Dispelling the QSA Myth

Article Cybersecurity
QSA Myth


I’m sure you’ve heard that working with a Payment Card Industry (PCI) Qualified Security Assessor (QSA) will only lead to adversarial relationships and answers without clarity, such as “it depends.” However, I’m here to dispel those myths and overcome this stereotype.

First, let’s start with the credential itself. To become and remain credentialed as a QSA, some of the minimum requirements the individual must meet include:

  • Be employed at a QSA Company (QSAC),
  • Hold specific, industry-recognized certifications in both the information security and audit disciplines,
  • Take and pass the QSA qualification exams for the initial credential and annually take and pass the QSA requalification exam for retaining the credential, and
  • Maintain all credentials (QSA, audit and security certs, etc.) by completing on-going training and receiving continuing professional education units (CPEs) directly related to the security and audit disciplines, typically requiring a minimum of 120 CPEs in a three-year period.

Next, let’s talk about experience. QSAs must possess at least one year of experience in each of the following information security and audit disciplines:

  • Application security
  • Information systems security
  • Network security
  • IT security auditing
  • Information security risk assessment or risk management

Every QSA is knowledgeable with the payment brand specific security requirements as well as testing procedures, validation requirements, and reporting requirements for the PCI DSS.

When you combine those traits together, what you get is an individual who is knowledgeable, capable, and experienced. But, beyond that, QSAs are neutral to any solution and will help you not only achieve and maintain compliance with the PCI DSS, but also to maximize value helping you make the best decisions with regard to your business requirements and budgets. QSAs are able translate obtusely worded PCI DSS requirements in to clear and understandable business terms to give you the knowledge to understand the impact each control has on your operations.

So, why should you work with a QSAC and a QSA? …and more specifically, why should you work with CampusGuard?

CampusGuard partners with you to help you achieve your compliance and security goals. The dedicated team that supports you includes the aforementioned QSA employee and also a Payment Card Industry Professional (PCIP)-credentialed relationship manager. This team, that works hand-in-glove with your teams, understand the business operations, technology, and most importantly, the culture of your organization to make sure recommendations and solutions are tailored to your organization and not a generic, broad-stroked application of guidance.

Risky Business
I’ll start my last paragraph with the famous quip of my favorite TV detective, Columbo. “Just one more thing…” Who is your PCI Partner? If your answer is not CampusGuard, a QSA company focused solely on campus-based customers just like you, how do you know you’re getting the best advice and guidance available to you?


About the Author
Ed Ko

Edward Ko


Director, Information Security Services

Ed has over 20 years of experience in providing information security and compliance services within campus-based environments. Prior to CampusGuard, Ed was an information technology and security analyst for The Pennsylvania State University. As a co-founder of CampusGuard, he has personally conducted and delivered hundreds of assessments, which have helped him ably lead our highly qualified and deeply experienced team of security professionals. Ed is well-respected in the information technology arena, possessing a well-rounded understanding of information technology and the issues it can resolve, all while maintaining a keen awareness of the unique challenges that are often associated with complex environments.