A QSA audit (assessment by a Qualified Security Assessor) is the final stage of checking an organization for compliance with the PCI DSS standard. It is carried out by employees of a company that holds QSA certification from the PCI Security Standards Council.
An on-site QSA assessment is mandatory only for the largest participants in the card-payment ecosystem: Level 1 merchants and Level 1 service providers such as acquiring and issuing banks, payment gateways and data centers that store, process or transmit cardholder data. The level is set by the card brands based on transaction volume; for example, Visa treats a service provider handling 300,000 or more transactions per year as Level 1. Smaller organizations may instead complete a Self-Assessment Questionnaire (SAQ). A further prerequisite is regular (at least quarterly) external vulnerability scanning by an Approved Scanning Vendor (ASV), with passing scan reports available to the assessor.
The audit covers only the part of the enterprise infrastructure that is in scope for PCI DSS, that is, the cardholder data environment (CDE) and any systems connected to it or able to affect its security. The customer is therefore advised to segment this part of the network from the rest of the infrastructure in advance: correctly implemented segmentation reduces the scope of the assessment, and the assessor will verify that the segmentation is effective.
PCI DSS compliance
Audit requirements
During the assessment, more than 250 individual requirements are checked. They are grouped under 12 high-level requirements, which in turn fall into 6 control objectives:
- Building and maintaining a secure network and systems (firewall configuration, no vendor-supplied default passwords or settings).
- Protecting stored cardholder data and encrypting its transmission across open, public networks.
- Maintaining a vulnerability management program: protecting systems against malware and developing and maintaining secure systems and applications.
- Implementing strong access control measures: restricting access to cardholder data on a need-to-know basis, identifying and authenticating every user, and restricting physical access.
- Regularly monitoring and testing networks: logging and tracking all access to network resources and cardholder data, and regularly testing security systems and processes.
- Maintaining an information security policy that addresses the requirements of the current version of the PCI DSS standard.
QSA audit results
The assessor checks the organization for compliance with the requirements of the PCI DSS standard, collecting evidence (interviews, configuration reviews, observation of processes and sampling of systems) and documentary confirmation for each requirement. Based on the findings, the client is provided with a Report on Compliance (ROC).
If the assessment is completed successfully, the client receives the signed Report on Compliance (ROC) and an Attestation of Compliance (AOC). They are valid for one year from the date of completion of the audit, after which the assessment must be repeated. The AOC is then submitted to the international payment systems (Visa, Mastercard) or to the acquiring bank. The assessor retains the working papers and results of the QSA assessment for 3 years.