QSA stands for Qualified Security Assessor; QSAs are certified by the PCI Security Standards Council. A QSA's job is to provide guidance on, and validation against, the PCI DSS. QSAs are distinctive in that they have been certified for their knowledge of, and ability to advise on, the PCI DSS specifically. There are roughly 800 QSA individuals in North America, and their function is to assist merchants and service providers in becoming PCI compliant and in validating that compliance.

How do you become a QSA?

To be certified by the PCI Council, you need a CISSP certification and/or 5 years of experience in information security, must complete the official QSA training, and must pass a certification exam. QSAs must also be employed by a QSA company authorized by the PCI Council, maintain their skills with a minimum of 40 hours per year of continuing education, and receive positive feedback from clients and the card brands.

What a QSA isn’t… A QSA is not law enforcement, nor is a QSA looking to report someone for non-compliance. Your QSA is there to support your efforts to become compliant, help protect your sensitive data, educate you on best practices and changes in the standard, and provide an understanding of the intent of the standard. That’s why it is very important to be open and honest with your QSA; they’re the ones who can help! If you have questions regarding PCI compliance or would like to consult with a QSA, give us a call here at HALOCK Security Labs.

PCI DSS Requirements

PCI DSS Requirement 5.4.1: Anti-spoofing controls such as DMARC (Domain-based Message Authentication, Reporting and Conformance), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) can help stop phishers from spoofing the entity’s domain and impersonating personnel.
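As an added example (not HALOCK's or the PCI SSC's code), the following parses SPF and DMARC TXT records and flags the settings an assessor would question when reviewing 5.4.1, such as a soft-fail SPF or a monitor-only DMARC policy. It runs on constructed record strings so it works offline; in a real review the records would be fetched from DNS, and DKIM is left out because checking it requires knowing the sending selectors.

```python
import re

def parse_spf(txt: str) -> dict:
    """Return whether the record is SPF and which 'all' qualifier it ends with ('-', '~', '?', '+')."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False}
    all_qual = None
    for term in terms[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            all_qual = m.group(1) or "+"  # bare 'all' means '+all' (pass everything)
    return {"valid": True, "all": all_qual}

def parse_dmarc(txt: str) -> dict:
    """Parse 'tag=value;' pairs; 'p' is the policy receivers apply to unauthenticated mail."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def assess(spf_txt: str, dmarc_txt: str) -> list:
    """Findings a reviewer would raise; an empty list means an enforcing anti-spoofing posture."""
    findings = []
    spf = parse_spf(spf_txt)
    if not spf["valid"]:
        findings.append("SPF: no v=spf1 record")
    elif spf["all"] != "-":
        findings.append(f"SPF: 'all' qualifier is {spf['all']!r}, not '-all' (soft/neutral does not reject)")
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: no v=DMARC1 record")
    elif dmarc.get("p", "").lower() == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif dmarc.get("p", "").lower() not in ("quarantine", "reject"):
        findings.append("DMARC: missing or unknown p= policy")
    if dmarc.get("v", "").upper() == "DMARC1" and "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so aggregate reports are not collected")
    return findings

# Constructed sample records (not real DNS data); example.com/.net are documentation domains
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
```

Call `assess(WEAK_SPF, WEAK_DMARC)` and `assess(STRONG_SPF, STRONG_DMARC)` to see the difference between a monitor-only and an enforcing configuration.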
