
Enhancing PCI Qualified Security Assessor (QSA) and Customer Relations

October 8, 2020

Have you ever considered the relationship between the PCI DSS QSA and your business? When you are working to become PCI DSS compliant and protect your customers' sensitive data, your Qualified Security Assessor becomes invaluable. Not only does a PCI QSA conduct your PCI DSS assessment, but for most organizations the QSA is also the party that completes and signs the Report on Compliance (ROC).

What is a Qualified Security Assessor (QSA)?

A PCI Qualified Security Assessor is an individual employed by an independent QSA company that has been qualified by the PCI Security Standards Council to assess businesses seeking to validate PCI DSS compliance. An experienced Qualified Security Assessor can quickly identify the risks to your customers' cardholder data and help you find solutions.

The Right PCI DSS QSA for your PCI Audit

You can hire a PCI Qualified Security Assessor from a QSA company. This may appear simple enough, but who you hire to conduct your audit is extremely important. You will want to take the following details about a Qualified Security Assessor and their organization into account:

  • How experienced is the Qualified Security Assessor?
  • Does the auditor understand your company?
  • Does their QSA company specialize in your industry?
  • What is the turnaround time?
  • Does their fee match your budget?
  • Do you need a gap analysis first?
  • What happens if you need multiple audits?

When it comes to hiring a Qualified Security Assessor, it is essential that you first find someone who knows your industry inside and out. Ask about their assessment history and their familiarity with businesses like yours. Data security requirements vary with numerous factors, including your industry, your merchant level, and how cardholder data flows through your environment. The best thing you can do is hire a PCI assessor who understands your business, which areas need the most attention, and where the likely pitfalls are.

How to Help your PCI DSS QSA for a Successful PCI Audit

You also need to lay the foundation for your auditor. Understand your current limits, strengths, and weaknesses. Being honest with yourself and your auditor will not only accelerate the process, it will also make it easier for them to help you.

Give your PCI DSS QSA a view of your entire operation, not just the systems you believe are in scope. There is no need to limit who your QSA comes in contact with; it is usually better that they talk to as many employees as possible, since undocumented data flows (a spreadsheet of card numbers in the finance team, a call-center recording that captures a PAN) are what turn a tidy scope into an inaccurate one. This way the assessor gets a comprehensive view of your processes and needs, and the scope they assess matches the scope you actually have.

At the end of the day, a QSA is meant to help your company. By auditing your system, they make it easier for you to become PCI compliant. It is in your best interest to treat them as an asset.

VGS Solution for Both QSAs and Businesses

Managing a PCI DSS engagement is an adventure for both businesses and the PCI Qualified Security Assessor. To make the journey as productive as possible, either the QSA firm or business should appoint a guide.

For businesses new to PCI DSS, finding a guide within their existing resource pool may present a challenge. On the other hand, any PCI QSA seeking to fulfill this role still needs to learn and understand the organization's environment. This means that for both parties, finding a professional who deeply knows both the business and the PCI DSS compliance requirements can be difficult. Very Good Security (VGS) addresses this problem by providing a PCI compliance guide who has a deep understanding of both the VGS platform and the customer's business use case. This combination of guide support with the platform results in a more streamlined assessment experience for both QSAs and businesses.

Very Good Security's Zero Data platform enables businesses to retain full operational functionality without having to store or interact with the sensitive data themselves, making PCI compliance easier and faster. This is achieved by VGS taking custody of, and responsibility for, cardholder data at the point of data collection. Here is how it works: with VGS Collect, payment data entered by the consumer is sent directly to VGS. In other words, the business never interacts with the cardholder data and it never enters the business's systems. Because the business never handles the card number, the assessment can treat it as a card-not-present merchant that has outsourced cardholder data handling, and responsibility for the corresponding PCI DSS requirements shifts from the organization to VGS. The business remains responsible for the systems that serve the collection form and for its own policies and procedures; which requirements fall on which party is spelled out in the responsibility matrix described below.

To help the QSA learn about the VGS platform and gain assurance that the PCI DSS requirements are being fulfilled at the point of data capture, VGS provides an Attestation of Compliance (AOC) and a responsibility matrix. From these materials, a PCI QSA gains a clear understanding of how VGS reduces the assessment scope of the business's environment, as well as a clear delineation of PCI DSS responsibilities between VGS and its customer.

Very Good Security takes on the responsibility of data collection, storage, and routing for its customers, and provides them with non-sensitive representations of the data, called "aliases", for normal business usage. Because an alias carries no cardholder data, systems that store and process only aliases fall outside the cardholder data environment, which dramatically reduces the PCI scope the QSA has to assess. To further strengthen customers' PCI DSS alignment with process-oriented controls, such as maintaining the confidentiality, integrity, and availability of aliased information, VGS Compliance Leads provide their expertise during the product's implementation, during preparation for the customer's PCI DSS assessment, and throughout the journey.
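To make the aliasing pattern behind the two paragraphs above concrete (data captured straight into a vault, the business keeping only a non-sensitive stand-in, the vault swapping the alias back for the real number when a processor call is needed), here is a self-contained toy in Python. It is an added illustration written for this page, not VGS code and not the VGS Collect API: `AliasVault`, `MerchantApp`, `fake_processor` and the `tok_` alias format are hypothetical names and the card numbers are constructed test values. Real providers also offer deterministic per-card aliases (a keyed HMAC of the PAN) so repeat customers can be recognised; this toy uses purely random aliases to make the point that nothing about the PAN is recoverable from the alias without the vault.

```python
"""Toy PAN aliasing / scope-reduction demo (added example, not VGS code)."""
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check on a digit string; used only to reject mistyped numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class AliasVault:
    """Stands in for the tokenization provider. It is the only component that
    ever holds the PAN; the business only ever sees the alias it hands back."""

    def __init__(self):
        self._pans_by_alias = {}  # the vault's own (in-scope) storage

    def tokenize(self, raw_pan: str) -> dict:
        """Called by the browser-side collection form, never by the merchant."""
        pan = re.sub(r"\D", "", raw_pan)
        if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        # The alias is random, not derived from the PAN: no key, hash or
        # format trick lets anyone outside the vault recover the number.
        alias = "tok_" + secrets.token_hex(12)
        self._pans_by_alias[alias] = pan
        # last4 is the one fragment PCI DSS lets a merchant display and keep.
        return {"alias": alias, "last4": pan[-4:]}

    def forward(self, alias: str, amount_cents: int, processor) -> dict:
        """Swap the alias back for the PAN and call the processor on the
        business's behalf, so the PAN never transits the business's servers."""
        pan = self._pans_by_alias.get(alias)
        if pan is None:
            raise KeyError("unknown alias")
        return processor(pan, amount_cents)


def fake_processor(pan: str, amount_cents: int) -> dict:
    """Constructed stand-in for an acquirer/processor API."""
    return {"approved": amount_cents > 0 and luhn_valid(pan), "last4": pan[-4:]}


class MerchantApp:
    """The business's own system. Its database holds aliases, never PANs."""

    def __init__(self, vault: AliasVault):
        self.vault = vault
        self.orders = []

    def place_order(self, vault_response: dict, amount_cents: int) -> dict:
        # Only what the vault returned is stored; the PAN never arrived here.
        order = {
            "card_alias": vault_response["alias"],
            "card_last4": vault_response["last4"],
            "amount_cents": amount_cents,
        }
        self.orders.append(order)
        return order

    def charge(self, order: dict) -> dict:
        return self.vault.forward(order["card_alias"], order["amount_cents"], fake_processor)

    def stores(self, needle: str) -> bool:
        """What an assessor's data-discovery scan of the merchant DB would find."""
        return any(needle in str(v) for o in self.orders for v in o.values())


def rejects_invalid(vault: AliasVault, raw_pan: str) -> bool:
    """True if the vault refuses a number that fails basic validation."""
    try:
        vault.tokenize(raw_pan)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    vault = AliasVault()
    tok = vault.tokenize("4242 4242 4242 4242")  # constructed test PAN
    app = MerchantApp(vault)
    order = app.place_order(tok, 1999)
    print("merchant record:", order)
    print("charge result:", app.charge(order))
    print("PAN present in merchant storage?", app.stores("4242424242424242"))
```

The point to take to an assessment is the last line: a data-discovery scan of the merchant's storage finds aliases and last-four digits only, which is what lets those systems be argued out of scope, while the vault (the provider) carries the full weight of the requirements for the PAN it holds.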

This results in well-developed integrations, policies, and procedures, all of which can be leveraged to further accelerate the PCI DSS assessment of a VGS customer and improve the assessment experience for both the business and the assessor. Collaboration between VGS Compliance Leads, the business, and the PCI QSA promotes continuous monitoring of the environment's compliance with PCI DSS.

By outsourcing your PCI DSS compliance to a trusted Compliance-as-a-Service provider, you can make your organization's PCI assessment as quick and painless as possible. Learn about all the benefits of using a PCI-as-a-Service solution in this guide.

Stefan Slattery

Head of Growth Marketing

