As a qualified security assessor (QSA) certified by the PCI Security Standards Council, I have performed a large number of PCI assessments of all shapes and sizes in my career. This includes report of compliance (RoC) assessments, self-assessment questionnaire (SAQ) validations, gap analyses, and other consulting-related PCI services for a variety of retail establishments, service organizations, public utilities, healthcare organizations, and service providers. Any entity that stores, processes, or transmits credit card data is expected to comply with the PCI Data Security Standards (DSS), and may be required to complete a RoC or SAQ as evidence of their compliance posture. PCI Data Security Standards (DSS) version 3.2.1 is the current assessment standard, and it cites more than 350 security controls and provides the framework for lower-level assessments (such as SAQs). How credit card processing is done by a merchant or service organization can vary significantly and can cause confusion as to which PCI DSS controls are applicable. Further, there is often confusion about whether or not the controls that an organization has implemented are sufficient to meet the intent of the PCI DSS. These are some of the reasons why I often recommend to my clients that someone within their organization earn the internal security assessor (ISA) certification from the PCI Security Standards Council.
For organizations trying to attain and demonstrate compliance with PCI requirements, having an internal security assessor can reduce the risk of being out of compliance and help them secure their PCI environment. Whether your organization is completing an SAQ to meet its PCI compliance reporting obligation, or employing the services of a QSA company, an ISA can help interpret the PCI requirements internally or serve as a key liaison for the company as the QSA performs an external assessment.