Who are the QSA employees? and what are their role in PCI assessment

QSA (Qualified Security Assessor) employees are individuals who have been qualified by the PCI Security Standards Council (PCI SSC), are employed by a QSA Company, and perform PCI DSS assessments of organisations that store, process or transmit payment card data.
Once you understand the requirements you have to comply with, you have to determine the scope of the environment that must meet the PCI DSS requirements. The scope comprises the people, processes and technology that store, process or transmit cardholder data, together with the system components that are connected to that environment or that could affect its security. Scoping is done by the organisation itself or with the help of a QSA. Once the scope has been established and the Cardholder Data Environment (CDE) is identified, the gap analysis should start.

The gap analysis consists of reviewing each PCI DSS requirement and checking which requirements are in place and which are not. Usually a gap analysis report is produced and used as the basis for the remediation plan, in which every gap and vulnerability found by the gap analysis is remediated.
Once the organisation has confirmed that all of the gaps are remediated and that it meets all of the PCI DSS requirements, the QSA will schedule a date for the assessment with the organisation.
In the assessment phase the QSA verifies that all of the relevant documentation, systems, processes and so on are in place and that all of the PCI DSS requirements are met. The QSA also collects evidence as part of the audit, as required by the PCI Security Standards Council.
If the assessment is successful and the organisation meets all of the relevant requirements, the QSA completes the reporting based on the audit and the evidence collected, namely the Report on Compliance (ROC) and the Attestation of Compliance (AOC), and thereby certifies the organisation as PCI DSS compliant.
It is very important to remember that a PCI assessment is a point-in-time snapshot: the QSA who assesses and certifies the organisation is relying on the security status observed on the date of the assessment. It is up to the organisation to maintain PCI DSS compliance throughout the year and to make sure all of the requirements continue to be met.
