Using a QSA for PCI compliance can help your organization ensure that it is protecting its customers' payment card information and minimize the risk of a data breach.
A Qualified Security Assessor (QSA) is a third-party individual or organization that has been certified by the Payment Card Industry Security Standards Council to perform assessments and audits of an organization's compliance following the Payment Card Industry Data Security Standards (PCI DSS).
Learn more about why you should use a QSA and read several business case examples of the benefits of trusting your PCI compliance assessment and audits to an experienced QSA assessor.
There are several compelling reasons why you should enlist a qualified security assessor for PCI compliance:
A common joke in the PCI industry is to get in a room with 10 QSAs and you are likely to get 10 different opinions. While not completely accurate, it does ring true in certain situations, particularly with the interpretation of requirements in the standard where the PCI working groups have only provided vague descriptions of how a requirement may be applicable.
For example, internal vulnerability scanning has been around since PCI 1.0; however, not many QSAs were enforcing “Authenticated Scanning.”
Why?
Because the standard never explicitly required it. This discrepancy was somewhat resolved in PCI-DSS 4.0; however, it is not actually enforced until after April 1, 2025.
These differences in opinion, along with anecdotal stories of companies finding out they were breached a day after receiving their AoC from a QSA, have tainted the perceived value of QSAs and, in some instances, the PCI-DSS standard itself.
I would argue these perceptions are somewhat unfair, and like everything else in IT or Cybersecurity, highlight the weaknesses of the human element. QSAs are only able to assess and comment on what they observe, what they are told, and what they are given by their client.
Recent forensic investigations performed by our PFI team have highlighted critical failures made by smaller companies. In 3 out of 4 investigations over the last 6 months, incident response clients completed an SAQ-A, based on their belief that PAN data was not stored. While they were not storing the data, data was still being processed and transmitted through their systems. This misunderstanding resulted in their organizations failing to implement critical controls prescribed by the more rigorous SAQ-D. These organizations should have completed an SAQ-D because they were supporting multiple channels and in one case storing full cardholder data and Sensitive Authentication Data (SAD), post-authorization.
It should be noted that completing an SAQ-D does not prevent data breaches; however, had the organizations sought out the opinion of a QSA, they would have learned they needed either to implement additional controls to meet compliance or to migrate to an architecture that removed the organization's interaction with cardholder data. Examples of these architectures include e-commerce iFrames or P2PE solutions. Instead, these organizations were temporarily shut down, as they were unable to process payments until the investigation was concluded. One organization never fully recovered and no longer exists.
Intersec offers consulting packages that provide smaller clients a sanity check that they have completed the SAQ properly and assistance with their overall security posture as an organization. The packages can be tailored to the needs of an organization’s size and budget.
It is important to carefully consider several factors when selecting a Qualified Security Assessor (QSA) for your organization's PCI DSS assessment. Here are some factors to consider when selecting a QSA:
Considering these factors will enable you to find a QSA that is suited to your organization's unique needs and ensure they provide an accurate and thorough assessment of your PCI DSS compliance.
Intersec Worldwide’s PCI compliance services can help you meet PCI DSS standards and protect customers from a PCI breach. All too often, companies offering cybersecurity services will identify potential threats but are unable to implement the necessary solutions you require.
With any consulting, assessment, and advisory business, the level of service and expertise your organization receives comes down to the people the firm hires. In addition to well-rounded cybersecurity experience, Intersec Worldwide focuses on hiring individuals with 10-15 years of IT experience and deep operations backgrounds. These individuals bring practical solutions and reasonability to the interpretation of cybersecurity frameworks and standards such as PCI-DSS. This is a big difference from firms and individuals with a pure audit background. Organizations specializing in audit tend to show up with a request list, a specific checklist, and a black-and-white interpretation of the intent of a given requirement. These individuals lack a fundamental understanding of how a given technology or platform works and attempt to interpret a control to fit a narrative that is not always practical. This is often referred to as “Check the Box” compliance and has plagued the PCI-DSS standard from the beginning.
At Intersec Worldwide, we are one of the few PCI compliance consulting firms that are also highly experienced in digital forensics, incident response, and customized remediation services. As a PCI QSA company, Intersec Worldwide has been qualified by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS. Contact our team directly to learn more or inquire how we can help your organization with QSA services.