QSA in PCI DSS Compliance & Audit

Published on: 26 Jun 2021


An organization in the digital payment industry will almost certainly have heard of or dealt with a professional QSA. A QSA is a Qualified Security Assessor, qualified by the PCI Security Standards Council to validate Merchants and Service Providers against the PCI DSS standard and verify whether or not they are compliant.

Under the PCI DSS compliance requirements, organizations that handle payment card data must engage a QSA for their compliance assessment and audit. Organizations in this industry are expected to secure sensitive cardholder data as part of their business responsibility, and QSAs are professionals trained to assist businesses in this area. This article explains the role of a QSA in detail. To begin with, let us first understand who a QSA is and what their roles and responsibilities are in PCI DSS.

Who is a QSA?

Qualified Security Assessors (QSAs) are independent assessors, together with the security organizations they work for, qualified by the PCI Security Standards Council to validate a Merchant's or Service Provider's adherence to the PCI DSS standard and their level of compliance.

These independent assessors and organizations are required to satisfy all QSA requirements every year in order to remain valid QSAs. The PCI Security Standards Council conducts and maintains an in-depth program for security companies seeking to be certified as Qualified Security Assessors, and to be re-certified as QSAs each year.

Certification and re-certification mean that only those individuals and organizations that have successfully met all PCI Security Standards Council requirements are qualified as QSAs. The certification gives them the authority to perform PCI DSS assessments for Merchants and Service Providers. The Council also maintains a list of qualified QSAs on its website and updates the list frequently.

How is an AQSA different from QSA?

As mentioned earlier, a Qualified Security Assessor (QSA) is an experienced professional qualified to assess PCI DSS compliance for Merchants and Service Providers. An Associate Qualified Security Assessor, on the other hand, is an individual qualified to assist the QSA in the PCI compliance audit process. To address the growing resource crunch felt by QSAs, the PCI Council introduced the Associate QSA (AQSA) certification program.

The program aims to train new cybersecurity talent to assist QSAs in the audit process. The individuals are trained to support a QSA and gain experience under them, so that they can eventually become a QSA themselves. On successful completion of the training program and examination, trainees are equipped to assist the QSA in conducting PCI DSS assessments and preparing the appropriate compliance reports, under the guidance and oversight of a qualified QSA.

Role and Responsibilities of a QSA in PCI Compliance

Organizations that must comply with the PCI DSS standard are required to undergo an annual audit and complete a Report on Compliance (ROC) to achieve PCI DSS compliance. This audit and report must be performed by an approved PCI QSA in accordance with the PCI Security Standards Council requirements.

The ROC must be accompanied by an Attestation of Compliance (AOC), also duly signed by the QSA, which summarizes whether the assessed Service Providers and Merchants are PCI compliant or not, along with any related findings identified during the assessment. For Level 1 Merchants and Level 2 Merchants and Service Providers, the ROC must be duly completed by a QSA after an audit and subsequently submitted to the Merchant's acquirer and the payment brands. Organizations that instead complete a Self-Assessment Questionnaire (SAQ) are recommended to consult a QSA, because a QSA brings greater credibility to the completed SAQ.

That said, selecting the best QSA in the industry is crucial. Only an experienced and knowledgeable QSA can effectively assess the security of the cardholder data environment and assist the organization in identifying gaps and addressing them. An experienced professional can review the security of the organization's digital payment transaction systems, relevant personnel, and processes in order to validate compliance with PCI DSS.

Performing a PCI DSS assessment in accordance with the standard is not limited to validating and confirming the Cardholder Data Environment (CDE) scope as defined by the assessed organization; it involves a lot more than that. To give a better perspective on a QSA's roles and responsibilities, here is a list that clarifies their duties:

  • Validating the scope of the Cardholder Data Environment (CDE) as determined by the assessed organization.
  • Conducting an on-site assessment, examining the in-scope CDE.
  • Assessing with a sampling approach (as permitted by the PCI DSS standard), selecting employees, facilities, systems, and system components that accurately represent the in-scope assessed environment.
  • Evaluating all compensating controls, as applicable.
  • Providing an opinion on whether or not the assessed organization is compliant and meets the PCI DSS requirements.
  • Drafting and producing a ROC based on the assessment findings.
  • Providing an AOC attesting to the assessed organization's PCI DSS compliance status, based on the assessment and validation of the findings.
  • Maintaining the documents, paperwork, and records of interviews collected during the PCI DSS assessment as evidence, and using them to validate the findings.
  • Applying and maintaining independent judgment in all PCI DSS assessment decisions.
  • Conducting follow-up assessments as and when needed.
  • Supporting the QA reviews that PCI SSC periodically performs on a QSA's ROCs, which ensure that the documentation of the testing procedures performed is sufficient to support the results of the PCI DSS assessment.

How should you select a QSA for your organization's PCI DSS Audit?

As mentioned earlier, selecting the right QSA is critical to the success of your compliance effort. Hiring an experienced and knowledgeable QSA will go a long way in helping you identify and address security issues. When it comes to implementing the PCI standard, simply identifying risks is not enough.

A good QSA will provide recommendations to fix the issues and help you translate those recommendations into a strong security implementation that meets the organization's specific goals and budget. Giving the organization detailed insight into the compliance requirements, the potential threats, and the impact they may have on the organization is essential. So, here is what we suggest organizations look for in a QSA company before hiring one.

Experience matters

Industry and audit experience really matter. Select a QSA who has the knowledge and experience to ensure that your organization not only achieves compliance but also maintains it year on year. Their experience will also matter when you plan to build security measures that stand as a strong defense against evolving threats.

Skills and Subject Knowledge

The QSA you plan to hire must have all the skills and knowledge required to perform an effective assessment, identify threats, and provide the recommendations needed to address them. Although a Qualified Security Assessor has been certified by the PCI Security Standards Council, it is important that you evaluate them on their skills, work process, and approach.

The QSA should be capable of understanding your organization's technical environment and suggesting specific recommendations to help your organization meet its challenges. They should also have a very clear understanding of the requirements, so they can help your organization meet them and translate the security measures in a way that resolves any uncertainties. Evaluating a QSA on these parameters will ensure you are in the right hands and that the compliance journey will be easy.

Knowledge of the PCI Standards

A QSA should have good knowledge of the compliance standard and an understanding of the challenges organizations face when implementing its requirements. Knowledge and understanding of the PCI standard facilitate a smooth transition to and implementation of the security measures.

This in turn helps in achieving PCI DSS compliance. A good QSA should work in partnership with you to help you understand what is required and how it can be achieved, while also assisting you in implementing the measures. They must also be capable of helping you maintain compliance year on year.

Support and Guidance

The QSA you hire should work as an extension of your team and guide you in the right direction. QSAs that follow a tick-box approach to compliance may end up making the compliance process far more complex for your organization and may also put you at risk of compliance violations. Having the support of the right QSA is essential, as it contributes significantly to a hassle-free audit and compliance process.

Besides this, the QSA you hire should be available to provide expert guidance and advice throughout the PCI implementation process. Only with the right support and guidance can an organization sail through the compliance process.

Vendor-neutral QSA

This is an important factor to consider when collaborating with a QSA company. Ensure the QSA you hire is not tied to any particular software solution and works only with you to help you make the best decisions for your business requirements and budget.

More often than not, QSA companies have tie-ups with hardware or software solution providers and push recommendations to purchase those solutions for your business. A QSA should instead be neutral and provide only those recommendations that actually benefit your organization and ensure a successful compliance journey.

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.