Who are the QSA employees? and what are their role in PCI assessment


QSA employees are qualified individuals employed by QSA Companies who perform assessments relating to the protection of credit card data.

Once you understand the requirements you have to comply with, you will have to determine the scope of your environment that must comply with the PCI DSS requirements. The scope is comprised of the people, processes, and technology that store, process or transmit credit card details. Scoping is done by the organisation itself or with the help of a QSA. Once the scope has been established and the Cardholder Data Environment (CDE) is identified, the gap analysis should start.

The gap analysis consists of reviewing each PCI DSS requirement and checking which requirements are in place and which are not. Usually a gap analysis report is produced and used as the basis for the remediation plan, in which all of the gaps and vulnerabilities identified by the gap analysis are remediated.

Once the company has confirmed that all of the gaps are remediated and the organisation is meeting all of the PCI DSS requirements, the QSA will schedule a date for the assessment with the organisation.

In the assessment phase the QSA will verify that all of the relevant documentation, systems, processes etc. are in place and that all of the PCI DSS requirements are met. The QSA will also collect evidence as part of the audit (which is required by the PCI DSS Council).

If the assessment is successful and the organisation is meeting all the relevant requirements, the QSA will complete the reporting required, based on the audit and the evidence collected, and will eventually certify the organisation to the PCI DSS.

It is very important to remember that a PCI assessment is a snapshot in time: the QSA who assesses and certifies the organisation is relying on its specific security status on the date of the assessment. It is up to the organisation to maintain PCI DSS compliance throughout the year and make sure all of the requirements continue to be met.
