QSA Assessment Guide
Everything you need to know about working with a Qualified Security Assessor — from choosing the right QSA to preparing for your on-site audit and maximising the value of the engagement.
Learn what QSAs examine, how the assessment process works, and how to build a productive assessor-client relationship.
What Is a Qualified Security Assessor (QSA)?
A Qualified Security Assessor (QSA) is a security professional certified by the PCI Security Standards Council (PCI SSC) to conduct PCI DSS assessments. QSAs are employed by QSA Companies (QSACs) — firms that have been qualified and listed by the PCI SSC to perform assessment services.
The QSA qualification requires initial training, an examination, and annual requalification. QSAs must demonstrate expertise in information security, the PCI DSS requirements, and the assessment methodology. The PCI SSC maintains a public listing of qualified QSACs; before engaging a firm, verify that it is currently listed and confirm with the firm that the individual assessors assigned to you are its current, qualified QSA employees.
QSAC firms must also meet requirements of their own, including maintaining professional liability insurance, employing qualified QSA staff, and operating a quality assurance process. The PCI SSC conducts periodic quality reviews of QSAC firms and of individual QSA work products (such as completed ROCs) to ensure assessments are consistent and rigorous; firms that fall short can be placed in remediation or removed from the list.
When You Need a QSA vs Self-Assessment
Whether you need a QSA depends on your merchant or service provider level (defined by each card brand from annual transaction volume), your acquiring bank's requirements, and any escalation applied after a compromise.
QSA Required
- Level 1 merchants (for Visa and Mastercard, over 6 million transactions per year across all channels)
- Level 1 service providers (for Visa, over 300,000 transactions per year) that store, process, or transmit cardholder data or can affect its security
- Merchants escalated to Level 1 by their acquiring bank or a card brand, which commonly happens after a cardholder data compromise
QSA Recommended
- Level 2 merchants with complex cardholder data environments
- Organisations pursuing PCI DSS for the first time
- Merchants with multi-channel payment processing (omnichannel)
- Organisations using compensating controls for multiple requirements
Self-Assessment (SAQ)
- Level 2-4 merchants with straightforward payment environments, subject to their acquirer's and card brands' validation rules (Mastercard, for example, requires Level 2 SAQs to be completed by ISA-trained staff or a QSA)
- Merchants using fully outsourced payment processing with no electronic storage, processing, or transmission of cardholder data on their own systems
- Organisations with prior PCI DSS assessment experience
- Merchants eligible for simplified SAQ types (A, A-EP, B, B-IP)
How to Choose the Right QSA
Selecting the right QSA is one of the most important decisions in your PCI DSS compliance journey. Evaluate candidates across these eight criteria:
Industry Experience
Look for QSAs who have assessed organisations in your specific industry. Retail, e-commerce, financial services, and healthcare each have unique PCI DSS challenges.
PCI SSC Listing Verification
Always verify that the QSAC is currently listed on the PCI SSC website and that the individual QSAs assigned are qualified employees of that firm. Listings can be placed in remediation or revoked, so check at the start of every engagement, not just the first.
Team Size & Availability
Ensure the QSAC has sufficient staff to meet your timeline. Ask about assessor allocation, backup resources, and peak season availability.
Communication Style
Choose a QSA who explains findings clearly and provides actionable guidance. The assessment should be educational, not adversarial.
Remediation Guidance
The best QSAs help you understand how to fix gaps, not just identify them. Ask whether the QSA provides remediation recommendations and advisory support.
Geographic Coverage
If you have multiple locations or international operations, ensure the QSA can support on-site assessments across all relevant geographies.
Client References
Request references from organisations similar to yours in size, industry, and complexity. Speak with past clients about the QSA's thoroughness, communication, and professionalism.
Cost Transparency
Require a detailed proposal with a fixed or capped fee. Understand what is included, what triggers additional charges, and how remediation re-validation is priced.
What the QSA Will Examine
During the on-site assessment, QSAs use multiple evidence-gathering methods to validate compliance with each requirement. Understanding these methods helps you prepare the right evidence in advance.
Documentation Review
Policies, procedures, standards, and guidelines for all 12 requirement families. Documents must be current, approved, and communicated to relevant personnel.
Technical Testing
System configuration reviews, firewall rule analysis, and encryption validation performed by the assessor, together with review of your vulnerability scanning and penetration testing results, to verify that technical controls are in place and operating.
Personnel Interviews
Discussions with security staff, system administrators, developers, and management to verify awareness, understanding, and execution of security processes.
