Any organization in the digital payment industry will have heard of or dealt with a professional QSA. A QSA (Qualified Security Assessor) is an assessor qualified by the PCI Security Standards Council to validate Merchants and Service Providers against the PCI DSS standard and verify whether or not they are compliant.
Under the requirements of PCI DSS compliance, organizations that handle payment card data will need to engage a QSA for the compliance assessment and audit. Organizations in this industry are expected to secure sensitive cardholder data as part of their business responsibility, and QSAs are professionals trained to assist businesses in this area. This article explains the role of a QSA in detail. To begin with, let us understand who a QSA is and what their roles and responsibilities are in PCI DSS.
Who is a QSA?
Qualified Security Assessors (QSAs) are independent assessors, together with the security organizations that employ them, qualified by the PCI Security Standards Council to validate a Merchant's or Service Provider's adherence to the PCI DSS standard and their level of compliance.
These independent assessors and organizations must satisfy all QSA requirements to remain valid QSAs each year. The PCI Security Standards Council runs and maintains an in-depth program for security companies seeking to be certified as Qualified Security Assessors, and to be re-certified as QSAs each year.
Certification and re-certification ensure that only those individuals and organizations that have successfully met all PCI Security Standards Council requirements are qualified as QSAs. The certification gives them the authority to perform PCI DSS assessments for Merchants and Service Providers. The Council also maintains a list of qualified QSAs on its website and updates the list frequently.
How is an AQSA different from a QSA?
As mentioned earlier, a Qualified Security Assessor (QSA) is an experienced professional qualified to assess PCI DSS compliance for Merchants and Service Providers. An Associate Qualified Security Assessor (AQSA), on the other hand, is an individual qualified to assist a QSA in the PCI compliance audit process. To address the growing resource crunch felt by QSAs, the PCI Council introduced the Associate QSA (AQSA) certification program.
The program aims to train new cybersecurity talent to assist QSAs in the audit process. Individuals are trained to support a QSA and gain experience under them, so that they can eventually become QSAs themselves. On successful completion of the training program and examination, trainees are equipped to assist a QSA in conducting PCI DSS assessments and preparing the appropriate compliance reports under the guidance and oversight of a qualified QSA.
Role and Responsibilities of a QSA in PCI Compliance
Organizations that are required to comply with the PCI DSS standard must undergo an annual audit and complete a Report on Compliance (ROC) to achieve PCI DSS compliance. This audit and report generation must be performed by an approved PCI QSA in accordance with PCI Security Standards Council requirements.
The ROC must be accompanied by an Attestation of Compliance (AOC), also duly signed by the QSA, which summarizes whether the assessed Service Providers and Merchants are PCI compliant and lists any related findings identified during the assessment. A ROC, which applies to Level 1 Merchants and to Level 2 Merchants and Service Providers, must be duly completed by a QSA after an audit and subsequently submitted to the Merchant's acquirer and the payment brands. Organizations that instead complete a Self-Assessment Questionnaire (SAQ) are recommended to consult a QSA, since a QSA lends greater credibility to the completed SAQ.
Performing a PCI DSS assessment in accordance with the standard is not limited to validating and confirming the Cardholder Data Environment (CDE) scope as defined by the assessed organization; it involves a lot more than that. To give a better perspective of a QSA's roles and responsibilities, here is a list that clarifies their duties:
Validating the scope of the Cardholder Data Environment (CDE) as determined by the assessed organization.
Conducting an on-site assessment, examining the in-scope CDE.
Assessing with a sampling approach (as permitted by the PCI DSS audit standard), selecting employees, facilities, systems, and system components that accurately represent the in-scope assessed environment.
Evaluating all compensating controls as applicable.
Providing an opinion on whether the assessed organization is compliant and meets the PCI DSS requirements.
Drafting and generating a ROC based on the assessment findings.
Based on the assessment and validation of the findings, providing an AOC on the assessed organization's PCI DSS compliance status.
Maintaining the documents, paperwork, and recordings of interviews collected during the PCI DSS assessment as evidence and using them to validate the findings.
Applying and maintaining independent judgment in all PCI DSS assessment decisions.