A QSA is a qualified security assessor that performs an external audit to determine whether an organization’s policies and procedures, configurations of networks and applications, and general security controls meet PCI DSS requirements. They will then provide a documented list of findings and allow the organization to potentially resolve any vulnerabilities or missing controls in order to receive a Report on Compliance (RoC).

Do I need a QSA for PCI?

Level 1 merchant and service providers need a QSA to complete a PCI RoC. Level 2, 3, and 4 organizations can conduct a PCI SAQ internally, but may have a QSA review it to determine their compliance status with PCI.

How do I become PCI QSA certified?

Becoming PCI QSA certified is a four step-process. You must apply for qualification first and provide documentation adhering to the Qualification Requirements for Qualified Security Assessors (QSA) v. 4.1. Individuals must then complete the PCI Security Standards Council's two-part training program as well as testing to qualify to perform the assessments. And finally, you must execute an agreement with the PCI SSC governing performance.

What is the difference between a QSA and a PCI ISA?

A Qualified Security Assessor (QSA) and Internal Security Assessor (ISA) can both perform PCI audits and produce an RoC. The key difference is that ISAs can only be assessors at the organization where they are employed.

Secureframe: Build trust. Unlock growth.

Ready to prove compliance with a Report on Compliance (RoC)? Check out this list of trusted Qualified Security Assessors (QSAs) that can complete an RoC to verify your organization's PCI DSS compliance.

360 Advanced

The 360 Advanced team provides a variety of PCI DSS compliance services, including audits as well as readiness assessments, remediation, and consulting and reporting.

Learn more

Aprio

Aprio’s QSAs use a proprietary streamlined approach to PCI DSS compliance that reduces the complexity, time, and stress associated with creating an RoC.

Learn more

GRSee Consulting

GRSee’s team includes experts that can help you throughout the PCI DSS process, from gap analysis to PCI DSS certification, as well as certified QSAs who can conduct the audit.

Learn more

Insight Assurance

Insight Assurance provides a tailored approach to PCI DSS assessments so you can meet compliance requirements and have peace of mind.

Learn more

Moss Adams

Moss Adams can provide you with everything you need to get PCI certified, including an RoC, vulnerability scan, and pen test.

Learn more

Prescient Assurance

Prescient Assurance’s experienced QSAs can deliver a full RoC or facilitate a self-assessment questionnaire. This firm also offers vulnerability scanning and penetration testing services to help you get and stay compliant.

Learn more