PCI Qualified Security Assessors: A Buyer’s Guide

There are two kinds of PCI assessors: Qualified Security Assessors (QSAs) and Internal Security Assessors (ISAs).  This article will focus on the former. 

QSAs are certified by the PCI Security Standards Council (SSC) to perform PCI assessments for other companies through consulting. A QSA has not only the knowledge to perform PCI assessments, but also the ability to sign a Report on Compliance (ROC). 

When first starting your journey with PCI, it’s a good practice to engage with a QSA. Why? QSAs will help guide you through the process towards compliance and help you save time, money, and resources. 

Finding a QSA might seem like a daunting task in your PCI DSS compliance journey but this article will help remove the unknowns and guide you through the process. We will help you determine if you need a QSA, why you might want to get a QSA, and how to pick the QSA that’s best for your organization.

What is a PCI QSA?

QSAs are certified by the Council to perform and sign PCI assessments on behalf of another organization. QSA is a professional designation that holds such PCI professionals to a higher standard. Both ISAs and QSAs go through the same training process; however, unlike QSAs, ISAs can only act as assessors at the organization where they are employed, whereas QSAs have far broader privileges.

Before an individual can become a certified QSA, the company they work for must first be a Qualified Security Assessor Company (QSAC). This allows a company to certify and hire other QSAs to perform assessments. The purpose of QSACs is to ensure that the company is also qualified to perform security assessments. The QSA process is as follows:

  1. An Application Process
  2. QSA Training
  3. Enrollment Into the QSA Program

The key with both QSAs and the QSACs is checks and balances. QSAs are held to a higher standard by the PCI Security Standards Council. QSA reports are often reviewed by the PCI Security Standards Council to validate their assessment techniques. Additionally, all QSA reports are required to go through a quality assurance (QA) process within the QSAC to ensure assessment completion. The QA process must be completed by another separate and independent QSA.

It’s important to know that a QSA must be employed by a QSAC in order to perform assessments as a QSA. A report may not be valid unless both the QSA and the QSAC are listed on the PCI Security Standards Council website. If you do not see either one on the PCI SSC website, do not hire them to perform your assessment.

See A 20-Year PCI Pro’s Best Strategies for Rapid Compliance in 2022

Want to reduce PCI requirements and maintain compliance more efficiently? Download our free 5 Step plan to reduce scope for PCI in 2022 and get compliant fast.

PCI QSA vs ISA vs PCIP

Now that we know what a PCI QSA is, how do they differ from other PCI professionals like ISAs and PCIPs? 

As mentioned previously, PCI ISAs undergo the same training process as QSAs. The main difference is that a PCI ISA is only able to sign reports for the company by which they are employed. This means that an ISA cannot sign a ROC on behalf of your company. Your organization can hire and train an ISA through the PCI Council once your company applies to be an ISA Sponsor Company. If you are a Level 2 through Level 4 organization, you can use a PCI ISA to perform Self-Assessment Questionnaires (SAQs) and ROCs.

Both QSAs and ISAs are PCI Professionals (PCIPs). The PCIP certification is a personal certification, which means that the certification is tied directly to that individual and not through the company they are employed by. A PCIP will retain their certification if they change companies. QSA and ISA certifications are non-transferable. Once a QSA or ISA changes companies, they must recertify with the PCI Council with the new company before they can perform and sign assessments. 

Do not think of QSAs as the only type of PCI professional you can engage with your organization! QSAs, ISAs, and PCIPs can all advise you on your PCI DSS compliance journey, which may include the following:

  • Scoping your environment
  • Choosing an Approved Scanning Vendor (our list of top ASVs is a starting point)
  • Providing general assessment guidance
  • Helping you descope your environment
  • Helping you strengthen your PCI controls
  • Collecting and validating evidence
  • Helping you create a PCI program
  • And more

While ISAs and PCIPs cannot sign reports on behalf of your organization, they can be valuable sources of information for PCI operations. You can engage ISAs and PCIPs, but if you are a Level 1 merchant completing a ROC, your QSA will be the final authority. As such, if you aren’t filling out a SAQ and you are searching for guidance either before or after an assessment, it’s best to consult your QSA. Since the QSA will perform your assessment, they will guide you to the solution that they will deem acceptable. A solution proposed by an ISA or PCIP may not be fully accepted by the QSA when the assessment comes around.

Do You Need a QSA to Get PCI Certified?

