What is a PCI QSA and a QSAC?

When you’re dealing with PCI DSS compliance, the terms QSA and QSAC come up a lot. So what are they?

It’s a good question, because the term ‘QSA’ can refer to at least 3 related things. The term QSA itself stands for Qualified Security Assessor, which is a qualification issued by the PCI Security Standards Council. Note, the qualification is called an Assessor, not an Auditor.

We often use the term QSA to reference both individual people who hold the QSA qualification, and also the company they work for. Being more accurate, we should use QSA to refer to a person, and QSAC (QSA Company) to refer to their employer.

What do QSAs do?

The primary role of a QSA is to conduct on-site PCI DSS assessments of merchants and service providers. Under the rules of the card brands, level 1 companies are required to have on-site PCI assessments done on an annual basis. Depending on card brand, you may be required to use a QSA to do this assessment, or it may simply be something you’re strongly encouraged to do.

Any company required to do an annual PCI assessment (in fact any company at all) can elect to contract with a QSAC and go through a full on-site audit, rather than just doing a Self Assessment Questionnaire. Simply because of cost and time constraints, most level 2, 3, and 4 companies will go down the SAQ route. As a result, QSAs spend most of their time conducting assessments of level 1 companies.

While the primary purpose of the QSA qualification is to conduct assessments, that’s not all these qualified individuals find themselves doing. QSAs both receive significant training in the PCI ecosystem, and also have extensive experience of different ways of solving the issues that arise due to the time they spend on-site with clients. So PCI QSAs find themselves in demand for consulting engagements with companies that are either already subject to PCI DSS, or are moving into that space.

PCI QSAs are trained to understand the PCI DSS and how the standard is intended to operate. But because their work output is regularly reviewed by the card brands, they also develop expertise in some aspects of how those card brands operate. This is particularly the case when it comes to the operation of the card brand information security programs such as Mastercard SDP and Visa CISP.

What do I need in order to become a QSA?

There are various requirements in order to become qualified as a QSA. They are documented in detail in the official PCI DSS Qualification Requirements for Qualified Security Assessors guide, but are summarized here.

The first one is somewhat chicken and egg-like: to be eligible to receive or renew a QSA qualification, you must work at a QSA Company (QSAC). How do you get a job at a QSAC to be a QSA, if you’re not already a QSA? Luck and persistence; start low aim high; …?

Assuming you’re working at a QSAC, you’ve cleared a major hurdle.

There are two other significant prerequisites however. You must hold a recognized Information Security management certification, and a recognized Audit certification. Historically you only needed one of these to be eligible for QSA training, but in 2017 the PCI Security Standards Council changed the rules to require one of each type.

Information Security Certifications (one required):

  • (ISC)2 Certified Information Systems Security Professional (CISSP)
  • ISACA Certified Information Systems Manager (CISM)
  • Certified ISO 27001 Lead Implementer

Audit Certifications (one required):

  • ISACA Certified Information Systems Auditor (CISA)
  • GIAC Systems and Network Auditor (GSNA)
  • IRCA ISMS Auditor or higher
  • IIA Certified Internal Auditor

Going beyond the professional certification requirements, there are also professional experience requirements. For practical purposes, these typically won’t be an issue for most eligible candidates because similar experience requirements exist as prerequisites for those professional certifications too. Anyone holding the professional certifications is likely to already have the practical experience.

However, the PCI Security Standards Council explicitly requests one year of experience covering all of the following information security disciplines, and one year covering all of the following audit disciplines.

Information Security Disciplines:

  • Application Security
  • Information Systems Security
  • Network Security

Audit Disciplines:

  • IT Security Auditing
  • Information Security Risk Assessment or Risk Management

Beyond these, the requirements are very similar to what’s required to receive most professional certifications:

  • pass appropriate background checks, per the policy of the QSAC
  • possess knowledge of the PCI DSS and applicable documents on the PCI SSC website
  • attend annual QSA Employee training and pass all the required examinations
  • agree to adhere to the PCI SSC Code of Professional Responsibility

Assuming you’ve cleared all of these hurdles, you’re a QSA. In addition to getting to put those QSA initials after your name on your business card, this also means you are now included in the public database of QSAs maintained by the PCI Security Standards Council.

What ongoing training do QSAs get?

People who are QSAs are required to go through annual training delivered by the PCI Security Standards Council. The purpose of this is to ensure that their knowledge of the PCI DSS and its interpretation remains current. Beyond this annual training, there are also a number of other activities a QSA needs to do in order to maintain their QSA status.

To maintain their QSA credential, QSAs are required to do a certain number of hours of educational activities every year, which are reported to the PCI Security Standards Council. These are known as CPE credits, for Continuing Professional Education, and are measured in hours. On an annual basis, a QSA must earn at least 20 hours of CPEs, and on a rolling 3-year cycle they must total 120 CPE hours. Averaged out, that’s 40 hours per year, which is a significant undertaking.

As professionals in the IT Security space, QSAs also need to maintain their existing certifications in order to remain QSAs. Those existing credentials have their own continuing professional education requirements. As examples, both the (ISC)2 CISSP (IT security certification) and the ISACA CISA (audit certification) require you to earn 120 CPE hours over 3 years.

Fortunately, many of these certifications have their CPE requirements aligned, such that the same hour can be used as qualifying credit for multiple certifications. Otherwise this could easily be infeasible to manage, with both the QSA qualification and two professional certifications each requiring an average of 40 hours per year of continuing education – that would be 3 business weeks per year!

Does the QSA qualification expire?

Yes, the QSA qualification can and does expire. The QSA qualification is granted on a 3 year cycle, after which there is a requalification process. This is one of the reasons why the 120 CPE hours have to be earned over a 3 year period – it’s at requalification time that a review is done to ensure you maintained your eligibility over that time.

After being a QSA for 3 years, you go through requalification training and a further exam, which ensures you are up to date with the latest iteration of the PCI DSS. If you don’t complete this training successfully, and also demonstrate that you’ve met the other requirements, then you’re no longer a QSA.

In addition to the QSA qualification expiring, it’s also possible for it to be effectively suspended. If you fail any of the exams administered by the PCI Security Standards Council, you are no longer allowed to perform or lead PCI DSS assessments. That remains the case until you pass the exam that you failed.