What is a Qualified Security Assessor?
A Qualified Security Assessor (QSA) is an individual certified by the Payment Card Industry Security Standards Council (PCI SSC) to conduct on-site PCI DSS compliance assessments. QSAs work for approved QSA companies and are authorised to validate whether an organisation meets all PCI DSS requirements.
What a QSA Does
A QSA conducts formal assessments of an organisation's security controls, policies, and processes against the requirements of PCI DSS. This involves reviewing documentation, interviewing staff, inspecting systems, and testing technical controls to determine whether the organisation is meeting the standard.
At the end of the assessment, the QSA produces either a Report on Compliance (ROC) confirming that the organisation meets all applicable requirements, or a list of findings that must be remediated before compliance can be achieved.
When You Need a QSA
Not every business needs a QSA assessment. The requirement depends on your merchant level:
- Level 1 merchants (over 6 million transactions per year) must have an annual on-site assessment conducted by a QSA
- Level 2-4 merchants can typically self-assess using the appropriate SAQ, though their acquiring bank may require a QSA assessment in certain circumstances
- Service providers processing or storing card data on behalf of other businesses are also required to undergo QSA assessments at higher transaction volumes
Even when a QSA is not strictly required, some organisations choose to engage one voluntarily for the added assurance and credibility that an independent assessment provides.
How QSAs Are Certified
To become a QSA, an individual must:
- Be employed by a company approved as a QSA organisation by the PCI SSC
- Complete PCI SSC training and pass the QSA qualification exam
- Have relevant experience in information security
- Requalify annually through continuing education and re-examination
The PCI SSC maintains a public directory of approved QSA companies on its website, which organisations can use to find a qualified assessor.
QSA vs ISA
An Internal Security Assessor (ISA) is an employee of the organisation being assessed who has completed PCI SSC training. ISAs can conduct internal assessments for their own organisation but cannot produce a ROC. For Level 1 merchants and service providers, only an external QSA can produce the formal Report on Compliance.
Paytia undergoes annual PCI DSS Level 1 assessment by a Qualified Security Assessor. This is the most rigorous level of evaluation, confirming that Paytia's platform meets every requirement of the standard.
For Paytia's clients, this means the payment infrastructure they rely on has been independently verified by a certified assessor. By processing payments through Paytia, businesses can reduce their own PCI DSS scope and may be able to complete a simpler SAQ rather than requiring their own QSA assessment.
Frequently Asked Questions
How much does a QSA assessment cost?
Costs vary widely depending on the size and complexity of the environment being assessed. A straightforward assessment for a smaller organisation might cost £10,000 to £30,000, while a large enterprise with multiple locations and complex systems could pay significantly more. The cost includes the assessor's time, travel, and report preparation.
Can I choose any QSA company?
You can choose any QSA company that is listed in the PCI SSC's directory of approved assessors. It is worth selecting one with experience in your industry and payment channels, as this will make the assessment process smoother and more relevant to your environment.
What is the difference between a QSA and a PCI scan?
A QSA conducts a comprehensive assessment of your entire security posture against all PCI DSS requirements. A PCI scan, performed by an Approved Scanning Vendor (ASV), is a specific technical test that checks your external-facing systems for vulnerabilities. Most organisations need both: the scan is one component of the broader compliance assessment.