Selecting the right QSA is one of the most consequential decisions in a PCI DSS compliance program. The wrong QSA — underprepared assessors, firms that rush through assessments, or firms unfamiliar with your industry or technology stack — can result in a failed assessment, wasted remediation effort, or worse, a compliance report that does not accurately reflect your security posture.
What Makes Someone a QSA
A Qualified Security Assessor (QSA) is an individual who has been certified by the PCI SSC to perform PCI DSS assessments. QSAs work for QSA Companies — organizations that have been approved by the PCI SSC. Individual QSAs must: pass PCI SSC training and examination, maintain their qualification through annual re-qualification, work for a PCI SSC-approved QSA Company, and meet the PCI SSC's independence requirements.
| KEY IDEA | The QSA Company — not just the individual assessor — holds the approval from the PCI SSC. When you engage a QSA firm, verify that the firm is on the PCI SSC's list of QSA Companies (available at pcisecuritystandards.org). Firms that claim to provide "PCI DSS assessments" without being listed as a QSA Company cannot issue a valid ROC or AoC. |
QSA Evaluation Criteria
| Evaluation Criterion | What to Look For | How to Verify |
|---|---|---|
| PCI SSC approval | Listed as approved QSA Company on pcisecuritystandards.org | Check the PCI SSC QSA listing directly |
| Industry experience | Prior assessments in your industry (payment, fintech, banking) | Request client references and case studies |
| Technology stack fit | Experience with your specific tech (cloud, containers, microservices) | Ask about specific cloud PCI DSS experience — AWS, GCP, Azure |
| Team depth | Multiple certified QSAs; backup assessor if primary is unavailable | Ask about team size and continuity plan |
| Report quality | Sample reports showing clear finding descriptions, evidence citations | Request redacted sample ROC or SAQ report |
| Communication style | Responsive, clear, willing to explain findings before finalizing | Reference check with prior clients |
| Fee structure | Transparent pricing; no incentive to find or not find findings | Detailed proposal with scope, hours, deliverables |
| Indonesian presence | Local presence or deep experience with Indonesian regulatory context | Ask about BI/OJK regulatory alignment experience |
The Assessment Engagement Structure
Scoping and Statement of Work
The engagement begins with a scoping discussion where the QSA Company reviews your CDE description, proposed scope, network diagrams, and data flow diagrams. This produces a Statement of Work defining: the assessment scope, the sampling methodology the QSA will use, the timeline, the deliverables (draft ROC/SAQ for review, final ROC/SAQ, AoC), and the responsibilities of each party.
Evidence Submission
Before fieldwork begins, the QSA will request a pre-assessment evidence package — policies, procedures, network diagrams, system inventory, access lists, scan reports, penetration test reports, training records, and vendor AoCs. Organize this evidence package carefully — a well-organized submission reduces fieldwork time and demonstrates organizational maturity.
Fieldwork Phase
Fieldwork typically takes 5–15 days depending on organization size and CDE complexity. During fieldwork, QSA activities include: interviewing key personnel (system administrators, security team, management), observing controls in operation (watching an access provisioning workflow, observing a physical access control), reviewing system configurations (firewall rules, system hardening), sampling evidence (pulling records to verify controls operated during the assessment period), and testing technical controls (reviewing log samples, testing NSC rules, where NSC means network security controls in PCI DSS terminology).
Working Effectively with Your QSA
Assign an Assessment Coordinator
Designate an internal person as the QSA coordinator — the single point of contact for all QSA requests. This person manages the evidence request queue, schedules interviews, and ensures QSA questions are answered promptly. Without a coordinator, evidence requests fall through the cracks and fieldwork drags.
Be Responsive to Evidence Requests
QSAs issue evidence requests during fieldwork — typically a running list of documents, configurations, and records they need. Responding within 24–48 hours to evidence requests is essential for keeping the assessment on schedule.
| IMPORTANT | The QSA draft report is your opportunity to catch errors before the report is finalized. Review every finding in the draft ROC carefully — check that findings accurately describe the gap, that any remediated items are reflected correctly, and that evidence you provided is properly cited. QSAs are human: factual errors in draft reports are not uncommon, and the draft review process exists to correct them. |
Managing Findings During the Assessment
When a QSA identifies a potential finding, you typically have options: provide additional evidence that demonstrates the control is operating, document a compensating control, or accept the finding and plan remediation. Findings identified during fieldwork that are remediable quickly (patching, policy updates) can sometimes be remediated and re-tested during the assessment window.
| Indonesian organizations often feel anxiety about QSA findings — treating them as adversarial. The best QSA relationships are collaborative: the QSA's job is to accurately assess your controls, not to find failures. When a finding is identified, work with the QSA to understand the exact gap, provide any additional evidence, and — where a control is genuinely absent — accept the finding and plan remediation. Transparency and responsiveness are what make assessments efficient. |