Companies that are required to undergo an audit and complete a Report on Compliance (ROC) for PCI DSS compliance should be assessed by approved PCI QSAs (Qualified Security Assessors), according to the PCI Security Standards Council.
An ROC usually applies to level 1 and 2 merchants and service providers, but organisations that have to complete a self-assessment questionnaire (SAQ) will find that using a QSA lends greater credibility to the completed SAQ.
Selecting the best Qualified Security Assessor (QSA) is critical.
The right QSA can help identify and address security risks while meeting an organisation’s specific needs and budget. A good QSA is able to translate concepts into business terms, giving the company a firm grasp on the PCI requirements and the impact they may have on the business.
Selecting a QSA that has the right knowledge and experience will not only ensure that you achieve and maintain compliance with the PCI DSS, it will also give you the peace of mind that you are able to reduce your risks and control your costs on an ongoing basis.
A Qualified Security Assessor is a highly skilled security consultant who has been certified by the PCI Security Standards Council to validate an entity’s compliance with the PCI DSS and to guide an organisation through the PCI compliance requirements.
Your QSA should be available to provide you with expert guidance and advice throughout your PCI implementation process.
The QSA should ensure that you have a very clear understanding of the requirements, and should resolve any uncertainties you may have whenever you come unstuck.
Your QSA should understand your technical environment and the specific challenges that you face.
The QSA should be neutral to any software solution, and work with you to help you make the best decisions for your business requirements and budget.
QSAs that follow a tick-box approach to compliance can put your organisation at risk of compliance violations.
Your QSA should have detailed knowledge of the Standard and the challenges that organisations face when implementing its requirements. A good QSA will work in partnership with your team and help you to understand what is required and why, giving you control over the implementation and enabling you to maintain compliance after the audit has been completed.
What can you expect from an ROC?
The ROC assessment involves a thorough review and assessment of all control areas by an approved QSA, as agreed in the scoping session. This is followed by the completion of the ROC, which, after rigorous quality assurance processes, is returned to the client, who then forwards it to their acquiring bank. An Attestation of Compliance (AOC) is also produced and signed by both the QSA conducting the audit and the client being audited.
Attaining compliance is only a part of the journey: of equal importance is maintaining it. Your QSA should be able to develop a strategic roadmap for ensuring ongoing risk reduction and compliance while minimising business impact.
QSAs are employed by approved QSA companies. You cannot be a QSA unless you work for a QSA organisation. A full list of approved QSA companies can be found on the PCI Security Standards Council’s website, where you can also verify an individual QSA employee.
As an approved QSA company, IT Governance’s comprehensive expertise in PCI, penetration testing, ISO 27001 and business continuity management means that we can help you cost-effectively integrate your ISMS with other security frameworks, enabling you to maintain compliance with the PCI DSS at a fraction of the regular cost of compliance.