We all know that achieving PCI compliance can lower a company's risk of a security breach. There are seemingly endless requirements to follow in order to be considered compliant by the PCI Security Standards Council. With so many requirements, how can companies, especially larger ones, be sure that they are in line with all of them? The answer is to work with a qualified security assessor to determine compliance.
What (or rather who) is a QSA?
A qualified security assessor, or QSA for short, is an individual who helps companies identify gaps in their cybersecurity and their cyber security awareness training. These individuals are employed by Qualified Security Assessor (QSA) companies, which are independent security organizations that have been qualified by the PCI Security Standards Council to validate an entity's adherence to the Payment Card Industry Data Security Standard (PCI DSS). QSA employees have satisfied, and continue to satisfy, all QSA requirements.
A QSA company forms just like any other. It must first be a legal entity, meaning it has the legal capacity to enter into agreements or contracts, assume obligations, incur and pay debts, sue and be sued in its own right, and be held responsible for its actions. From there it must provide the Payment Card Industry Security Standards Council (PCI SSC) with a copy of its business license or equivalent, including the year of incorporation and the location(s) of its offices. In addition, it must submit written statements describing any past or present allegations or convictions of fraudulent or criminal activity involving the QSA (and QSA principals), along with their status and resolution. Once a QSA company proves to the PCI SSC that it can remain independent and ethical and that it is insured (a more elaborate explanation of the QSA validation requirements can be found here), it must meet certain requirements for its employees. QSA companies are often differentiated from QSA individuals by the acronym QSAC.
QSA Employee Requirements
QSA employees are heavily scrutinized by the PCI SSC in order to be ready to conduct efficient security assessments. The QSA employee(s) performing or managing PCI DSS Assessments must:
- Be knowledgeable about and have experience in terms of conducting security assessments.
- Possess one or more industry-recognized security certifications or have sufficient work experience.
- Have knowledge about the PCI DSS and be familiar with the PCI DSS Security Audit Procedures.
- Attend annual training provided by PCI SSC and pass all of the exams associated with the training. If an employee fails any of the exams, they must wait to take part in any PCI SSC assessment, managing or otherwise, until all exams are passed.
- Be employees of the QSA (meaning this work cannot be subcontracted to non-employees) unless PCI SSC has given prior written consent for each subcontracted worker.
How to become a QSA
Those who become certified to act as a qualified security assessor are usually already involved in the industry, such as IT security workers and audit professionals at security companies. In fact, the PCI SSC lists the following as prerequisites for entering its training program:
A candidate should possess at least one of the following industry-recognized professional certifications:
- Certified Information System Security Professional (CISSP)
- Certified Information Security Manager (CISM)
- Certified Information Systems Auditor (CISA)
- Certified ISO 27001, Lead Auditor, Internal Auditor
- International Register of Certified Auditors (IRCA)
- Information Security Management System (ISMS) Auditor
- Certified Internal Auditor (CIA)
A candidate should possess a minimum of one year of experience in each of the following information security disciplines:
- Application security
- Information systems security
- Network security
- IT security auditing
- Information security risk assessment or risk management
The training program consists of a five-hour online course covering PCI fundamentals, followed by an exam. Upon passing this exam, a candidate must then pass a two-day instructor-led course that also concludes with an exam. These trainings cover the following content:
- PCI DSS testing procedures. These are the procedures that all QSAs are required to follow when conducting a security audit. The incredibly in-depth procedure list is composed of fourteen sections, each with its own subsections.
- Payment brand specific requirements. Each of the five major payment brands (Discover, Mastercard, JCB International, American Express, Visa) has its own PCI compliance program. A QSA must be familiar with each one.
- PCI validation requirements. Each of the four merchant levels has specific compliance validation requirements, and each of those requirements again differs by payment brand.
- PCI reporting requirements. Just like the previous two points, reporting requirements are determined by the merchant level and the specific payment brand. QSAs are trained on how to complete a Report on Compliance (ROC), which is required as an annual on-site assessment for all level 1 merchants.
- Real world case studies. QSAs will be trained to handle real situations that they may encounter in the field.
When the training has concluded, QSAs are expected to know how to define the processes involved in card processing, understand the PCI DSS requirements and testing procedures and how they apply to merchant environments, conduct PCI DSS assessments, validate compliance, and generate Reports on Compliance (ROCs). From there a QSA is qualified by the PCI SSC to perform complex security assessments and advise organizations on how to achieve PCI compliance. In order to retain the QSA designation, all PCI QSAs must re-qualify annually through online training and exams. You can also verify a QSA employee here.