We’ve talked about the various assessment levels in the last few sections and your organization’s level is key to answering this question. Your level designation is set by your acquirer. If you don’t currently know your processing level, reach out to your acquirer and they can tell you what you need for your assessments.

Level 1 merchants, or merchants who typically process 6M+ transactions per year, must be assessed by a Qualified Security Assessor to complete a ROC. Depending on the guidance from your acquirer, they may allow you to use an ISA for a Level 1 assessment, however, this isn’t common. So get that confirmation from your acquirer.

Levels 2 through 4 may use an ISA to perform either a SAQ or a ROC, but it is not necessarily required. SAQs are self-assessments, meaning that you can perform these assessments yourself. Again, check with your acquirer to ensure they are fine with you performing your own assessments, but also consider this: do you know whether you are looking for the right things?

We recommend avoiding “check the box” assessments as much as possible. They do more harm than good. It’s best to still have an ISA or PCIP help you with your SAQs. They are trained and certified in assessments and will ensure that your PCI assessment is completed properly.

To recap, a QSA can do almost anything and may be your best option, but not necessarily. Ask your acquirer to define what your reporting requirements are and follow them.

PCI QSAs for Your Assessment vs Consulting

PCI Qualified Security Assessors can be engaged by your organization either for the assessment alone, or for both the assessment and PCI consulting either before or after. This consulting can include the following items:

  • Pre-assessment gap analysis: A pre-assessment gap analysis involves identifying where you might be missing controls. This helps to ensure that you are on-track towards PCI compliance before your assessment begins.
  • Scoping: Scoping is an annual pre-assessment activity that is the responsibility of the entity being assessed, i.e., you. Scoping involves identifying all places where PCI cardholder data is stored, processed, or transmitted. A QSA can assist in the scoping activities and give you guidance on the validation efforts. Ultimately, the entity must confirm the scope before the assessment begins.
  • Validating segmentation controls: Segmentation is not itself a PCI DSS requirement; however, it can help you reduce your PCI environment. If you use segmentation to reduce your PCI scope, you must validate that the controls are functioning properly. If you don’t have segmentation in place and want to, a QSA can help you identify the path towards segmentation: what do you need to do, where can you segment, and so on.
  • Assisting in remediation pre/post-assessment: Any findings that arise during the assessment must be addressed before the next year. This includes any controls that failed during the assessment, as well as ones you need to fix before the assessment is completed in order to get a passing mark. The QSA can give you guidance on what you need to show in order to be compliant. It is rare for a QSA to provide step-by-step remediation instructions, but they should be able to tell you what the solution will ultimately need to fix in order to be compliant.
  • Maturing your internal PCI controls: PCI is meant to be a continuous process. Maturing your PCI controls not only ensures that PCI is continuous but also that the controls further protect your environment, ultimately reducing the PCI compliance load on your teams and organization overall. A QSA can help you review your current PCI controls and provide guidance on what you can do or implement to strengthen them.
  • And more

As briefly mentioned above, your QSA is going to be the best source of information and guidance if you have one. Since your QSA is performing your assessment they’re going to tell you what they want to see in your environment to be compliant. A separate QSA can be used to have an independent second opinion, however, come assessment time your assessment QSA will have the final say.

How Can QSAs Help?

You need to have an ongoing relationship with your QSA that goes beyond assessment time. Engage them whenever you have a change to your PCI environment, planned or otherwise. They are a valuable resource to ensure that the proposed project or changes will be PCI compliant. Their advice and guidance can save you precious time and money by doing things right the first time instead of fixing what’s missing after, or worse, during the assessment. 

A Qualified Security Assessor is able to provide guidance on any of the points in the lists we covered above. Most QSAs live and breathe PCI. Being a QSA and QSAC is an expensive endeavor for a company to pursue, so QSACs typically perform a lot of PCI assessments on organizations big and small, each with a unique PCI environment. If they are an experienced QSA, they’ve most likely seen the same challenge you’re facing in another organization. For this reason, their insight is very valuable.

The longer an assessment takes, the more it’s going to cost. Since QSAs perform assessments all year round, they have a process. QSAs are typically performing multiple assessments at the same time with other organizations. This benefits both the QSA and your organization: QSAs want to complete an assessment both as accurately as possible and as quickly as possible. Their expertise can often mean a faster turnaround for your assessment. If time is of the essence for becoming PCI compliant, search for an experienced QSA.

How Much do PCI QSAs Charge?

