How to Choose a Qualified Security Assessor

by Dave Shackleford
Sept. 1, 2017, SANS Institute. Categories: Pen Testing & Audits; auditing & assessment

Since its inception in 2004, the Payment Card Industry Data Security Standard (PCI DSS) has required financial service providers and large merchants to use Qualified Security Assessors (QSAs) to conduct onsite assessments and audits of security and compliance controls. More recently, the PCI DSS standard has expanded to include training guidelines for QSAs and other improvements. However, QSAs—and the services they render—still vary widely. Among assessors, there are vast differences in methodologies, thoroughness, technical skills, and many other areas. In other words, the outcome of an assessment is only as good as the qualified assessor.