Wednesday, September 21, 2011

Self-Assess Like a QSA?

Just about everyone reading this self-assesses their institution's PCI compliance using one or a set of Self-Assessment Questionnaires (SAQs). This is the PCI Council's -- and the card brands' -- own version of the honor system.

But the very largest Level 1 merchants don't get to use the honor system. Instead they must get an outside assessment, either by a Qualified Security Assessor (QSA, like me) or a member of their own staff who attended training and qualified as an Internal Security Assessor (ISA).

The QSA prepares a Report on Compliance (ROC, pronounced "rock"). This covers all of PCI. Moreover, the QSA needs to see multiple pieces of evidence before she/he can mark a requirement as "in place." The Council has released its updated guidance on just what the QSA does. It could make informative reading. It is now available for everyone to see.

Click here to download a copy of the ROC Reporting Instructions, then see how your own internal self-assessment measures up.


  1. Good morning,

    I have a question.
    Would you please tell me if the QSA just verifies the documentation, configuration and so on, or also does some tests like penetration tests to verify that what the documentation says is true? For example, in requirement 10.2.2, does the QSA try to log in with root privilege to verify that it is logged?


  2. Good Question. In the case where the QSA is doing an assessment, they need to verify that what is documented actually exists. That can be by examining configurations, interviewing staff, and observing administrator actions and results. When you complete your SAQ, the idea is that you might want to use the same guidelines for what counts as "in place." It is a higher standard than many schools might be using today, but it will give you more peace of mind re your security and actual compliance.

  3. So, all the QSA has to do is review the documentation/configuration and interview staff to make sure it was done.
    But is it enough? In requirement 11, for example, does the QSA just have to review the results of the scans? Are there no penetration tests?


  4. While it will depend on the QSA, I would imagine they would use the same QSA standard (as in a ROC) for evidence of compliance. If a pen test is required, the QSA would review the credentials of the tester as well as the findings and remediation. Same for all the requirements. My points are (1) that the QSA is likely to require a higher standard of proof of compliance than internal staff (business and IT) might require, and (2) shouldn't you use the same standard?

    Great comments. Thanks.