Who needs a QSA-led assessment?
There are a number of circumstances under which your organization may be required to undergo a formal assessment of its compliance with the Payment Card Industry Data Security Standard (PCI DSS). The definition of who must have a formal assessment performed is determined by card brand entities such as Visa and MasterCard, and by the ISOs, acquiring banks, and processors who service merchants. You might need a formal assessment if any of the following apply:
- You are a merchant doing a very large volume of transactions annually (more than six million) with MasterCard or Visa;
- You are a merchant doing a large volume of transactions annually (more than one million) with MasterCard and you do not have a PCI-trained internal assessor on staff;
- You are a merchant that has been breached in the past or otherwise deemed to represent exceptional risk; and/or
- You are a service provider to merchants that can impact the security of their payment transactions and you have access to a large volume of transactions annually.
The PCI DSS Assessment is a detailed review of an organization's card data environment using a standard methodology and reporting format that results in a Report on Compliance (RoC). This is often referred to as the "Level 1" method of compliance validation.
"We contacted ControlScan to perform a PCI Audit. Our QSA as well as the team was highly knowledgeable and helped us overcome many obstacles. We chose ControlScan because of their approach, professionalism, and really needed expertise that we could leverage. Throughout the process, we found a partner, not an auditing company." — VP IT/IS, RDI Corporation
PCI audits are conducted by Qualified Security Assessors (QSAs), individuals who work for QSA companies such as ControlScan and are certified on an annual basis to assess and validate compliance with the PCI DSS. The PCI Security Standards Council maintains an in-depth certification process for companies and their employees seeking QSA certification. You can obtain more information and see a list of qualified QSA companies at the PCI SSC website.
The ControlScan QSA assigned to your PCI QSA Assessment will work with you to ensure you fully understand the process and any aspects that are specific to your environment (such as how site sampling will be performed). They will perform an in-depth review of each of the DSS requirements (more than 200 of them) through interviews with personnel, configuration and documentation reviews, and other forms of evidence gathering to demonstrate compliance with the DSS requirements. The resulting Report on Compliance serves as your proof of PCI compliance validation.
QSA SAQ assistance.
Most merchants and many service providers do not fall into the categories discussed above and do not have to undergo a formal assessment; rather, they can self-assess by filling out the appropriate Self-Assessment Questionnaire (SAQ). If you qualify to fill out an SAQ but have a complex card data environment, consider engaging a ControlScan QSA to assist with your self-assessment.
The ControlScan QSA will act as an advisor, ensuring that you are approaching the definition of your card data environment correctly, helping you ensure you have all the proper evidence in order, and clarifying any questions or issues that may arise during your project.
The benefits of engaging a QSA in assessing your environment are far reaching, and include the opportunity to bring hundreds of hours of best practice experience and observations into your own PCI compliance efforts.