It must be said that the annual QSA and QSAC fees charged by the PCI Council are costly. Being both a QSA and a QSAC is an investment by the assessing company. Any PCI professional is a professional in a very small and specific compliance market. Add in the months of work involved in an assessment, and a QSA-led assessment is not the most affordable assessment you might have on an annual basis.

QSA Assessment Fees

While the cost might seem daunting, the benefits are immense. Not only do you get the compliance report you need to show your acquirer and customers, but you also gain assurance that your environment is secure. You’re shielding your organization from potential breaches, lawsuits, non-compliance fees, and the possibility of your card processing being revoked.

QSA-led assessment costs are heavily dependent on the size and complexity of your PCI environment. A QSA-led PCI assessment can run from $15,000 for a moderately sized environment to $50,000+ for larger environments.

These are typically for full ROC and SAQ-D assessments.

QSA Consulting Fees

On top of assessment fees, the consulting fees for a QSA will vary based on the type of work requested, the amount of effort required by the QSA, and the length of the work. Typically, QSAs will charge for consulting work either on a per-hour basis or a per-project basis. The specifics of the costs must be discussed with the QSA and QSA company before contracting the work to ensure that they align with your budget.

IMPORTANT: For more detailed price guidance for specific PCI services, you can download our free PCI DSS Compliance Costs report. In it, we provide examples with costing, from 10 real-world PCI consulting contracts, with different vendors, for various services such as scope reduction, gap assessment, and security awareness training.

For example, a retail company with around 2,000 employees and processing an average 4,000,000 card transactions per year, recently paid a PCI consulting firm around $50,000 for a scope reduction design project.

How do You Keep PCI QSA Costs Manageable?

The best way for you to keep QSA assessment costs low is to minimize or descope your environment as much as possible. If you don’t need to store cardholder data, don’t. Outsource your card processing, do not store cardholder data, and segment your PCI environment from the rest of your network.

This can help you move to another SAQ. For example, if you currently have an e-commerce website, storage of PCI data, and an onsite call center, you could remove that PCI storage and replace it with tokens, then outsource the call center; at that point you could potentially move to an SAQ-A. This will drastically reduce the cost of your assessment.

Your QSA can help you figure out a process to descope or restructure your PCI environment. They are your best and most reliable resource. Since they already know your environment from the assessment, they can be engaged faster and can make targeted recommendations.

PCI DSS compliance is definitely an investment, but the cost you pay is well worth avoiding a breach, lawsuits from a breach, reputational damage, and possibly losing your ability to process payments.

How to Choose the Right PCI QSA for Your Company

Finding the right QSA and QSAC is an important process. While every QSA and QSAC is qualified to perform PCI assessments for you, that doesn’t mean each one would be the best fit for you and your organization. The relationship between your organization and your QSA can be a valuable asset in your ongoing PCI journey. So how do you know if a QSA is a good fit and how do you find one?

Using the PCI Security Standards Council website you can search for active QSAs and QSACs.

Additionally, you can search on Google for companies that are in your area. Regardless of how you first find the QSA and QSAC, we recommend you:

  1. Have an interview with the QSAs at the QSAC and get a sense of their expertise. Inquire about some of the specific environments they’ve worked with and assessed. Describe to them your PCI goals and allow them to speak to their potential solutions to your PCI pain points.
  2. Ask them to describe their assessment processes, typical time frames, how you will interact with them, and more. This is also where you can ask them if they are open to providing general consulting to you. Their answers will differentiate them as being just an auditor or a potentially beneficial, ongoing relationship.
  3. If you have a specialized environment that needs special PCI certification, such as tokenization, application certifications, and/or point-to-point encryption, ensure that the QSAC has QSAs that are qualified to perform these assessments.

The right QSA and QSAC will speak directly to both your current PCI position and your future goals. They should be solely focused on using their expertise to help you secure your organization instead of just seeing dollar signs from the assessment costs. 

Ultimately, the most important thing in choosing a QSA and QSAC is your intuition. Based on your interview with them, did you get a good feeling about them? Are you confident in their expertise? Do you think their assessment workflow will go well with your organization’s processes? Did you enjoy talking with them in general? Do you see this being a beneficial relationship for them and your organization? Can you see yourself working with them for a few months every year? If the answer to all of these questions is “Yes,” then you’ve found the right QSA and QSAC.

Published by Noah Stahl PCI ISA
Noah Stahl is a PCI Internal Security Assessor and experienced consultant, having conducted PCI assessments for small businesses to Fortune 500 companies....
Copyright © 2022 Network Assured