PCI Compliance Information from a PCI QSA

PCI DSS FAQS

Frequently Asked Questions about the Payment Card Industry Data Security Standards (PCI DSS)


Are you thinking of becoming a Qualified Security Assessor (QSA), new to the PCI DSS space, or are a merchant looking for some answers?  Here are FAQs related to the payment card industry data security standards, or more commonly referred to as PCI DSS.  The PCI Council’s website  has a lot of great information as well, but it can be overwhelming.  I’ve tried to keep my information simple and to the point.

  1. What is a Qualified Security Assessor (QSA)?
  2. If I leave my firm am I still a QSA?
  3. How do I become a QSA and start doing assessments?
  4. I’m a QSA and have a questions on one of the requirements, who I can I get answers from?
  5. Do I have to hire a QSA to say I’m PCI Compliant?
  6. I’m a merchant who accepts credit cards, no one has ever asked me to prove I’m compliant, do I have to do anything?
  7. What does PCI Stand for?
  8. Can I get a PCI Certification?

PCI DSS FAQ Answers
  • QSA is the designation given to employees of a company/consulting firm that are authorized by the PCI Council to attest that merchants and service providers are PCI compliant.  (You have to have gone though training and pass a test provided by the PCI Council)
  • If you leave your firm you cannot continue to preform PCI Assessment on your own.  A QSA is only a QSA when they work for a QSA Firm.  This is because there are other rules the PCI council has in place on QSAs that go beyond the skills of the assessor (e.g., liability insurance, policies and procedures, QA process)

  • To become a QSA you need to get hired by a QSA firm that already does PCI Assessments, you can find a list here.

  • Ask your question here!  This is the best place to get real honest information from a seasoned QSA.  However, this is not “official advise” the PCI Council or your bank/acquirer can give you authoritative information to a specific question.

  • No, you don’t.  The card brands (Visa/MasterCard/Amex/Discover) have various levels of reporting for merchants and service providers based mainly on credit card volume.  But ultimately you should ask your acquiring bank what they want to see.

  • Yes, all merchants and service providers who accept or process credits cards have to be compliant.  In fact, you should have been compliant years ago.

  • PCI Stands for Payment Card Industry, it is the shorted acronym of PCI DSS (Data Security Standard) which is the industry standard that all merchants and service providers that take or process credit and debit cards must comply with.  There are many industry requirements that must be followed in order to protect customers credit card information.
  • PCI Certification –  PCI Certification is a term most used by merchants and service providers to claim they are meeting the PCI DSS requirements.  A merchant or service provider only officially states their compliance for a point in time, there is no assurance that their compliance is valid the rest of the year.

PCI DSS FAQS PCI DSS FAQS Reviewed by Stewart Fey on 11:00:00 AM Rating: 5