Understanding the Benefits of a Qualified Security Assessor
- What is a QSA?
QSA stands for Qualified Security Assessor. It is a certification obtained by experienced security consultants that enables them to conduct the On-Site Data Security Assessment for PCI DSS compliance. QSAs are required to recertify every year by attending PCI training and passing the exam. A recertifying QSA must also obtain additional CPEs from training and other experiences in order to maintain certification. Some QSAs also hold other certifications. The LBMC team has a tremendous level of compliance experience focusing on FISMA, SOX, HIPAA, ISO 27001 and PCI.
- What types of services do QSAs provide merchants?
QSAs provide On-Site Data Security Assessments (PCI "audits"), gap analysis, remediation services, and general PCI consulting and advice. Depending on the size of the company and the number of distinct credit card processes, most engagements last 2 - 6 months.
- Are merchants required to work with a QSA to become PCI Compliant?
Level 1 Merchants and Level 1-2 Service Providers are required to have a QSA conduct their annual On-Site Data Security Assessment. The Level 1-2 qualifier is having more than 6 million transactions. There is one caveat: an internal audit group can perform the On-Site Assessment, but the results must be signed off by an Officer of the company. Level 2-4 Merchants and Level 3 Service Providers are not required to have QSA audits and may use the PCI Self-Assessment Questionnaire to self-certify.
- What are the pros and cons of 'doing it yourself' versus hiring a QSA?
There are pros and cons, but I dare say the pros are worth it. QSAs provide third-party validation, which proves 'due diligence'. The cons are the costs – not necessarily more money, but potentially greater costs for the organization when considering the resources needed and the diversion from other profit-generating projects. Another con to consider is that it can be difficult to get up to speed on all PCI requirements, which leaves merchants an unfortunate opportunity to miss key areas or controls. In the long run, it may be far more economical to hire a QSA.
About the PCI Data Security Standard
The PCI Data Security Standard is a set of comprehensive requirements for enhancing payment account data security to help facilitate the broad adoption of consistent data security measures on a global basis. For more information on the PCI DSS, please visit: www.pcisecuritystandards.org.
About the PCI Security Standards Council
The mission of the PCI Security Standards Council is to enhance payment account security by fostering broad adoption of PCI security standards. For more information on the PCI Security Standards Council, please visit: www.pcisecuritystandards.org.
For more information on LBMC Risk Services and PCI Qualified Security Assessors contact:
Thomas Lewis, Partner
LBMC Risk Services
tlewis@lbmc.com
615-309-2296
LBMC has pioneered an integrated compliance approach that lets our clients comply with multiple requirements without unneeded redundant controls and testing efforts. LBMC’s approach is based upon sound risk management principles, ensuring that controls are practical and cost-effective. LBMC’s consultants are trained to be highly skilled at identifying compensating controls that can be used for compliance, which separates us from many of our competitors.