PCI SSC continually seeks to increase the baseline standard of quality within the assessor community; one key indicator (among many) is the quality of resulting PCI Data Security Standard (PCI DSS) assessments. Recently, the notion of lead Qualified Security Assessor (QSA) rotation has been raised as a best practice to help drive quality improvement of assessments. To help ensure that the quality of assessments are of the highest order, PCI SSC encourages organizations to review, implement and explore this practice.

Benefits of QSA Rotation

The concept of rotation is not new in the audit/assessment field. It is the method of changing the assessor (either company or individual) that leads a client’s assessment from year to year to help ensure a fresh viewpoint is brought to the assessment. Rotation also helps reduce the risk of collusion or lower-quality assessments due to any one assessor becoming overly-familiar with a client.

PCI SSC recognizes the benefit of QSA rotation for ensuring higher-quality PCI DSS assessments. For example, each QSA brings different skills and questions to each assessment. A new lead assessor will also bring diverse skills and knowledge or ask different questions. This fresh review may highlight potential issues that could be missed by someone who has completed the PCI DSS assessment several years in a row.

Implementing a QSA Rotation Policy

QSA rotation can benefit QSA Companies with teams of assessors as well as companies with just one assessor assigned to each client.

If a QSA Company has a team of assessors assigned to a single client, periodically rotating the lead assessor may be straightforward. While the team may be familiar with the technology and complexity of that client’s environment – and understands the client’s needs and communication preferences – changing the lead assessor helps provide a fresh view of the environment. Where the QSA Company cannot do this, quality assessment reviews must focus on reuse concerns, such as whether the same objects are being repeatedly sampled each year.

How QSA rotation implementation works, in practice, will look different for each organization based on variables such as the company size, the number of assessors, risk appetite and current quality assessment processes.

Send us Your Feedback

If you have ideas for improving the quality of PCI DSS assessments, please send them to the QSA Program Manager at qsa@pcisecuritystandards.org.