A Qualified Security Assessor (QSA) is an individual who has been certified by the PCI Security Standards Council to audit merchants for Payment Card Industry Data Security Standard (PCI DSS) compliance.
QSAs are engaged as unbiased third parties in PCI compliance audits of Level 1 merchants (those who process over 6 million Visa transactions a year). At some stage in the audit procedure, the QSA completes a Report on Compliance (ROC) that confirms the merchant’s compliance with PCI DSS. The ROC is sent to the merchant’s acquiring bank, which then sends it to the appropriate credit card company for compliance verification.
The PCI Security Standards Council operates a thorough program for security companies looking to become Qualified Security Assessors (QSAs), with re-certification every year. The five founding members of the Council recognize the QSAs certified by the PCI Security Standards Council as being competent to assess compliance with the PCI DSS standard.
One may wonder: how do you become a QSA? To be certified by the PCI Council, you are required to have a CISSP certification and/or 5 years of experience in information security. Then you have to complete the official QSA training and pass the certification exam. QSAs must also be engaged by a QSA company that is endorsed by the PCI Council, maintain their skills with a minimum of 40 hours per year of ongoing education, and obtain positive feedback from clients and the card brands.
As well as knowing what a QSA is, one must bear in mind what a QSA isn’t. A QSA is not law enforcement, nor is a QSA looking to report somebody for non-compliance. Your QSA is there to help you in your efforts to become compliant, help guard your sensitive data, instruct you on best practices and changes in the standard, and provide an understanding of the intent of the standard. That’s why it is imperative to be honest and straightforward with your QSA: they’re the one who can help you.