Using a QSA for PCI compliance can help your organization ensure that it is protecting its customers' payment card information and minimize the risk of a data breach.
A Qualified Security Assessor (QSA) is a third-party individual or organization that has been certified by the Payment Card Industry Security Standards Council to perform assessments and audits of an organization's compliance following the Payment Card Industry Data Security Standards (PCI DSS).
Learn more about why you should use a QSA and read several business case examples of the benefits of trusting your PCI compliance assessment and audits to an experienced QSA assessor.
Why Should You Use a QSA for PCI Compliance?
There are several compelling reasons why you should enlist a qualified security assessor for PCI compliance:
- Expertise and experience: QSAs understand the nuances of PCI DSS compliance and possess comprehensive knowledge of industry regulations, standards, and best practices. They are trained and certified to conduct accurate PCI DSS assessments.
- Independent assessment: QSAs provide an impartial and independent evaluation of an organization's compliance with PCI DSS. An unbiased assessment is important to ensure an organization's compliance is accurately evaluated.
- Compliance assurance: By enlisting the services of a QSA, organizations can feel confident that they are meeting PCI DSS regulations.
- Risk management: A QSA can help organizations identify and mitigate the potential risks that come with managing payment card information. This includes identifying vulnerabilities and guiding organizations on best practices for implementing risk mitigation tactics.
A Common QSA Myth Dispelled
A common joke in the PCI industry is to get in a room with 10 QSAs and you are likely to get 10 different opinions. While not completely accurate, it does ring true in certain situations, particularly with the interpretation of requirements in the standard where the PCI working groups have only provided vague descriptions of how a requirement may be applicable.
For example, internal vulnerability scanning has been around since PCI 1.0; however, not many QSAs were enforcing “Authenticated Scanning.”
Why?
Because the standard never explicitly required it. This discrepancy was somewhat resolved in the PCI-DSS 4.0; however, is not actually enforced until after April 1, 2025!
These differences in opinions; along with anecdotal stories of companies finding out they were breached a day after receiving their AoC from a QSA have tainted the perceived value of QSAs and in some instances the PCI-DSS standard itself.
I would argue these perceptions are somewhat unfair, and like everything else in IT or Cybersecurity, highlight the weaknesses of the human element. QSAs are only able to assess and comment on what they observe, what they are told, and what they are given by their client.
A Business Case For Using a QSA
Recent forensic investigations performed by our PFI team have highlighted critical failures made by smaller companies. In 3 out of 4 investigations over the last 6 months, incident response clients completed an SAQ-A, based on their belief that PAN data was not stored. While they were not storing the data, data was still being processed and transmitted through their systems. This misunderstanding resulted in their organizations failing to implement critical controls prescribed by the more rigorous SAQ-D. These organizations should have completed an SAQ-D because they were supporting multiple channels and in one case storing full cardholder data and Sensitive Authentication Data (SAD), post-authorization.
It should be noted that completing an SAQ-D does not prevent data breaches; however, had the organizations sought out the opinion of a QSA, they would have learned they needed to implement additional controls to meet compliance OR migrate to an architecture that removed the organization's interaction with cardholder data. Examples of these architectures include E-commerce I-Frames or P2PE solutions. Instead, these organizations were temporarily shut down as they were unable to process payments until the investigation was concluded. One organization never fully recovered and no longer exists.
Given the rising cost of cybersecurity professionals, QSA’s may seem prohibitively expensive. But, when faced with the prospect of a data breach, being shut down, fined for losses, or lawsuits, one could argue time spent with a QSA is relatively cheap.
Intersec offers consulting packages that provide smaller clients a sanity check that they have completed the SAQ properly and assistance with their overall security posture as an organization. The packages can be tailored to the needs of an organization’s size and budget.
How to Select the Right QSA
It is important to carefully consider several factors when selecting a Qualified Security Assessor (QSA) for your organization's PCI DSS assessment. Here are some factors to consider when selecting a QSA:
- Certification: Ensure the QSA you select is certified by the Payment Card Industry Security Standards Council. You can verify the QSA's certification status on the PCI SSC's website.
- Technical expertise: Look for a QSA with technical expertise in the areas relevant to your organization's payment card processing environment.
- Experience: When selecting a QSA, be sure to choose one who has prior experience working with organizations that are similar to yours in terms of size, industry, and complexity.
- Availability: Confirm the QSA has the capacity to perform the assessment within the timeframe you require.
Considering these factors will enable you to find a QSA that is suited to your organization's unique needs and ensure they provide an accurate and thorough assessment of your PCI DSS compliance.
Why Choose Intersec Worldwide QSA Services?
Intersec Worldwide’s PCI compliance services can help you meet PCI DSS standards and protect customers from a PCI breach. All too often, companies offering cybersecurity services will identify potential threats but are unable to implement the necessary solutions you require.
With any consulting, assessment, and advisory business the level of service and expertise your organization receives will be down to the people the firm hires. In addition to well-rounded cybersecurity experience, Intersec Worldwide focuses on hiring individuals with 10-15 years of IT experience and deep operations backgrounds. These individuals bring practical solutions and reasonability to the interpretation of cybersecurity frameworks and standards such as PCI-DSS. This is a big difference between firms and individuals from a pure audit background. Organizations specializing in audit tend to show up with a request list, a specific checklist, and a black-and-white interpretation of the intent of a given requirement. These individuals lack the fundamental understanding of how a given technology or platform works and attempt to interpret a control to fit a narrative that is not always practical. This is often referred to as a “Check the Box'' compliance and has plagued the PCI-DSS standard from the beginning.
At Intersec Worldwide, we are one of the few PCI compliance consulting firms that are also highly experienced in digital forensics, incident response, and customized remediation services. As a PCI QSA company, Intersec Worldwide has been qualified by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS. Contact our team directly to learn more or inquire how we can help your organization with QSA services.
