What is a Qualified Security Assessor?

A Qualified Security Assessor (QSA) is an individual certified by the Payment Card Industry Security Standards Council (PCI SSC) to conduct on-site PCI DSS compliance assessments. QSAs work for approved QSA companies and are authorised to validate whether an organisation meets all PCI DSS requirements.

What a Qualified Security Assessor Does

A Qualified Security Assessor (QSA) is an individual who has been certified by the PCI Security Standards Council (PCI SSC) to assess an organisation's compliance with the PCI DSS. QSAs are the independent auditors of the payment card security world -- they examine your systems, test your controls, review your policies, and ultimately determine whether you meet the standard.

QSAs do not work independently. They are employed by QSA Companies (QSACs) -- firms that have been approved by the PCI SSC to conduct PCI DSS assessments. Both the individual assessor and their employer must meet specific qualification and quality requirements set by the Council.

How QSAs Become Qualified

Becoming a QSA is not simply a matter of passing an exam. The PCI SSC sets rigorous requirements for both the individual and their organisation.

  • Professional experience: QSA candidates must demonstrate significant experience in information security, typically through a combination of professional qualifications (such as CISA, CISSP, or ISO 27001 Lead Auditor) and hands-on security assessment experience.
  • PCI SSC training: Candidates must complete the PCI SSC's official QSA training programme, which covers the PCI DSS requirements in detail, assessment methodology, evidence gathering, and reporting.
  • Annual requalification: QSAs must requalify every year by attending refresher training and passing the updated exam. This ensures they stay current as the standard evolves.
  • Company requirements: The QSA Company itself must carry professional liability insurance, maintain quality assurance processes, and undergo its own annual revalidation by the PCI SSC.

When You Need a QSA

Not every organisation that processes card payments needs to hire a QSA. Whether you need one depends on your merchant level and the requirements of your acquiring bank.

Level 1 merchants -- those processing more than six million card transactions per year -- are required to undergo an annual on-site assessment conducted by a QSA. The QSA produces a Report on Compliance (RoC) and an Attestation of Compliance (AoC) that formally document the assessment findings.

Level 1 service providers -- companies that store, process, or transmit cardholder data on behalf of merchants -- also require a QSA assessment.

Smaller merchants (Levels 2, 3, and 4) can typically validate compliance through a Self-Assessment Questionnaire (SAQ) without a QSA. However, some acquiring banks require Level 2 merchants to use a QSA, and any organisation can voluntarily engage a QSA if they want an independent, expert assessment of their security posture.

What a QSA Assessment Involves

A QSA assessment is a thorough examination of your cardholder data environment and the controls protecting it. The process typically includes the following.

Scoping

The QSA works with the organisation to define the scope of the assessment -- identifying every system, network segment, process, and person that touches cardholder data. Getting the scope right is critical: too narrow and you risk missing something; too broad and you waste time and money assessing systems that do not need it.

Documentation Review

The QSA reviews security policies, procedures, network diagrams, data flow diagrams, system configurations, and access control lists. This paperwork forms the foundation of the assessment and demonstrates that the organisation has formally documented its security controls.

Technical Testing

The QSA tests controls directly -- checking firewall configurations, examining encryption implementations, verifying that default passwords have been changed, testing access controls, and reviewing log files. This is where theory meets reality: the QSA is looking for evidence that controls are not just documented but actually working in practice.

Staff Interviews

The QSA interviews staff at various levels to verify that security awareness training has been conducted, that people understand their responsibilities, and that procedures are followed in day-to-day operations. A policy that nobody knows about or follows is not an effective control.

Reporting

After completing the assessment, the QSA produces the Report on Compliance (RoC) -- a detailed document that covers every PCI DSS requirement, whether the organisation meets it, and the evidence supporting that conclusion. The RoC is accompanied by the Attestation of Compliance (AoC), which is the summary document shared with acquiring banks and card brands.

Choosing a QSA

If your organisation needs a QSA, choosing the right one matters. Here are some practical considerations.

  • Industry experience: Some QSA firms specialise in specific industries -- retail, hospitality, healthcare, or contact centres. A QSA who understands your industry will be more efficient and provide more relevant guidance.
  • Telephony expertise: For organisations that take payments over the phone, it is important to choose a QSA who understands telephony environments, DTMF masking, call recording, and the specific compliance challenges these create. Not all QSAs have this expertise.
  • Communication style: The best QSAs explain requirements in plain English and help you understand not just what you need to do but why. A QSA who buries everything in jargon is not adding value.
  • Remediation support: Some QSA firms offer advisory services to help you close gaps before the formal assessment. This can save time and money, but make sure the advisory and assessment functions are kept separate to maintain independence.

QSAs and Telephone Payment Environments

Telephone payment environments present unique challenges for QSA assessments. The scope typically includes telephony infrastructure, call recording systems, agent desktops, network segments, and sometimes even home-working environments for remote agents.

Organisations that use DTMF masking to keep card data out of their telephony environment can significantly simplify the QSA assessment. Because the card data never enters the merchant's systems, the QSA can confirm a much narrower scope -- often limited to the relationship with the PCI DSS Level 1 certified payment provider rather than the entire contact centre infrastructure.

This is one of the most practical benefits of descoping: not only does it reduce the number of security controls you need to implement, it also reduces the cost, duration, and complexity of the QSA assessment itself.

How Paytia Uses This

Paytia undergoes annual PCI DSS Level 1 assessment by a Qualified Security Assessor. This is the most rigorous level of evaluation, confirming that Paytia's platform meets every requirement of the standard.

For Paytia's clients, this means the payment infrastructure they rely on has been independently verified by a certified assessor. By processing payments through Paytia, businesses can reduce their own PCI DSS scope and may be able to complete a simpler SAQ rather than requiring their own QSA assessment.

Frequently Asked Questions

How much does a QSA assessment cost?

Costs vary widely depending on the size and complexity of the environment being assessed. A straightforward assessment for a smaller organisation might cost £10,000 to £30,000, while a large enterprise with multiple locations and complex systems could pay significantly more. The cost includes the assessor's time, travel, and report preparation.

Can I choose any QSA company?

You can choose any QSA company that is listed in the PCI SSC's directory of approved assessors. It is worth selecting one with experience in your industry and payment channels, as this will make the assessment process smoother and more relevant to your environment.

What is the difference between a QSA and a PCI scan?

A QSA conducts a comprehensive assessment of your entire security posture against all PCI DSS requirements. A PCI scan, performed by an Approved Scanning Vendor (ASV), is a specific technical test that checks your external-facing systems for vulnerabilities. Most organisations need both -- the scan is one component of the broader compliance assessment.
