QSA Assessment
A Qualified Security Assessor (QSA) is certified by the Payment Card Industry Security Standards Council (PCI SSC) to evaluate and assess organizations for compliance with the Payment Card Industry Data Security Standard (PCI DSS) – a set of standards designed to ensure that organizations that accept, process, store, or transmit credit card information maintain a secure environment. They deliver this essential data security service by conducting a QSA Assessment.
QSA Assessments
During a QSA assessment, a certified assessor reviews the organization's policies, procedures, and documentation and tests its systems for vulnerabilities to ensure that it meets PCI DSS requirements. They also interview employees to verify that the necessary controls are being implemented.
Typical vulnerabilities, risks, and threats within a payment system that QSA assessments identify, analyze, and flag as needing remediation include:
Script behaviors: Analyzes scripts and code running in the environment for potential security flaws, such as poor input validation and a lack of proper logging or monitoring.
Overlooked threats: Evaluates insecure entry points like physical access to servers, weak employee login credentials, social engineering vulnerabilities, or insecure practices in the Software Development Life Cycle (such as lack of a proper code review).
Increased risks: Assesses the security implications of new systems, technologies, and configurations that increase the cyber-attack surface.
The QSA compiles a detailed report outlining their findings during the assessment, including any compliance gaps, and provides recommendations for improving the organization’s data security posture. The QSA and the organization then sign a formal declaration to confirm that they have achieved PCI DSS compliance.
PCI DSS requirements 6.4.3 and 11.6.1
The most recent edition of PCI DSS, version 4.0.1, includes two notable new requirements: 6.4.3 and 11.6.1.
Requirement 6.4.3 focuses on security controls in the software development lifecycle to ensure that changes to critical systems do not inadvertently introduce vulnerabilities. To comply, organizations must build automated security tools and processes into the development of payment pages, such as static application security testing (SAST) and dynamic application security testing (DAST), maintain an inventory of scripts, and implement a process to authorize the scripts that are allowed to execute on payment pages.
Requirement 11.6.1 introduces continuous monitoring tools and processes to address website tampering and script-based attacks, such as skimming and injection, that compromise customer payment data. This focus on protecting payment page scripts against unauthorized modification is particularly relevant given the rise of JavaScript-based attacks.
A QSA assessment validates compliance with these requirements. This strengthens payment page security for organizations that process online payments by ensuring robust change management and unauthorized change detection processes. Collectively, these practices reduce risks and build trust with customers and partners by demonstrating the integrity and security of their payment process.
Why is a QSA Assessment Important?
As internet-based operations continue to expand and evolve, online transactions have become more than just a convenience; they are necessary for organizations.
QSA assessments are essential in this digital business environment as they help identify and mitigate potential risks associated with managing vast amounts of payment card information daily – and the benefits are compelling:
Achieve PCI DSS compliance: By achieving and maintaining PCI DSS compliance, organizations protect sensitive customer data, reduce risk, and build trust in a competitive and security-conscious marketplace.
Avoid penalties: Non-compliance can result in regulatory fines that vary in value depending on the severity and duration of the violation.
Avoid loss of merchant account: Organizations found to be non-compliant might have their merchant account terminated by their acquiring bank or payment processor, effectively revoking their ability to process online payments.
Improve security posture: Identifies gaps and vulnerabilities in payment systems, strengthening an organization’s cybersecurity perimeter against data breaches.
Improve operational efficiency: PCI DSS best practices promote more streamlined and efficient IT operations, providing organizations with a competitive advantage.
What organizations are required to have a QSA Assessment?
The need for a QSA assessment depends on an organization’s merchant level. This is determined by several factors, including the volume and type of payment card transactions they process annually.
Level 1 merchants are required to have a QSA assessment. These are typically large organizations that process over 6 million card transactions annually (across all channels) or merchants identified as high-risk by card brands.
Level 2, 3, and 4 merchants are smaller organizations that may require a QSA assessment if:
They have experienced a data breach.
They are mandated by a payment brand or acquiring bank.
They lack the resources to validate compliance independently.
Other organizations involved in the payment card transaction process that may require a QSA assessment are:
Level 1 service providers: Organizations that process over 300,000 transactions annually on behalf of merchants or other entities.
Third-party vendors: Organizations, such as software vendors and cloud providers, that provide services involving payment card data for other organizations.
Organizations mandated by payment brands: Companies like Visa, Mastercard, and American Express may impose QSA assessments as part of their risk management practices or compliance programs.
Once they have confirmed they need an assessment, these organizations must select a qualified QSA and prepare for it. Once completed, they must review the findings, implement any suggested remediations, and ensure ongoing improvement to achieve compliance.
How Jscrambler can help you
Gain visibility and control of all code running on the client side.