As the use of credit cards becomes more ubiquitous, so too does the need for security standards to protect cardholder data. That has led to the rise of the Qualified Security Assessor (QSA).
What is a QSA? And who needs one? The title of QSA is an industry designation conferred by the Payment Card Industry (PCI) Security Standards Council to information security companies. Typically, businesses with more than one million credit card transactions per year should bring in a QSA to assess and validate the security of their credit card data through a PCI audit.
In many ways, a QSA is an investigator. Their job is to validate the security of a company’s credit card or cardholder environment. To do that, employees of a QSA certified company must participate in face-to-face training conducted by the PCI Security Council and pass an exam as well as background checks. These employees also often have professional credentials such as that of a Certified Information Systems Auditor or Certified Information Systems Security Professional. Employees must also participate in continuing professional education regarding PCI standards and pass an annual PCI standards exam in order for a company to maintain its QSA certification.
What that means for a business that has to bring in a QSA is that they can’t just check a box for yes or no. An assessor has to confirm that your business is in fact meeting each PCI standard. Andy Cottrell, CEO of IT security firm Truvantis, says his company’s work as a QSA vendor is all about verifying the security of a business’ credit card environment. And that means each standard has to be validated through multiple steps, including personnel interviews, log and record reviews, systems tests and live observations.
“There are more questions than there are standards,” says Cottrell, whose company conducts annual PCI audits for ZZ Servers. “I have to answer each of those questions individually to verify a single standard.”
A PCI audit is meant to be a point-in-time audit – a snap shot of a business’ PCI environment. An audit typically takes between one to three months. A QSA firm, such as Truvantis, starts the process with an orientation meeting prior to beginning the assessment to make sure the business being assessed understands the process, deadlines and requirements. Then an audit kick-off meeting will follow where assessors will start asking for specific information, such as diagrams and firewall configurations, so they can begin to understand the scope of the PCI environment.
From there the process gets more rigorous, with assessors digging down into every process and procedure tied to credit card data.
“We want to get to the point we know what it is they’re really doing,” Cottrell says, noting the process includes an on-site visit. “We need to look at stuff locked behind doors, access controls and view physical security measures such as cameras.”
ZZ Servers, a PCI Level 1 Service Provider, provides custom engineered solutions for businesses that need to comply with PCI, providing the highest levels of security, stability and reliability. ZZ Servers can help ensure your credit card environment is secure and they can help your business prove that it’s PCI compliant.
An important point, Cottrell notes, is that information gathered for an audit cannot roll forward year to year. A QSA has to do the entire assessment each time. “We have to test everything every year.”
And ZZ Servers can help your company be ready every single time.