The Role – and Importance – of a PCI QSA

Before deciding on a PCI QSA, it’s essential to understand what a PCI QSA does and why they are important to your organisation.

Compliance with Payment Card Industry Data Security Standards (PCI DSS) is mandatory for all organisations that accept payment cards (credit and debit cards) as a form of payment – whether online or via a Point of Sale (PoS) system.

Over the last few years, the number of cyber attacks on Australian businesses has grown at an alarming rate. In its most recent cyber threat report, the Australian Signals Directorate (ASD) highlighted that there were 94,000 reported cyber attacks on Australian organisations in the 2022-2023 financial year, up from 76,000 in 2021-2022, 67,500 in 2020-2021 and 59,806 in 2019-20. This upward trend highlights the importance of mitigating risk through maintaining a robust security posture. If, like most organisations, you handle payment card data, ensuring and maintaining PCI Compliance is critical to organisations’ defence against cyber crime. PCI compliance will also help to maintain customer and stakeholder trust amid increasing public awareness of cyber threats.

Are QSAs the same as a cyber security professional?

While PCI QSAs are cyber security professionals, the service they offer is not an all-encompassing cyber security service. While PCI DSS is an essential aspect of cyber security for organisations that handle payment card data, it is not the only security consideration these organisations need to address.

In addition to being a PCI QSA service provider, Stratica offers a comprehensive cybersecurity solution.

What to Look for When Selecting a PCI QSA

Here is a guide on the considerations you should make before selecting a PCI QSA to help you make an informed decision.

 The role of a QSA in your organisation

When searching for a PCI QSA, the first thing you need to do is gain an understanding of their role in your organisation.

Ultimately, a QSA’s role is to help your organisation achieve and maintain PCI compliance. There are two distinct aspects of a QSA’s services:

  • Assessments: Conducting a comprehensive audit of your organisation’s environment to ensure PCI compliance in all the relevant areas.
  • Consulting: Acting as an advisor to your organisation on security and PCI compliance matters. This should include keeping your organisation abreast of changes in the threat landscape and the security implications of any changes to your organisation’s environment.

 Qualifications

At a minimum, your PCI QSA and their organisation should have and maintain official certification from the PCI Security Standards Council (PCI SSC). To achieve and maintain PCI SSC, QSAs must undertake an extensive series of training and testing modules that, when completed, ensure their ability to provide PCI Compliance services to the PCI SSC standard.

The PCI Security Standards Council maintains a complete list of certified QSAs. Click here to view the list. When considering a QSA, ensure their organisation is on this list, as it indicates they have a current, official certification. An uncertified QSA cannot guarantee PCI Compliance and should be avoided at all costs.

Stratica is accredited by the Payment Card Industry Council as a PCI Qualified Security Assessor & Payments Forensic Investigator.

The Criteria to look for in a QSA

Now that you understand the role and importance of a PCI QSA and the qualifications they must have, you’re now in a position to evaluate vendors.

Here are the criteria to use when evaluating a PCI QSA.

Experience: An experienced QSA will have navigated several organisations (and their unique environments) through an evolving threat environment. This allows them to better tailor a solution to your organisation’s unique needs.

Expertise: Alongside experience sits expertise. The right QSA should be knowledgeable in the evolving PCI landscape so they can provide you with up-to-date advice to mitigate contemporary and evolving risks.

Reputation: Given PCI compliance’s highly sensitive and consequential nature, your QSA must have a solid reputation in the industry.

References: When selecting a QSA, it is important to get references from current clients, particularly those of a size, sector, or business environment similar to your organisation. Obtaining references will give your organisation the proof it needs to evaluate a PCI QSA properly.

Location: While it is more than possible (and, in most cases, more efficient) to work with a QSA remotely, it is still important to know where they are located.

Ensure your QSA has a significant presence in the countries or regions where you do business. That way, they will have a solid understanding of the environments in which you operate and the unique risks associated with them.

