How Do I Find a QSA For My PCI Audit?

by Sarah Harvey / July 9th, 2019

Are you a merchant, service provider, or sub-service provider that stores, processes, or transmits cardholder data? Going through a PCI audit for the first time? Your organization will need an assessor who can help you achieve and maintain PCI DSS compliance and deliver a high-quality PCI audit. Who can do that? A Qualified Security Assessor (QSA).

In fact, a QSA is the only external party who can deliver a PCI Report on Compliance (RoC) for your organization. (The only other option is an Internal Security Assessor (ISA), an employee of your own organization trained by the PCI SSC, and the card brands and acquirers do not accept ISA-completed RoCs in every case.)

Without engaging a QSA company that employs a certified QSA, you will not receive a valid RoC, you will not be able to demonstrate PCI DSS compliance to your acquirer or the card brands, and the gaps in your cardholder data environment will go unvalidated. You know you need a QSA, but where should you start?

Let’s begin by defining what you’re looking for when choosing a QSA.

What is a Qualified Security Assessor (QSA)?

A Qualified Security Assessor (QSA) is an individual who has been certified by the PCI Security Standards Council (PCI SSC) to assess and validate an organization's compliance with the PCI DSS. The certification is held at two levels: the QSA company is qualified by the Council, and the QSA employees who perform assessments on its behalf are individually certified and must requalify annually. A security expert who holds the QSA certification is widely regarded as a credible source for reviewing compliance activities.

You can find a genuine QSA to lead you on the path toward PCI compliance through the PCI SSC. The PCI SSC publishes a list of all qualified QSA companies and the certified assessors they employ, and the list also shows whether a company is currently in remediation with the Council, so check a prospective firm's status there before you sign. Choosing a QSA, though, takes more effort than simply searching a list.

Choosing a QSA That’s Right for You

Finding a list of QSAs may be straightforward, but choosing the best QSA for your organization is a more difficult choice. There is more to choosing a QSA than finding a company with the correct certification.

  • The best QSA for your PCI audit must understand your organization, what you do, the technologies you use, and the industry you operate in.
  • To get the most out of your journey to PCI compliance, you want an experienced QSA, not a junior auditor.
  • You need to find a QSA that can meet your needs. Do you need a quick turnaround? Does the company fit your budget? Is it equipped to handle your specific scope? Can it visit your third parties if the assessment requires it?
  • Do you need a gap analysis before going through the audit? The right QSA for your organization is one that provides you with remediation guidance and prepares you for the upcoming audit.
  • Do you need to go through multiple audits? If so, choose a QSA company that can perform those other audits and gap analyses alongside your PCI audit, rather than spreading the work across several firms.

What to Look Out for When Choosing a QSA

You may hear from an auditing firm that it is qualified to complete your PCI audit, but if the firm does not appear on the PCI SSC's QSA list, it is most likely outsourcing the assessment to a QSA company that does.

The last thing you need when working toward PCI compliance is a company that hands the security validation off to a third party. Such firms may even misrepresent their PCI services because they want your business in another auditing or service area, such as SOC 2 or penetration testing.

What’s more, companies will often claim to be a QSA when they only employ PCI Professionals (PCIPs). PCIPs are valuable to the PCI audit process, but the PCIP credential is an individual knowledge qualification; it does not authorize its holder to perform a PCI DSS assessment or sign a RoC. Watch out for this kind of misrepresentation when you’re choosing a QSA.

Choosing KirkpatrickPrice as Your QSA

At KirkpatrickPrice, we pride ourselves on providing a quality QSA experience that gives your organization a streamlined PCI audit experience.

How do we do it?

We partner with you to learn about your organization, your processes, your technologies, and your industry to ensure the scope of your engagement is accurate.

We use our Online Audit Manager to guide you through the audit control objectives, so you can complete all of your audits with the same qualified firm. We work hand-in-hand with your information security team on remediation strategies to make sure that you get the most out of your audit. In addition, many of our audit support professionals, technical writers, and quality assurance personnel hold the PCIP certification and work with your QSA, so you can be confident that you’re receiving an expert PCI audit from start to finish.

Why settle for a company that outsources your PCI audit when you can choose a QSA that works alongside you to perform a quality audit completed by senior-level, expert auditors? Hire a QSA that’s right for you. Contact us today.

More PCI DSS Resources

Beginner’s Guide to PCI Compliance

PCI Demystified

What is a PCI audit?