Physical Inspection
On-site walkthroughs of data centres, server rooms, and facilities to verify physical access controls, device security, and environmental protections.
System Configuration Review
Examination of actual system configurations, hardening standards, and default settings to confirm they match documented policies and PCI DSS requirements.
Log Analysis
Review of audit logs, security event logs, and daily log review evidence to validate monitoring processes and Requirement 10 compliance.
Vulnerability Scan Review
Analysis of the quarterly external ASV scan reports and quarterly internal vulnerability scan results, including evidence that identified vulnerabilities were remediated and re-scanned to a passing result.
Penetration Test Review
Review of internal and external penetration test reports (annual, and after significant changes) for methodology, scope coverage of the cardholder data environment and segmentation controls, and evidence that identified findings were addressed.
Working with Your QSA Effectively
A well-prepared organisation can significantly reduce assessment duration and cost. Complete this preparation checklist before your QSA's on-site arrival:
How GRCTrack Supports QSA Engagements
Multi-QSA Workspace
Support multiple QSA team members with individual role-based access. Each assessor can view assigned requirements, track their findings, and collaborate with colleagues.
Evidence Sharing Portal
Share evidence securely with your QSA through a purpose-built portal. Eliminate email attachments with direct access to versioned, requirement-mapped documentation.
Assessment Workflow Tracking
Track assessment progress by requirement family, individual requirement, and assessor. See which requirements have been reviewed, which are pending, and which need attention.
Real-Time Status Dashboards
Live dashboards showing assessment completion percentage, findings by severity, and evidence coverage. Share progress with executives and stakeholders at any time.
Automated Evidence Collection
Schedule and automate recurring evidence collection tasks. Automated reminders and collection workflows ensure evidence is current and complete before each assessment cycle.
QSA-Ready Report Generation
Generate reports structured to match ROC reporting templates. Pre-populate requirement details, evidence references, and control descriptions to streamline the assessment documentation process.
Frequently Asked Questions
What qualifications must a QSA hold?
A QSA must be employed by a QSA Company (QSAC) that is listed on the PCI SSC website. Individual QSAs must complete PCI SSC training, pass the QSA qualification exam, and requalify annually through continuing education. QSAs must also adhere to the PCI SSC Code of Professional Responsibility and maintain independence from the organisations they assess. The PCI SSC can revoke QSA status for violations of professional standards.
How much does a QSA assessment typically cost?
QSA assessment costs vary significantly based on the scope and complexity of the engagement. For a full ROC assessment, costs typically range from $50,000 to $500,000 or more, depending on the number of locations, the size of the cardholder data environment, and the duration of the on-site engagement. Smaller engagements such as QSA-assisted SAQ completions may cost $10,000 to $30,000. Always request a detailed proposal with a fixed or capped fee structure before engaging.
Can we use the same QSA every year?
Yes, organisations can use the same QSA Company year after year; PCI DSS itself does not mandate assessor rotation. Some organisations nonetheless rotate the lead assessor periodically to bring a fresh perspective, and you should confirm whether your acquiring bank or the card brands impose any rotation expectations of their own. Continuity with the same QSAC provides efficiency benefits, but organisations should periodically evaluate whether their QSA is providing the rigour and value expected.
What is the difference between a QSA and an ISA?
A QSA (Qualified Security Assessor) is an external assessor employed by a PCI SSC-listed QSAC firm who can assess any organisation, subject to the PCI SSC's independence rules. An ISA (Internal Security Assessor) is an employee of a specific organisation who has completed PCI SSC ISA training and can only assess their own employer; the employer must be enrolled with the PCI SSC as the ISA's sponsor company, and the programme is not run through a QSAC. ISAs can complete a ROC for their organisation, but whether an ISA-completed ROC is accepted in place of a QSA-completed one depends on the acquirer's and card brands' validation rules, so confirm this with your acquiring bank before relying on an ISA for your annual validation.
What happens if we disagree with a QSA finding?
If you disagree with a QSA finding, first discuss the specific requirement interpretation with the assessor and provide additional evidence or context; compensating controls, where the requirement allows them, are often the practical resolution. If the disagreement cannot be resolved, escalate to the QSA Company's quality assurance lead, which every QSAC is required to have. As a last resort, the PCI SSC operates a feedback mechanism through which organisations can report concerns about QSA conduct or competence. Most disagreements, however, are resolved through additional evidence or clarification of scope.
Find the Right QSA for Your Assessment
GRCTrack provides the collaboration tools and evidence management platform that make QSA engagements faster, smoother, and more cost-effective.