What is a QSA? Qualified Security Assessor Explained


A QSA is a Qualified Security Assessor certified by the PCI Council to conduct PCI DSS assessments. Learn what QSAs do and when you need one.

What QSAs Do

Conduct Formal PCI DSS Assessments

The defining activity of a QSA is conducting formal PCI DSS assessments of merchants and service providers — reviewing scope, evaluating controls against the requirements of the standard, and producing the formal documentation that attests to the organization's compliance posture. The assessment can result in a Report on Compliance (RoC), which is the formal attestation required of Level 1 merchants and large service providers, or, for lower-tier organizations, in a QSA-attested Self-Assessment Questionnaire (SAQ).

Independent Validation of Compliance Posture

QSAs serve as independent validators between the organization being assessed and the payment ecosystem that requires compliance attestation — card brands, acquirers, and ultimately the consumers whose data the standard protects. The independence is structural: QSAs cannot assess organizations with which they have a conflict of interest, including organizations to which they have provided remediation consulting in the immediately preceding period. This discipline preserves the assessment's value as a credible third-party attestation.

Produce Documentation Acceptable to Acquirers and Card Brands

The output of a QSA assessment is documentation that the assessed organization submits to its acquiring banks and, in some cases, directly to card brands. Acquirers and card brands rely on QSA-produced documentation as the basis for their compliance status determinations of the organization. Without QSA validation, larger merchants cannot maintain their card-processing privileges.

When You Need a QSA

Level 1 Merchants and Service Providers

Level 1 merchants — typically defined as those processing more than 6 million transactions per card brand per year — and Level 1 service providers are required to engage a QSA for an annual Report on Compliance. The RoC is the formal compliance documentation that the acquirer receives.

Level 2 Merchants in Some Cases

Level 2 merchants (1-6 million transactions per year) are typically permitted to complete a Self-Assessment Questionnaire instead of engaging a QSA. Some card brands and acquirers, however, require QSA engagement for Level 2 merchants in specific circumstances — typically following a security incident or as a condition of continued processing privileges.

Smaller Merchants on Discretionary Engagement

Smaller merchants (Level 3 and Level 4) typically complete SAQs without QSA involvement. Some smaller merchants engage QSAs voluntarily — to validate their SAQ scoping decisions, prepare for prospective scope expansion, or provide independent attestation to enterprise customers who require it. This is a discretionary decision driven by the customer-facing or risk-management value of the formal attestation.

Following a Card-Data Incident

Organizations that experience card-data security incidents — confirmed breaches, suspected exposures, or significant control failures — typically engage QSAs as part of the post-incident response. The QSA's role is to validate that remediation has restored compliance posture before the organization resumes normal processing privileges.

How to Select a QSA

The PCI SSC Public List

The PCI Security Standards Council maintains a public list of currently certified QSA companies, searchable by geography and specialization. This is the authoritative source: companies not on the list cannot legitimately produce QSA-attested documentation, and any organization claiming QSA capability without active SSC certification is misrepresenting its credentials.

Specialization and Industry Experience

QSA firms vary significantly in their depth of experience by industry, environment type, and merchant size. A QSA firm whose primary experience is large enterprise retail may approach a SaaS service provider's assessment differently than a SaaS-experienced firm would. The selection criterion is not just current certification but demonstrated experience with similar organizations.

Engagement Scope and Pricing

QSA engagement pricing varies based on environment complexity, scope size, and engagement type. A typical RoC engagement for a mid-market organization runs $50,000-$250,000+, with material variation based on the specific environment. The engagement includes scope review, control assessment, evidence collection, documentation production, and final attestation.

Frequently Asked Questions

Can a QSA also provide remediation consulting?
Generally not for the same engagement. The PCI SSC's independence requirements typically prevent QSAs from both consulting on remediation and assessing compliance for the same organization in the same period. Some firms structure their engagements so that one team provides remediation consulting while a separate team performs the assessment, with appropriate independence safeguards. Many organizations engage one firm for consulting and remediation and a separate firm for the QSA assessment.

How long does a QSA assessment take?
For a mid-market organization with mature documentation, a typical RoC assessment runs 4-8 weeks of fieldwork plus 2-4 weeks of report production. Organizations with documentation gaps or significant remediation requirements run materially longer.

What happens if the QSA assessment identifies non-compliance?
The QSA documents the finding in the RoC. The organization either remediates the finding (if the timeline permits) or accepts the finding in the RoC, which then goes to the acquirer with a remediation plan. Acquirers may impose additional restrictions, including loss of processing privileges for material findings.

Can I switch QSAs between assessment cycles?
Yes. Organizations frequently rotate QSAs every several years, both to refresh perspective and to satisfy any internal governance requirements about auditor rotation. The new QSA reviews prior assessments and current state independently.

Real-World Example: When QSA Independence Matters

Following the 2013 Target breach, regulatory and ecosystem scrutiny of QSA engagement practices increased substantially. Investigations into the breach surfaced questions about whether the QSA who had assessed Target's pre-breach compliance posture had identified the controls weaknesses that the breach exploited. The PCI SSC subsequently strengthened both the certification requirements for QSA firms and the quality assurance review of QSA assessments.

The structural lesson is that QSA independence and quality matter to the validity of the entire PCI compliance ecosystem. An organization selecting a QSA based purely on price, with insufficient attention to specialization fit and quality reputation, is purchasing a less-credible attestation that may not survive scrutiny when an incident occurs. The full breach analysis walks through the assessor-related findings that drove the standard's evolution.

330+: Approximate number of currently certified QSA companies worldwide as of 2025, with several thousand individual QSA-certified practitioners. The certification is administered by the PCI Security Standards Council, which maintains a public list of certified firms and individuals.

How Cloudskope Can Help

Cloudskope partners with leading QSA firms to deliver complete PCI DSS engagements — from initial scoping and gap analysis through QSA-led RoC assessment and post-assessment remediation support. For organizations preparing for first-time QSA engagement, we provide pre-assessment readiness consulting that significantly reduces the cost and duration of the formal QSA engagement.