Cybersecurity Insights

Qualified Security Assessor - Quick FAQs

Written by Muralee Krishnan | Sep 15, 2021 12:30:00 PM

We address some of the most frequently asked questions about a Qualified Security Assessor (QSA) company. Check out the complete blog.

Qualified Security Assessor – Frequently Asked Questions (FAQ)

What is a QSA Company?

Answer: Qualified Security Assessor (QSA) companies are organisations that have been qualified by the PCI SSC Council) to have their employees assess compliance to the PCI DSS standard. Qualified Security Assessors are employees of these organisations who have been certified by the Council to validate an entity’s adherence to the PCI DSS standards. And these Qualified Security Assessors must meet specific information security education requirements and have undertaken appropriate training and certification from the PCI Security Standards Council.

How do QSA Companies reach Certification?

Answer: Qualified Security Assessor (QSA) companies are organisations that have been qualified by the PCI SSC Council) to have their employees assess compliance to the PCI DSS standard. Qualified Security Assessors are employees of these organisations who have been certified by the Council to validate an entity’s adherence to the PCI DSS standards. And these Qualified Security Assessors must meet specific information security education requirements and have undertaken appropriate training and certification from the PCI Security Standards Council. The PCI Security Standards Council maintains an in-depth training program covering all new trends and technologies associated with payment and card data security for companies seeking to be certified as Qualified Security Assessors (QSAs), as well as to be re-certified as QSAs each year. Stickman Consulting is a listed QSA Company having expertise and capable record in assisting wide range of organisations with their PCI DSS Compliance.

Is StickmanCyber a QSA Company?

Answer: YES – StickmanCyber is a Qualified Security Assessor (QSA) company qualified by the PCI SSC Council where our QSA qualified employees assess compliance to the PCI DSS standard. Stickman Consulting Qualified Security Assessors are employees of Stickman Consulting who have been certified by the Council to validate an entity’s adherence to the PCI DSS standards. All of Stickman Consulting’s (QSA) Qualified Security Assessors must meet specific information security education requirements and have undertaken appropriate training and certification from the PCI Security Standards Council. StickmanCyber QSA Services: StickmanCyber QSA consultants perform a range of PCI Compliance services for our clients starting from PCI GAP Assessments, PCI Remediation, and card holder data scanning and network Scans, PCI Certification and other unique packaged services such as StickFigure which helps clients to complete Self Assessment Questionnaires (SAQ).

Is Stickman Consulting listed on the QSA Companies list?

Answer: YES – Stickman Consulting is a Qualified Security Assessor (QSA) company qualified by the PCI Security Standards Council and can be found under “Approved Companies and Providers” listed within the QSA Companies on the PCI SSC Council website.

What do PCI DSS Services Include?

Answer: StickmanCyber QSA Services:

In Stickman Consulting QSA consultants perform a range of PCI Compliance services for our clients starting from PCI GAP Assessments, PCI Remediation, and Credit Card data scanning and network Scans, PCI Certification and other unique packaged services such as StickFigure which helps clients to complete Self Assessment Questionnaires (SAQ).

How do I reduce the scope of a PCI DSS assessment?

Answer: Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of an entity’s network is strongly recommended as a method that may reduce the scope of a PCI DSS assessment. At a high level, adequate network segmentation isolates systems that store, process, or transmit cardholder data from those that do not. Network segmentation can be achieved through a number of physical or logical means, such as properly configured internal network firewalls, routers with strong access control lists, or other technologies that restrict access to a particular segment of a network. An important prerequisite to reduce the scope of the cardholder data environment is a clear understanding of business needs and processes related to the storage, processing or transmission of cardholder data. Restricting cardholder data to as few locations as possible by elimination of unnecessary data, and consolidation of necessary data, may require reengineering of long-standing business practices. Documenting cardholder data flows via a dataflow diagram helps fully understand all cardholder data flows and ensures that any network segmentation is effective at isolating the cardholder data environment. The adequacy of a specific implementation of network segmentation is highly variable and dependent upon a number of factors, such as a given network’s configuration, the technologies deployed, and other controls that may be implemented. You should be validating the scope of your cardholder data environment as part of your annual PCI DSS assessment process, including validation of any network segmentation.

How do I choose a reputable PCI QSA?

Answer: If you are considering hiring a professional to help you with your business, here are a few helpful guidelines.

#1 You Get What You Pay For

While it may be tempting to opt for the services of an assessor who asks for the lowest professional fee, remember that you almost always get what you pay for. Remember that PCI Compliance is not just another item to tick off your to-do list.  Failure to obtain it can lead to serious consequences. Although there are some assessors who do ask for low professional fees, these are more an exception than the rule.

#2 The Value of PCI QSA Certification

It does not necessarily mean that when an assessor is certified, he can offer the best advice. Most professionals vary in their ability and proficiency. The best are almost always employed by companies which specialise in QSA and do not simply provide the service amongst a range of other services.

#3 The Assessor’s Role

Your QSA should perform two important roles in order to help your business. As an auditor, he will thoroughly assess the structures you have put into place. But before and after the audit, your QSA should act as a business partner who can readily provide you with invaluable advice.

#4 How to Choose A Professional

Before hiring a QSA, it is worthwhile to invest ample time into assessing his knowledge, skill and experience. Here are areas worth delving into.

Experience: Often, the best professionals have several years of experience and have worked with different organisations of varying sizes. If you’d ask them for references, they readily give you a list of their past clients.

Knowledge: Your QSA should readily answer your queries and explain complicated issues in a clear and simple manner. Prior to hiring a QSA, it is worthwhile to do some research and ask him about contentious issues in his field. What you’d want are answers that are fairly consistent. Why? Consistent answers mean that the QSA knows what he is talking about. In turn, should he recommend some measures to be implemented, you’ll know that your investment toward those are well worth your money.

Professionalism: A true professional knows that his role extends beyond auditing. Rather than giving advice to clients, they offers solutions and explains the merits of each. The best auditors also subscribe to the ideal of transparency. If your organisation has pitfalls, he will readily explain why such things happened and what options are available to you in order to rectify these. Finally, quality professionals adhere to a strict code of ethics. Rarely will you hear the best professionals name past clients and the issues they have encountered.

Is your business looking to get PCI DSS compliant? StickmanCyber's PCI DSS compliance service deploys a 5-step methodology to help you build trust with your customers and guarantee secure transactions with PCI DSS Compliance.