To cut to the chase, the answer is Yes. Triaxiom Security is a QSA company and has multiple QSA employees on staff. According to the PCI Security Standards Council, “Qualified Security Assessor (QSA) companies are independent security organizations that have been qualified by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS. QSA Employees are individuals who are employed by a QSA Company and have satisfied and continue to satisfy all QSA Requirements.”
Why Does Being a QSA Matter?
Being a QSA-designated company is extremely important when completing PCI-related assessments. Only a certified QSA can perform Level 1 Onsite Assessments that result in a full Report on Compliance (RoC) to validate a company’s compliance with the PCI DSS. Even if you don’t need this level of validation to show PCI compliance for your acquirer, it can be beneficial to have a QSA assist your organization when filling out an SAQ. Having someone who knows what PCI is looking for and can help you translate the requirements into an easily digested format can make sure you aren’t responding incorrectly and potentially leaving yourself open to liability issues.
Benefits of using a Penetration Testing Firm as a QSA
At Triaxiom Security, our engineers specialize in penetration testing as well as strategic security audits. We have found that engineers who perform both penetration tests and security audits can draw on their wealth of technical expertise to conduct more thorough audits. Additionally, our engineers have real-world experience with the true risks associated with particular audit findings, so they can easily draw parallels to help describe, mitigate, and resolve certain deficiencies uncovered during an audit. This allows them to shed some light on the intent of PCI’s requirements and help you understand both the compliance and security implications of insufficient security controls. Finally, our engineers take a consultative approach to performing an audit. What we mean by that is that we’re not just going to take a check-the-box approach to a PCI assessment. Rather, we’ll work with your internal team to help guide you through the requirements, figuring out the best way to meet requirements with your current business processes, helping you develop a realistic roadmap to meet any requirements you are currently delinquent on, and explaining the reasoning behind our determinations during an assessment every step of the way.
At Triaxiom, we pride ourselves on being up to date on the latest information security landscape from both a penetration testing and auditing lens. We always want to make our clients comfortable and work towards improving their security in a manageable and common-sense way, no matter what type of assessment we’re performing. We would be happy to help your firm with penetration testing, QSA assessments, or both. Please let us know how we can help!