QSA organisations and individual assessors usually complete the final phase of a PCI DSS compliance program – that is, a final audit. Whilst Security Centric is a QSA organisation, only a small proportion of engagements are to perform the final compliance audit.
The real value of being a QSA organisation is Security Centric’s involvement in assisting organisations in becoming compliant whilst avoiding disruption to day-to-day operations and minimising cost of compliance. By becoming part of the QSA program, Security Centric is able to assist organisations that are going through the compliance process by providing guidance for a remediation approach that is certain to pass QSA audit.
The QSA audit is often an all care, no responsibility approach. It is easy to specify what needs to be done to be compliant, but the real pain is felt by the organisation – through reduced business efficiency and/or cost of remediation and compliance programs.
In 2014, Security Centric joined the QSA program in order to provide decisive guidance and options that satisfy compliance requirements without having to significantly re-engineer infrastructure or compromise business workflows. PCI DSS may become a compliance responsibility, but the organisation still needs to be able to function in a manner that is commercially viable.
The Payment Card Industry Data Security Standard (PCI DSS) is used, and often mandated, by the major credit card brands to protect credit card details stored by merchants and similar organisations. The Payment Card Industry runs a program where organisations and appropriately trained staff are certified as Qualified Security Assessors (QSAs).
There are currently 21 Australian QSA organisations.