Commitment: When the words “external assessment” are mentioned, they likely conjure thoughts of someone removed from your organisation’s day-to-day operations. This person only communicates with your team when necessary and is seldom (if ever) seen outside of the assessment. This style of auditing is not the case for a PCI QSA. Well, at least. It shouldn’t be.

A good PCI QSA will act as an extension of your team, whether you have in-house IT and cyber security personnel or they deal with the owners/directors. Ensure your QSA is willing to engage with your team and provide expert assistance where required – before, during and after your assessments. If a QSA has limited capacity to work with your organisation, they are more likely to provide only the minimum service.

Cost: While cost is a consideration for every organisation when selecting vendors, you shouldn’t put a price on security. Indeed, the risks associated with saving money on a PCI QSA could cost you much more in the long run. If you are considering your budget when evaluating a PCI QSA provider, you should only do so with a complete understanding of why their costs are lower – and a strategy to mitigate the risks associated with those reasons.

The Questions Your PCI QSA Should Answer

Are they also a Payments Forensic Investigator (PFI)?

A Payments Forensic Investigator (PFI) is a professional qualified to investigate a data breach. They determine the exact source of the breach and the vulnerabilities that allowed it to occur.

Of course, an organisation cannot have the same PFI and QSA—they can’t investigate themselves. However, many QSAs are also PFIs across different organisations, and their experience on both sides is invaluable to preventing a breach. A PFI has a practical understanding of how breaches can occur in seemingly secure environments, and they can apply these learnings as a QSA to prevent the same kind of breach from happening on their watch.

Has one of their clients had a data breach?

Implementing cyber security measures, such as hiring a QSA, is not a “box-ticking exercise” to satisfy security standards. Ultimately, a QSA’s job is to protect organisations from falling victim to a data breach and experiencing the consequences that would follow. Unfortunately, some organisations—particularly those that fall into the former category and choose price over protection—are not adequately protected and, as a result, fall victim to a data breach on their QSA’s watch.

The reasons for a data breach may vary, including ineffective security measures or a lack of resources to ensure adequate protection. But regardless of the reason, a data breach on a QSA’s watch should raise an immediate red flag.

What tools do they use?

PCI QSAs use several tools to monitor an organisation’s environment for potential vulnerabilities.

A QSA should be able to outline the tools they use and how these tools contribute to maintaining your organisation’s security and PCI Compliance.

Some PCI QSA companies offer additional tools and resources, such as risk assessment tools or compliance management software. These tools are designed to assist your internal teams in managing PCI compliance requirements day to day, but they shouldn’t replace the need for a QSA.

What is their approach to security assessments?

While PCI compliance requirements can often seem complex, the concepts behind them shouldn’t be. That’s why your QSA should adopt a consultative approach to security assessments and their outcomes – beyond just ticking off compliance requirements.

Your QSA should help you understand compliance requirements and their importance to your organisation’s overall security posture. This will equip your organisation to manage its ongoing security requirements, an essential component of any cyber security strategy. Simply put, you should be able to understand why your QSA is doing what it is and how that initiative helps protect your organisation’s data.

A QSA should also act as a bridge between technical and non-technical teams in an organisation. They should be able to explain complex security terms clearly and understandably to ensure all stakeholders understand the importance of PCI Compliance and the associated measures.

Stratica is Australia’s leading PCI QSA Company

PCI Compliance is more than just a box your organisation must tick. It’s an ongoing concern crucial to your organisation’s ability to run efficiently, effectively and securely. That’s why it is vital to select the right QSA to work with your organisation and help it achieve PCI Compliance.

Stratica’s expert team offers a winning combination of best-of-breed tools and regular, ongoing strategic consultation. This comprehensive PCI QSA solution enables organisations to effectively navigate the complexities of PCI Compliance and do business with peace of mind.

For a free, no-obligation security audit, contact our team by phone at (03) 9660 5701.