Choosing the right QSA
The first step is to choose a QSA company that is going to fit the needs of your company. Since companies can vary in several different ways, including merchant level, it is important to select a QSA company that has experience assessing security needs similar to yours. It can also be worthwhile in the long run to choose a QSAC that has experience with the consultation and implementation side of a compliance audit. A list of QSA companies can be found here.
When choosing a company it is beneficial to know how they have handled their assessments of other companies in the past. If they have failed at any point to follow PCI DSS reporting procedures, it's possible that they have been put into remediation. A record of companies currently in remediation can be found on the PCI SSC website. Since the website only lists those currently in remediation, it is also wise to outright ask a company whether they have ever been in remediation, and what they did to correct their inconsistencies.
Lastly, how does their resume look in terms of those they have provided security audits for? Have those companies actually improved their security as a result of those assessments? These QSACs want your business, so there is no doubt that they will be willing to provide specific examples of companies that they have helped improve. If there aren't specific examples, it could be that they are only interested in going through the motions of an assessment and not really looking to fully offer their expertise.
Security assessment expectations
Before bringing in a QSA to assess the security threats and potential non-compliance areas of a company, it should first perform a risk assessment. As part of a risk assessment the organization should determine the risk levels of each of its assets, such as hardware, software, and sensitive information.
Once the risk assessment is complete a company can take a closer look at its security policies and procedures. These make up a significant amount of the PCI DSS requirements. Leaders within the organization should examine their own procedures side by side with these requirements and make any changes needed to strengthen their security programs. In addition to this, any compliance gaps should be addressed before an assessment takes place.
Let's talk about what happens when a QSA makes an appearance and conducts an assessment for your company. Specifically, let's look at the assessment of a level 1 merchant that results in a ROC. Most likely this process will begin with a get-to-know-you session. This allows each side to express their visions, goals, and expectations, and lets the QSA get to know the needs of the company.
Next comes the Report on Compliance (ROC). This is guided by the QSA and tests the standards that are in place to protect credit card information. It also tests payment applications, data flow, the network in place for the CDE (cardholder data environment), and IT policies and procedures. Once the ROC is completed, it undergoes a quality assurance process and can then be returned to the company under review. From there the ROC can be forwarded to the organization's acquiring bank. An Attestation of Compliance (AOC) is also produced and signed by both the QSA conducting the audit and the client being audited.
If the result of this report is negative, possible fines can be on the way for a non-compliant company. The good news is that because of the report a non-compliant company should be aware of its gaps and be able to take the necessary steps to fix them. For those companies that are revealed to be compliant based on the PCI DSS, they can work with the QSA to make sure that they remain compliant. Once again, a good QSA will work with a client to make plans and set goals to maintain and improve security policies and procedures.
Get the most from your PCI QSA
Several years ago a group of security experts were asked about creating great relationships between companies and their QSAs. Even though these suggestions are a few years old, they still ring true and are good suggestions to live by.
The first suggestion is that a QSA company must be chosen wisely. The most common mistake made by companies is to overlook the consequence of having a good assessment. They make the completion of the assessment the priority instead of the quality of it. The result is that the company hires an assessor that isn’t as well versed in the issues unique to their environment. It is worth the time to properly examine a QSAC and what their history is like.
Secondly, it is suggested that a company lay the groundwork before the QSA arrives. That means doing everything within its power to identify weaknesses within its own systems by completing a self-assessment of risk. It is in the company's best interest to be completely honest with itself about the gaps in its security. If a QSA has a head start on where to look for those gaps, they are in a better position to help the company fix those issues, even if they result in compliance violations. It is much better to identify those breaks in security yourself than to have them revealed by a hacker.
The third point is for a company to involve all of the necessary employees in the assessment process. Another common miscalculation by managers is to limit how many employees interact with a QSA, perhaps thinking that certain employees lack the whole picture of the organization. Whatever the reason, it is always best that the QSA can study every aspect of the operation.
Finally, it is important for companies hiring a QSAC not to treat them like an enemy. If a company does everything in its power to prepare for a QSA visit, there is no reason to see the QSA as anything other than an ally. It is when managers put pressure on the QSA and themselves that mistakes are made and gaps are missed. It is in a company's best interest to treat the QSA as a member of its team and give them everything they need to perform a quality assessment.
Is a QSA necessary?
The answer is a resounding yes. These are highly skilled, highly qualified individuals who are going to help your company achieve and retain PCI compliance. Even for companies whose merchant level only requires them to fill out a self-assessment questionnaire, a QSA can add credibility to those reports. The right QSA should be able to provide you with expert guidance and advice throughout your PCI implementation process. They know the PCI DSS and how it applies specifically to your business. Your QSA will also help you understand your technical environment and the specific challenges that you face. A good QSA won't simply run through and check off all of the necessary boxes, but will be there to work with your team to implement any security changes that need to occur.