
QSA (Qualified Security Assessor)

PCI DSS

PCI SSC-certified individual or firm authorised to perform PCI DSS assessments.

A Qualified Security Assessor is an individual or company qualified by the PCI Security Standards Council to perform PCI DSS on-site assessments. Level 1 merchants and many service providers require a QSA-signed Report on Compliance (RoC).

Why it matters
QSA selection materially affects scope interpretation. A QSA that won't engage on segmentation evidence can double the scope of your CDE.

Related terms

PCI DSS
Card-brand mandated standard for any entity that stores, processes, or transmits cardholder data.
PCI SAQ (Self-Assessment Questionnaire)
PCI DSS self-assessment for merchants meeting eligibility criteria; nine SAQ types (A, A-EP, B, B-IP, C, C-VT, D, P2PE).
CDE (Cardholder Data Environment)
The people, processes, and technology that store, process, or transmit cardholder data — and connected systems.

Does your program actually cover QSA (Qualified Security Assessor)?

Run a free ComplianceIQ audit against PCI DSS and we'll surface every gap on this — and the other controls auditors flag — with the exact clause references to fix.
