card Industry Data Security Standard (PCI DSS).
What Does a QSA Do?
How much involvement the assessor has depends on the ‘level’ a merchant has been assigned. Merchants fall into one of four merchant levels based on their annual transaction volume over a 12-month period; the thresholds are set by the card brands, and the Visa levels are the ones most commonly quoted. Level 3 and 4 merchants, typically small-to-medium sized businesses, usually validate compliance through a Self-Assessment Questionnaire (SAQ) and will not necessarily need the assistance of a QSA.
Level 1 merchants require an annual onsite assessment and a Report on Compliance (ROC), normally completed by a QSA (a trained Internal Security Assessor can complete it where the card brand permits). Requirements for Level 2 merchants vary by card brand: Visa accepts an annual SAQ, while Mastercard requires the assessment to be carried out by a QSA or an ISA. During the assessment the QSA determines whether the organisation has met the 12 PCI DSS requirements, documents the evidence for each, and completes the ROC together with the accompanying Attestation of Compliance (AOC).
How Does Someone Become a QSA?
To qualify as a QSA, an individual must meet the PCI SSC’s information security education and experience requirements and complete the Council’s training. They must also be full-time employees of a QSA company qualified by the PCI SSC, and both the individual and the company are re-qualified annually.
Because the quality of PCI DSS validation assessments has a significant impact on how security measures and controls are actually applied, the qualification requirements QSAs must meet are demanding and detailed. Once the PCI SSC has accepted an applicant, they must complete the QSA training course and pass the exam before receiving official certification.
How Do They Interact with Internal Security Assessors?
Internal Security Assessor (ISA) sponsor companies are organisations that have been qualified by the PCI SSC to put their own employees through the Council’s Internal Security Assessor Programme, which gives those employees the opportunity to receive training and earn the ISA qualification.
The aim of this training is to improve the organisation’s understanding of PCI DSS and the requirements it must meet to be compliant. It also improves the organisation’s interactions with Qualified Security Assessors, since an ISA can prepare evidence, scope the environment and answer questions in the assessor’s own terms, and it enhances the reliability, quality and consistency of PCI DSS self-assessments. The result is the proper and consistent application of PCI DSS measures and controls.
How Should You Choose a QSA?
As in any profession, there can be considerable differences between the technical skills of individual QSAs. An assessor who accepts weak evidence, or who does not understand your payment channels, can sign off an environment that is not actually secure, so the value of the assessment is only as good as the assessor performing it.
There are three questions you should ask to give your organisation the best chance of hiring a reputable and thorough Qualified Security Assessor:
- What type of organisations have they performed PCI DSS assessments for?
The type of organisation a QSA has assessed in the past matters because payment card processing equipment, applications and channels (card-present terminals, e-commerce, telephone payments in a contact centre) vary from sector to sector. An assessor with prior experience in your industry will recognise the typical scoping pitfalls and can give more relevant security guidance.
- What is their background?
The experience and background to look for depends on the particular aspects of PCI DSS compliance you wish to improve: network segmentation, application security, encryption and key management, or logging and monitoring each call for different hands-on experience. Firms with considerable information security experience might be more expensive, but you generally get what you pay for.
- Who will be carrying out the work?
It can be the case that you hold discussions with a particular QSA to ascertain their suitability for the work, only for a different QSA to carry out the assessment. Make sure the assessor you have been talking to is the same assessor who arrives on site, or that any substitute is named and agreed in advance.
Remove Your Compliance Concerns
A fully hosted solution like Agent Assist is designed to keep cardholder data out of your contact centre environment, which reduces the scope of PCI DSS 3.2 that applies to your agents, desktops and call recordings and can remove the need for a Qualified Security Assessor. To discuss your specific requirements, please give us a call or email [email protected] today.
This guide is the fifth chapter of our eBook ‘Starting Your PCI Compliance Journey‘.