What is a Qualified Security Assessor (QSA)?

A Qualified Security Assessor (QSA) is a security professional employed by a QSA company that has been certified by the PCI Security Standards Council (PCI SSC) to perform on-site PCI DSS assessments. QSAs evaluate whether merchants and service providers meet PCI DSS requirements and produce the Report on Compliance (ROC) that documents their findings.

QSA certification requirements

To become a QSA, both the individual and their employing organization must meet PCI SSC requirements:

QSA company requirements:

  • Apply to and be approved by the PCI SSC
  • Maintain appropriate insurance coverage
  • Employ certified QSA individuals
  • Follow PCI SSC quality assurance procedures
  • Undergo annual requalification

Individual QSA requirements:

  • Complete PCI SSC QSA training and pass the certification exam
  • Demonstrate relevant information security experience
  • Maintain the certification through annual requalification and continuing education
  • Adhere to the PCI SSC Code of Professional Responsibility

What QSAs do

During a PCI DSS assessment, a QSA:

  • Defines scope — works with the organization to identify the cardholder data environment and all connected systems
  • Reviews documentation — examines policies, procedures, network diagrams, and data flow diagrams
  • Tests controls — verifies that required security controls are in place and operating effectively through observation, interview, and technical testing
  • Identifies gaps — documents areas where the organization does not meet PCI DSS requirements
  • Produces the ROC — creates the formal Report on Compliance documenting the assessment findings
  • Issues the AOC — provides the Attestation of Compliance confirming the assessment results

When a QSA is required

Not all organizations need a QSA-led assessment. The requirement depends on transaction volume and payment brand rules:

  • Level 1 merchants — typically defined as processing over 6 million transactions annually (thresholds vary by payment brand). These merchants must have an annual on-site assessment by a QSA.
  • Level 1 service providers — service providers that store, process, or transmit large volumes of cardholder data must also undergo QSA assessments.
  • Lower-level merchants — may self-assess using a Self-Assessment Questionnaire (SAQ), though they can optionally engage a QSA for guidance.

Choosing a QSA

Selecting the right QSA affects both the quality and the efficiency of your assessment. Consider:

  • Industry experience — a QSA familiar with your industry understands typical payment flows and common risks
  • Technical depth — the QSA should understand modern architectures including cloud, containers, and microservices
  • Communication — the QSA should clearly explain findings and work collaboratively, not adversarially
  • Availability — confirm the QSA's schedule aligns with your assessment timeline
  • References — ask for references from organizations of similar size and complexity

QSA vs ISA

An Internal Security Assessor (ISA) is an alternative for organizations that want to conduct assessments internally. ISAs complete PCI SSC training similar to QSAs but are employed by the organization being assessed. ISAs can perform assessments for their own organization but cannot assess external entities.

How episki helps

episki organizes your PCI DSS controls and evidence in a format aligned with QSA expectations, reducing the time and friction during assessment fieldwork. The platform provides a secure portal for QSA access to documentation and evidence. Learn more on our PCI DSS compliance page.
