Becoming a Qualified Security Assessor, commonly referred to as a QSA, is a relatively grueling process that is in line with the important role that a QSA plays. In this article, we'll answer what a QSA is, how you can gain QSA designation, and why using a QSA to audit your cybersecurity is something you should already be doing. This information should provide insight into the role that QSAs play in cyber-security, and allow you to assess whether outsourcing your cyber-security to a QSA designated firm is a good choice given your security needs.
What (or who) is a QSA?
A QSA is an individual who is highly trained and certified in cyber-security. An individual cannot become a QSA on their own. Rather, a qualified professional must work for an organization that has received QSA designation. The Payment Card Industry Security Standards Council (PCI-SSC) awards the QSA designation to companies that have completed the process we'll go over in the following sections. In addition to completing the initial process to gain designation, QSAs must continually demonstrate their adherence to the standards and practices put forth by the PCI-SSC.
In addition to the company as a whole gaining QSA designation, each individual employee who wishes to serve as a QSA must complete initial training and subsequent reevaluations, which we'll go over in greater detail in the next section.
A QSA serves as an outside expert who is hired to comprehensively assess your cyber-security. QSA employees perform an important role in securing your customers' personally identifiable information (PII). QSA employees have a deep understanding of payment card processing standards and the security best practices put forth in the PCI Data Security Standard (PCI DSS). A QSA assessment tracks how your customers' payment card information is routed through your organization, where it is stored, what information is stored, how that information can be accessed, and who can access it.
As we will see, an important aspect of the work a QSA performs is the ability of the assessor to make targeted security recommendations that will help your company attain PCI DSS compliance and maintain it over time.
What is PCI DSS?
Because a QSA employee is responsible for assessing an organization's compliance with PCI DSS, it is worth spending a bit of time gaining a greater understanding of what PCI DSS is. This helps provide insight into the scope of the work that QSA employees perform and why it is difficult to gain the QSA designation. To attain PCI DSS compliance, businesses must adhere to all PCI DSS requirements. The primary goal of PCI DSS is to secure cardholder data, including how it is processed, transmitted, and stored.
The PCI DSS has six goals, each with multiple requirements that companies must meet.
Build and Maintain a Secure Network and Systems
In order to meet this goal, a company must install a firewall to serve as a bulwark against penetration attacks from the outside. Additionally, the company must change the passwords from the supplied defaults on systems and equipment. This includes not disclosing internal network IP addresses, which can aid outside attackers in gaining access. It also includes securing hardware that is used to access your system remotely, such as mobile devices or computers used by employees working remotely. This is especially critical given the recent rise in popularity of the Bring Your Own Device (BYOD) movement, where an increasing number of employees are working remotely on their own laptops, phones, or tablets, which may not be properly secured against threats.
Protect Cardholder Data
This goal requires that a company take adequate steps to secure the cardholder data that is stored in its systems. Not all cardholder data should be stored. It may be necessary to store some sensitive data, but information like the card identification number (CID) or PIN should never be stored. Additionally, companies need to ensure that cardholder data is encrypted whenever it is transmitted across open networks.
Companies must also apply industry-recognized configurations that protect against vulnerabilities for known threats. These configurations must apply to all hardware and systems throughout the company. Common system-hardening standards are outlined by the Center for Internet Security (CIS), the National Institute of Standards and Technology (NIST), the SysAdmin Audit Network Security (SANS) Institute, and the International Organization for Standardization (ISO).
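As an added illustration of the stored-data rule in the Protect Cardholder Data goal (example code written for this article, not PCI SSC or any vendor's tooling): a small data-at-rest audit that scans exported records for sensitive authentication data (CID/CVV, PIN) and for full PANs kept unmasked, using a Luhn check so that other long numbers such as order ids are not flagged. The field names and the sample records are constructed assumptions; adapt them to your own schema.

```python
import re

# Field names treated as sensitive authentication data (assumed naming; adapt to your schema).
FORBIDDEN_FIELDS = {"cid", "cvv", "cvv2", "cvc", "pin", "pin_block", "track_data"}
# A 13-19 digit run not adjacent to other digits, checked after spaces/dashes are stripped.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real PANs from other long numbers such as order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid PANs found in a string; masked PANs (e.g. 411111******1111) never match."""
    compact = text.replace(" ", "").replace("-", "")
    return [m.group(0) for m in PAN_RE.finditer(compact) if luhn_ok(m.group(0))]


def audit_record(record: dict) -> list:
    """Return a list of findings for one stored record; an empty list means compliant."""
    findings = []
    for key, value in record.items():
        if value in (None, ""):
            continue            # an empty column is not stored data
        if key.lower() in FORBIDDEN_FIELDS:
            findings.append(f"{key}: sensitive authentication data must never be stored")
        elif isinstance(value, str):
            for pan in find_pans(value):
                findings.append(f"{key}: unmasked PAN ending {pan[-4:]} stored in the clear")
    return findings


# Constructed sample export: record 0 is compliant (masked PAN, empty CVV column and a
# 16-digit order id that fails Luhn); the other two violate the rule.
SAMPLE_RECORDS = [
    {"order_id": "1234567890123456", "pan": "411111******1111", "cvv": ""},
    {"order_id": "A-17", "pan": "4111 1111 1111 1111", "cid": "123"},
    {"note": "customer called about card 4111111111111111 exp 09/27"},
]

if __name__ == "__main__":
    for idx, rec in enumerate(SAMPLE_RECORDS):
        for finding in audit_record(rec):
            print(f"record {idx}: {finding}")
```

The free-text record shows why an audit cannot stop at column names: a PAN pasted into a notes field is still cardholder data in scope for the assessment.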
Maintain a Vulnerability Management Program
To maintain PCI DSS compliance, companies must protect their systems against areas of risk for cybercrime. This means protecting against malware such as Trojans, worms, and viruses, and using antivirus software that is kept up to date. Systems and networks must also be secured, and that security must be monitored and maintained. Additionally, information security employees must maintain knowledge of trends in malware development so that they can anticipate areas of risk and address potential vulnerabilities against evolving threats.
Implement Strong Access Control Measures
This goal requires businesses to take steps to restrict access to cardholder data. This includes both virtual and physical access, as each must be safeguarded appropriately in order to be in compliance with PCI DSS. Additionally, all access to system components must be identified and authenticated. Strong access control measures are a necessary step to avoid data breaches because many successful data thefts involve hackers or malware gaining access and then moving through systems laterally until they achieve access to sensitive information. Securing lateral access throughout your system, and verifying that those that have access to cardholder data do in fact need it, is a necessary step towards implementing a robust security presence.
Maintain an Information Security Policy
The last goal of PCI DSS is achieved by crafting and implementing a comprehensive information security policy. This policy should apply to all employees, regardless of the level of access that they have. External threats often enter systems through the actions of unwitting employees, whether by opening the wrong attachment or falling victim to social engineering attacks. A comprehensive information security policy can help minimize the risk of a data breach or a successful attack while also minimizing the damage caused if a data breach does occur.
Gaining QSA Designation
Qualified security assessors are in high demand, but how does a company earn its QSA designation? The first thing to understand is that there are two levels of QSA designation. First, only companies themselves can acquire a PCI QSA designation. A qualified employee of a QSA designated company can then go through the training in order to be qualified to conduct on-site security assessments on behalf of the QSA designated company. These employees are referred to as QSA employees. To sum this up, the company contracted to perform the assessment is a QSA, while the employee or employees actually performing the assessment are considered QSA employees. Attaining QSA qualification is therefore broadly a two-step process: first the company must attain the qualification, then an individual employee must achieve it.
Businesses
The application process for a company to attain QSA designation is extensive. QSA companies must obviously be recognized as a legal entity and must provide a copy of their business license when applying. Additionally, they must also be insured. Companies applying for QSA designation must also pay an application fee, subsequent annual renewal fees, as well as training fees for each employee seeking QSA designation. These qualifications are standard for a variety of companies operating in different industries, and ensure that the QSA designated company conducting a security assessment is doing so in a legal, legitimate manner.
In addition to the basic requirements, companies hoping for QSA designation must have experience aligned with the duties they will be performing as a qualified security assessor. These include demonstrated experience conducting security audits and related industry experience. In order to accurately assess whether a business meets the stringent requirements for QSA designation, companies applying for the designation must provide the PCI SSC documentation that demonstrates that they meet the minimum qualifications.
The PCI SSC requires that companies hoping to achieve QSA qualification provide documentation that shows:
- They have demonstrated experience performing auditing functions for at least one year (or 3 audits). The auditing experience needs to be security related, with a preference for auditing payment systems.
- The specific areas of information security in which the company has demonstrated experience. Applicants must list at least one area, but in practice most QSA companies have a wide range of experience with various aspects of information security, such as securing networks, databases, applications, or systems.
- Companies must provide documentation that supports the fact that they are a dedicated security practice. This includes how many employees a business uses to run security assessments, and what percentage of time those employees spend conducting security assessments.
- Companies must provide an outline of their core business offerings, such as precisely what security services they provide. This would include functions they routinely provide as part of their security offerings like compliance and advisory services, security management services, and identity and access services.
- Each security company typically caters to a specific industry or market, and this information must be provided to the PCI SSC when applying. For example, if a security company has primarily worked with small businesses in the financial sector, they would provide documentation to PCI SSC outlining this.
- Companies must provide a list of languages that they support.
- Companies must provide at least two recent references from businesses that they have performed security work for within the last year.
Individual Employees
Once a company has received its QSA designation, it is halfway to being able to perform QSA on-site assessments. The second step it must complete is the training and certification of the employees who will be conducting those assessments. Like the process that the business must follow for gaining QSA designation, individuals must also submit documentation to the PCI SSC demonstrating their relevant experience and qualifications prior to being accepted for training and certification.
Broadly speaking, an individual seeking QSA qualification must demonstrate significant experience in information security. QSA employees must possess one or more industry-recognized certifications proving that they understand and implement industry accepted best practices for information security. QSA employees must understand the requirements of PCI DSS and possess knowledge of the auditing procedures necessary to perform an on-site PCI DSS assessment.
Lastly, in order to qualify as a QSA employee, an individual must actually be employed by a company that possesses a QSA qualification. There are also certain situations where an approved subcontractor can perform on-site security assessments, but the use of such subcontractors must be approved by the PCI SSC.
Specifically, each QSA employee must provide documentation to the PCI SSC that demonstrates they meet or exceed the following qualifications:
- QSA employees must meet the minimum educational requirement of a Bachelor’s degree or equivalent professional security certification.
- QSA employees must demonstrate expertise in at least three areas of information security, with at least one year of experience in each of the three areas. These areas include Network Security, System Integration, Auditing, Application Security and Consultancy, and Special Skills.
- QSA employees must provide the PCI SSC documentation that shows their detailed work experience and that illustrates their areas of responsibility. They must also provide the PCI SSC documentation showing their work experience in the payment card industry, including their responsibilities for work performed in the industry.
- Potential QSA employees must provide the PCI SSC a complete resume.
- QSA employees must provide documentation proving they hold at least one of three industry-recognized certifications. These include: Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), or Certified Information Security Manager (CISM).
If an employee of a QSA designated company wishes to become a designated QSA employee but is lacking the required education, experience, or certifications, they can submit proof to the PCI SSC of at least five years of closely related information security experience or equivalent industry certifications.