The PCI Security Standards Council operates an in-depth program for security companies seeking to become Qualified Security Assessors (QSAs), and to be re-certified each year. The five founding members of the Council recognize the QSAs certified by the PCI Security Standards Council as being qualified to assess compliance to the PCI DSS standard.
Because the quality of PCI DSS validation assessments can have a tremendous impact on the consistent and proper application of security measures and controls, the PCI Security Standards Council's QSA qualification requirements are exacting and detailed, involving both the security companies and their individual employees. The time elapsed from application submission to a new QSA being listed on the PCI Security Standards Council Web site is estimated at three months.
The high-level qualification requirements are as follows. Prospective QSA companies must:
Step 1 - Application
The security company must first submit the required documentation, including certifications, business license, insurance certificates and the registration fee, which is credited against the initial enrollment fee if the firm becomes qualified. Please see the Qualification Requirements for Qualified Security Assessors (QSA) v. 2.1. Submit your attestation to the requirements to:
Step 2 - Training
All individuals who will be involved in assessing security for the company's clients must undergo and pass the Council's QSA training course and receive official certification. Individual fees apply. A Council representative will schedule training for the prospective QSA's employees, and the company will be notified whether they pass or fail the test at the end of the course. For more information regarding QSA training, please click here.
Step 3 - Enrollment
When the enrollment fee balance has been received by the PCI Security Standards Council, the security company will receive a Letter of Acceptance from the Council, and each of its employees who has passed the training course will receive a Certificate of Qualification. The new QSA firm will be listed on the Council Web site, the employees will be added to the Council's database of certified personnel, and the company may now perform audits for its clients.
To ensure that security audits are carried out at the highest levels of quality and professionalism, the PCI Security Standards Council encourages the payment brands and other entities to submit audit Quality Feedback Forms, which will be evaluated by the Council's Technical Working Group. If a QSA is judged to be deficient in its audit efforts, the Council will engage in dialog to recommend measures for improvement. If improvement is not deemed sufficient, the result could be disqualification for the QSA and removal from the Website list.