Qualified Security Assessor (QSA)

Premiercallcentre.co.uk is a professional call centre operation that can help trained assessors, students training as a Qualified Security Assessor (QSA), or any business that requires more information on Qualified Security Assessors (QSAs). Our staff, who are based at our UK site, are on hand to answer your call and help you. We have a proven track record in delivering a whole range of business handling.

The Payment Card Industry (PCI) Qualified Security Assessor (QSA) designation is conferred by the PCI Security Standards Council to those individuals that meet specific information security education requirements, have taken the appropriate training from the PCI Security Standards Council, are employees of an Approved PCI Security and Auditing Firm, and will be performing PCI compliance assessments as they relate to the protection of credit card data.

The term QSA may also be used to identify an individual qualified to perform PCI compliance auditing and consulting.

The primary goal of an individual with the PCI QSA certification is to perform an assessment of a firm that handles credit card data against the high-level control objectives of the PCI Data Security Standard (PCI DSS). There are different levels of auditing and reporting requirements, but the twelve high-level control objectives, and corresponding sub-requirements, of the PCI Data Security Standard are required to be met either directly or through a compensating control. Requirement 3.2 prohibits the storage of track data and does not allow for compensating controls. Compensating controls are not always allowed and must be approved on a case-by-case basis.

What is a QSA?

The QSA is the professional who goes in to help other businesses become compliant. QSA companies are basically just security companies that are incorporated and certified so that they can be the jack of all trades. These are not official people associated with the credit card companies. These are not official government or credit card company auditors. These are just private business people.

You can take the list of requirements to be a QSA shop, set up an LLC, get your people and have them trained, and then you are a QSA.

The QSA goes in, tells you what you need to be compliant, then goes in annually to do your audit, and also pushes all their software so you can stay compliant.

If the QSA is going to be that important, it should be directly associated with the banks or credit card companies, and not just some Joe Smith who makes a company, meets the requirements and then pushes people into spending hundreds of thousands of dollars because the council only lets them certify.

QSA really is a certification obtained by experienced security consultants to enable them to conduct the On-Site Data Security Assessment for PCI DSS Compliance. QSAs are required to recertify every year by attending training by PCI and passing the exam. A recertifying QSA must obtain additional CPEs from training and other experiences in order to obtain certification. Some QSAs also maintain other certifications. There are over 100 QSA companies, and individual QSAs must work for a company that maintains the PCI certification. In choosing a QSA, merchants will want a firm that has similar processes / infrastructure to theirs.

What types of services do QSAs provide merchants?

  • On-Site Data Security Assessments (PCI "Audits")
  • Gap Analysis, Remediation Services
  • General PCI consulting and advice

Depending on the size of the company and number of distinct credit card processes, most engagements will last somewhere between 2 and 6 months.

Are merchants required to work with a QSA to become PCI Compliant?

No. Level 2-4 Merchants and Level-3 Service Providers use the PCI Self-Assessment Questionnaire to self-certify. Level-1 Merchants and Level 1-2 Service Providers will require a QSA to conduct their annual On-Site Data Security Assessment. There is one caveat: an internal audit group can do the On-Site Assessment, but the results must be signed off by an Officer of the company.

What are the pros and cons of 'doing it yourself' versus hiring a QSA?

QSA:

  • Pros: Third-party validation, which proves 'due diligence'.
  • Cons: Costs money. But that is not to say more money: companies may end up spending more money doing it themselves when the cost of internal resources and the diversion from other profit-generating projects are included.

DIY:

  • Pros: May be more economical.
  • Cons: It is difficult to get up to speed on all the PCI DSS requirements. Merchants may miss key areas or controls.

How much does it cost to hire a QSA and is it economical for all businesses?

It depends on how mature the compliance program is at the particular business. The cost to make an application PCI compliant averages about $100k.

If you would like to work as a Qualified Security Assessor (QSA), or if you have more questions, call premiercallcentre.co.uk, the UK's leader in Call Centres, for more information.

Through a pre-set list of questions, we will be able to establish your needs and the nature of your call in more detail and handle it in line with your requirements. Call us today.
 
