Qualified Security Assessor
The Payment Card Industry (PCI) Qualified Security Assessor (QSA) designation is conferred by the PCI Security Standards Council on individuals who meet specific information security education requirements, have taken the appropriate training from the PCI Security Standards Council, are employees of an approved Qualified Security Assessor (QSA) company (a PCI security and auditing firm), and will be performing PCI compliance assessments as they relate to the protection of credit card data.
The term QSA can refer either to an individual qualified to perform payment card industry compliance auditing and consulting or to the firm itself.
The primary goal of an individual with the PCI QSA certification is to perform an assessment of a firm that handles credit card data against the high-level control objectives of the PCI Data Security Standard (PCI DSS). There are different levels of auditing and reporting requirements, but the twelve high-level control objectives—and corresponding sub-requirements—of the PCI Data Security Standard are required to be met either directly or through a compensating control. Requirement 3.2 prohibits the storage of track data and does not allow for compensating controls. Compensating controls are not always allowed and must be approved on a case-by-case basis.