Qualified Security Assessors (QSA's) for PCI DSS Compliance

Posted on Wednesday, January 30, 2008

I recently interviewed Brian Serra from Accuvant about Qualified Security Assessors (QSAs). Brian is a CISSP, QSA and ISO 27001 Lead Auditor. Accuvant is a security consulting firm that helps companies address complex information security challenges. The firm focuses on four primary areas: Assessment, Compliance, Wireless and Security Technologies.

1. What is a QSA?
QSA stands for Qualified Security Assessor. It is a certification obtained by experienced security consultants to enable them to conduct the On-Site Data Security Assessment for PCI DSS Compliance. QSAs are required to recertify every year by attending training by PCI and passing the exam. A recertifying QSA must obtain additional CPEs from training and other experiences in order to obtain certification. Some QSAs also maintain other certifications. For example, all of Accuvant's QSAs are also ISO 27001 Lead Auditors. I myself am certified as a CHSP (HIPAA). There are over 100 QSA companies, and individual QSAs must work for a company that maintains the PCI certification. In choosing a QSA, merchants will want to choose a firm that has similar processes/infrastructure to theirs.

2. What types of services do QSAs provide merchants?
On-Site Data Security Assessments (PCI "Audits"), Gap Analysis, Remediation Services, General PCI consulting and advice. Depending on the size of the company and number of distinct credit card processes, most engagements will last somewhere between 2 and 6 months.

3. Are merchants required to work with a QSA to become PCI Compliant?
No. Level 2-4 Merchants and Level-3 Service Providers use the PCI Self-Assessment Questionnaire to self-certify. Level-1 Merchants and Level 1-2 Service Providers will require a QSA to conduct their annual On-Site Data Security Assessment. There is one caveat: an internal audit group can do the On-Site Assessment, but the results must be signed off by an Officer of the company.

4. What are the pros and cons of 'doing it yourself' versus hiring a QSA?
QSA
Pros: Third-party validation which proves 'due diligence'.
Cons: Costs money. But that is not to say more money. Companies may end up spending more money doing it themselves when including the cost of internal resources and diversion from other profit generating projects.
DIY
Pros: May be more economical.
Cons: Difficult to get up to speed on all the PCI DSS requirements. Merchants may miss key areas or controls.

5. How much does it cost to hire a QSA and is it economical for all businesses?
It depends on how mature the compliance program is at the particular business. The cost to make an application PCI compliant averages about $100k.


Comments

Mark Scott said on Wednesday, March 05, 2008:

I am curious. There is much talk about the QSA and the required audit which must be validated by a QSA. Along with that there is much talk about the DIY approach to becoming prepared for the audit. Much like ISO, I see a market for professionals that can go in and help a merchant become compliant and be ready for the QSA auditor and subsequent compliance. Is there a market emerging for this kind of skill set?

Ronald said on Thursday, March 20, 2008:

Mark:

The QSA person is that professional that goes in to help them be compliant. QSA companies are basically just security companies that are being incorporated and certified so that they can be the jack of all trades. These are not official people associated with the credit card companies. These are not official government or credit card company auditors. These are just private business people.

You can take the list of requirements to be a QSA shop, set up an LLC, get your people and have them trained and then tahdah! You are a QSA.

The QSA goes in, tells you what you need to be compliant, then goes in annually and does your audit and then also pushes all their software so you can keep compliant.

Personally I think QSA, if it is going to be that important, should be directly associated with the banks or credit card companies and not just some Joe Schmo who makes a company, meets the requirements and then pushes people into spending 100s of thousands of dollars because the council only lets them certify.

Rick said on Friday, June 27, 2008:

I am doing research for my IT security company that is looking into becoming a QSA. A huge roadblock that I am running into is seeing how much these QSA companies are charging for their services. I am trying to put together a business plan showing costs and revenue that can be generated.

I know you mentioned above that the avg. is 100K, but do you have any other figures than that? Have you come across any other sites that have done any research?

Bryan Johnson said on Monday, June 30, 2008:

@ Rick - sorry. I do not as this is not part of our core business.

Anonymous said on Tuesday, July 08, 2008:

First of all, I agree a QSA can help you get PCI-DSS compliant.

BUT........
I think the QSA program is a sham created by the PCI council because there is no certification for individuals and the cost for a company to be a QSA is huge; only big/rich companies can afford it. Do I smell "you scratch my back and I will scratch yours"?

If PCI is serious about getting security as a core operating aspect for merchants they should make the QSA program available to the masses so the good security professionals (individuals) can get certified (or qualified) and PCI security audit becomes more competitive.

1. Cost is not a justification of quality
2. Companies spending money to train one or two individuals to become QSA doesn't mean the entire company is qualified
3. What if the QSA leaves the company to join another one? Would the individual's qualification make the other company automatically a QSA?

PCI, get serious about your QSA program... merchants are going through a huge cost burden to get PCI compliant and by your stupid QSA program you are making them pay through the nose.

Mahesh said on Sunday, August 17, 2008:

Hi,

I was just curious about the kind of questions that are asked in the QSA exam?
I have 6 yrs of work ex in Information Security and am a CISA professional. I am planning to appear for the QSA exam to start on my own.

Cheers,

Nalin Wijetilleke said on Sunday, March 07, 2010:

Please provide me the details of qualifying as a QSA from PCI Council.
Thanx
Nalin


This work is licensed under a Creative Commons License.