QSA
A Qualified Security Assessor (QSA) is an individual certified by PCI SSC to perform on-site PCI DSS assessments and validate compliance for Level 1 merchants.
QSAs are certified professionals authorized to assess organizations against PCI DSS requirements.
QSA requirements:
- Employed by a QSA Company (QSAC)
- Passed the QSA exam
- Annual requalification training
- Adherence to quality standards

QSA responsibilities:
- Conduct on-site assessments
- Review documentation and evidence
- Interview personnel
- Validate control effectiveness
- Issue the Report on Compliance (ROC)

When a QSA is required:
- Level 1 merchants (6M+ transactions)
- Service providers processing/storing cardholder data
- Any organization that has experienced a breach

ISA vs QSA:
- ISA (Internal Security Assessor) can assess internally
- QSA provides independent third-party validation
Why It Matters
For Level 1 merchants processing 6 million+ card transactions annually, a QSA assessment is mandatory—self-assessment is not an option. Choosing the right QSA significantly impacts your PCI compliance journey; experienced QSAs provide practical remediation guidance and help organizations avoid costly overengineering of controls while ensuring genuine security improvements.
Related Terms
PCI DSS is a set of security standards for organizations that process, store, or transmit credit card information to maintain a secure environment.
Evidence collection is the process of gathering documentation and artifacts that demonstrate security controls are designed properly and operating effectively.
Frequently Asked Questions
Do I need a QSA?
Level 1 merchants (6M+ transactions annually) typically require QSA assessment. Smaller merchants may use SAQ self-assessment.
How do I find a QSA?
PCI SSC maintains a list of approved QSAC companies at their website. Choose based on industry experience and reputation.