I recently interviewed Brian Serra from Accuvant about Qualified Security Assessors (QSAs). Brian is a CISSP, QSA and ISO 27001 Lead Auditor. Accuvant is a security consulting firm that helps companies address complex information security challenges. The firm's focus is on four primary areas: Assessment, Compliance, Wireless and Security Technologies.
1. What is a QSA? QSA stands for Qualified Security Assessor. It is a certification obtained by experienced security consultants to enable them to conduct the On-Site Data Security Assessment for PCI DSS Compliance. QSAs are required to recertify every year by attending training by PCI and passing the exam. A recertifying QSA must obtain additional CPEs from training and other experiences in order to obtain certification. Some QSAs also maintain other certifications. For example, all of Accuvant's QSAs are also ISO 27001 Lead Auditors. I myself am certified as a CHSP (HIPAA). There are over 100 QSA companies, and individual QSAs must work for a company that maintains the PCI certification. In choosing a QSA, merchants will want to choose a firm that has similar processes/infrastructure to theirs.
2. What types of services do QSAs provide merchants? On-Site Data Security Assessments (PCI "Audits"), Gap Analysis, Remediation Services, General PCI consulting and advice. Depending on the size of the company and the number of distinct credit card processes, most engagements will last somewhere between 2 and 6 months.
3. Are merchants required to work with a QSA to become PCI Compliant? No, Level 2-4 Merchants and Level-3 Service Providers use the PCI Self-Assessment Questionnaire to self-certify. Level-1 Merchants and Level 1-2 Service Providers will require a QSA to conduct their annual On-Site Data Security Assessment. There is one caveat: an internal audit group can do the On-Site Assessment, but the results must be signed off by an Officer of the company.
4. What are the pros and cons of 'doing it yourself' versus hiring a QSA?
QSA - Pros: Third-party validation which proves 'due diligence'. Cons: Costs money. But that is not to say more money; companies may end up spending more money doing it themselves when including the cost of internal resources and diversion from other profit-generating projects.
DIY - Pros: May be more economical. Cons: Difficult to get up to speed on all the PCI DSS requirements; merchants may miss key areas or controls.
5. How much does it cost to hire a QSA and is it economical for all businesses? It depends on how mature the compliance program is at the particular business. The cost to make an application PCI compliant averages about $100k.