A QSA audit is an independent assessment of an organization's compliance with the requirements of PCI DSS (Payment Card Industry Data Security Standard), conducted by certified assessors for companies that store, process or transmit payment card data. It is carried out by a Qualified Security Assessor (QSA): a security professional, employed by a QSA company, who has been certified by the PCI Security Standards Council (PCI SSC).
A QSA audit (on-site assessment) is mandatory for Level 1 merchants, that is, those processing more than six million Visa or Mastercard transactions per year; other card brands define their own level thresholds. Acquiring banks may also require it of lower-level merchants, and it is commonly required after a security incident involving compromise of cardholder data.
Auditor Qualification
Qualified Security Assessors must complete a strict certification program that includes PCI DSS training, examinations and annual requalification. The qualification requires deep knowledge of information security, payment technologies and compliance requirements, so that the assessor can objectively evaluate IT environments of varying complexity.
Audit Conducting Process
The audit begins with scoping: identifying the cardholder data environment (CDE), that is, every system that stores, processes or transmits cardholder data, together with systems connected to them or able to affect their security. The QSA then analyses the network architecture and segmentation, access management systems, data handling procedures, security policies and the technical protection controls in place.
Within the audit, compliance with all twelve PCI DSS requirements is assessed:
- Install and maintain network security controls (including firewalls)
- Apply secure configurations to all system components, replacing vendor-supplied defaults
- Protect stored account data
- Protect cardholder data with strong cryptography during transmission over open, public networks
- Protect all systems and networks from malicious software
- Develop and maintain secure systems and software
- Restrict access to system components and cardholder data by business "need to know"
- Identify users and authenticate access to system components
- Restrict physical access to cardholder data
- Log and monitor all access to system components and cardholder data
- Test the security of systems and networks regularly
- Support information security with organizational policies and programs
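Scoping depends on knowing where cardholder data actually ends up, and a common finding is primary account numbers (PANs) leaked into application logs, exports or tickets. The following is an added example, not part of the original article or any PCI SSC material: a small PAN-discovery scan in Python that pulls 13 to 19 digit candidates out of text, drops look-alike numeric identifiers with the Luhn check, tags the card brand by a simplified prefix table (an assumption, not the brands' full published BIN ranges), and reports each hit masked to the first six and last four digits, the maximum PCI DSS allows to be displayed, so the scan output does not itself become stored cardholder data. The log lines are constructed for the example; the 16-digit trace id on line 3 is deliberately included to show the false positive that Luhn filters out.

```python
"""Added example: PAN discovery for PCI DSS scope mapping.

Scans text (log lines, exports, config dumps) for candidate card numbers,
filters them with the Luhn check to drop look-alike numeric IDs, tags the
card brand by prefix, and reports each hit masked to first six / last four
digits so the scan report itself does not become stored cardholder data.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally split by single spaces or hyphens.
# The lookarounds stop us from matching a slice of a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Simplified issuer prefix patterns (assumption: illustrative, not the full
# BIN ranges each brand publishes).
_BRANDS = (
    ("Visa", re.compile(r"^4\d{12}(?:\d{3})?(?:\d{3})?$")),
    ("Mastercard", re.compile(r"^(?:5[1-5]\d{2}|2(?:2[2-9]\d|[3-6]\d{2}|7[01]\d|720))\d{12}$")),
    ("Amex", re.compile(r"^3[47]\d{13}$")),
    ("Discover", re.compile(r"^6(?:011|5\d{2})\d{12}$")),
)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit counted from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str):
    """Return the brand name for a PAN, or None if no prefix pattern matches."""
    for name, pattern in _BRANDS:
        if pattern.match(digits):
            return name
    return None


def mask_pan(digits: str) -> str:
    """Mask to first six and last four, the most PCI DSS permits to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Return (line_no, brand, masked_pan) for every Luhn-valid candidate."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append((line_no, brand_of(digits), mask_pan(digits)))
    return hits


# Constructed sample log (not real data): line 2 leaks a Visa test PAN, line 3
# holds a 16-digit trace id that fails Luhn, line 4 leaks an Amex test PAN.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z app INFO order=10231 status=ok
2024-03-01T10:00:02Z app DEBUG card=4111 1111 1111 1111 exp=12/26
2024-03-01T10:00:03Z app INFO trace_id=1234567890123456 user=42
2024-03-01T10:00:04Z app ERROR payment failed pan=378282246310005
2024-03-01T10:00:05Z app INFO order=10232 status=ok
"""

if __name__ == "__main__":
    for line_no, brand, masked in find_pans(SAMPLE_LOG):
        print(f"line {line_no}: {brand or 'unknown'} PAN {masked}")
```

Run against the sample, the scan reports lines 2 and 4 only. Any system whose logs produce hits like these is storing cardholder data and belongs in the CDE, regardless of what the architecture diagram says; the same scan run over file shares and databases is the usual first step of scope validation before the QSA arrives.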
Documentation and Reporting
The QSA compiles a detailed Report on Compliance (ROC), documenting every element examined, the non-compliances identified and recommendations for remediation. The report describes the assessment methodology and testing results and records the compliance status of each requirement. The outcome is summarised in an Attestation of Compliance (AOC), which the organization submits to its acquiring bank or the card brands.
Where deviations from PCI DSS requirements are found, the organization must draw up a corrective action plan with remediation deadlines. The QSA can re-verify the remediated items to confirm compliance and then sign the final ROC and AOC.
Validity Periods and Updates
PCI DSS compliance validation (the AOC, often informally called a compliance certificate) is valid for one year, after which a new QSA audit is required. Between full audits the organization must maintain compliance continuously: carry out the periodic activities the standard requires, such as quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), and reassess scope whenever infrastructure changes could bring new systems into the cardholder data environment.
Successful completion of a QSA audit demonstrates compliance with industry security requirements, reduces the risk of fines from the card brands and acquirers, increases partner and customer trust, and aligns the organization's security program with generally accepted information security practice.