PCI QSA Onsite Assessment Methodology

In this blog, we’ll outline our methodology for conducting PCI QSA Onsite Assessments, also known as a Level 1 Assessment or PCI RoC Assessment. A PCI QSA onsite assessment verifies and validates an organization’s compliance with the Payment Card Industry (PCI) Data Security Standard (DSS). This assessment produces a full Report on Compliance (RoC) and the accompanying Attestation of Compliance (AoC). Per the PCI Security Standards Council (PCI SSC), this assessment must be conducted by a Qualified Security Assessor (QSA) employed by a PCI SSC-qualified QSA company. Additionally, while most of the assessment can be completed remotely, the QSA must travel on-site for a portion of the assessment to validate the controls in place. We’re going to outline the standards and processes that Triaxiom Security’s QSAs will follow when completing this type of assessment.

Standards

Minimum Qualifications

The lead QSA for any PCI QSA onsite assessment shall at a minimum meet the following:

  • Have a minimum of 5 years of experience in Information Security.
  • Be a certified PCI QSA in good standing with the PCI SSC.
  • Have completed all internal shadowing and training requirements.

Process

Our PCI QSA onsite assessment methodology can be broken into 3 primary stages, each with several steps.

Planning

1. Project Initiation Meeting – Rules of Engagement

The first part of the process will involve a brief meeting between the Triaxiom team and the client to review and acknowledge the rules of engagement, confirm the projected assessment timeline, document any limitations or restrictions on the assessment, and answer any questions related to the project.

2. Scope Validation and Assessment Planning

After initiating the project, a follow-up meeting between the lead QSA conducting the assessment and the client will be scheduled. During this meeting, the assessment team will need to confirm and validate scoping information for the target environment. This consists of reviewing the overall business, payment card-related processes and flows, operating locations, network diagrams, asset inventories, etc. All of this background information will influence the specifics of the sampling approach used (which locations, systems, and personnel are selected for validation), the project schedule, travel plans, interview sessions, and the time required onsite. A request for documentation will also be provided to the client as part of this process to gather what will be needed to start the next phase.

Execution

1. Documentation/Configuration Review

Once the assessment has officially begun, a start notification will be sent to the client. The first phase will involve reviewing as much of the client organization’s documentation as possible prior to arriving onsite. This documentation will drive interview questions and validation efforts, so it is critical to get this prior to the onsite portion of the assessment. The lead QSA will also review any network device configuration files (for example, firewall and router rule sets relevant to PCI DSS Requirement 1) that were provided with the documentation request.

2. Onsite Interviews and Control Validation

This portion of a PCI QSA assessment must be conducted onsite per the PCI SSC. The Triaxiom assessment team will visit each of the in-scope locations, or a sample of them chosen by the QSA, to validate the presence of all required security controls. The assessment will evaluate the entire scope of PCI processes within the organization and will include interviews with the relevant internal teams, inspection of physical security controls, and manual and automated validation of host-based security controls.

3. Remote Analysis and Follow-Up

Following the onsite portion of the assessment, the Triaxiom team will finish evaluation of controls remotely, comparing evidence collected onsite to company documentation, continuing to review configuration files, and scheduling any interviews that couldn’t be completed while onsite. The QSA will request any required follow-up documentation, evidence, or screenshots from the client to complete the assessment successfully.

Post-Execution

1. Reporting

After completing the active portion of the assessment, Triaxiom will formally document the findings and details from the assessment using the PCI SSC’s standard RoC reporting template. Any requirements marked as not in place will include details in the RoC as to the reason and recommended remediation steps. During this phase, the lead QSA will also collect, inventory, and document all required evidence, which will be archived with the assessment to meet the PCI SSC’s evidence retention requirements for QSA companies.

2. Quality Assurance

All assessments go through a rigorous technical and editorial quality assurance phase. This may also include follow-ups with the client to confirm environment details or collect additional evidence, as appropriate.

3. Presentation

The final activity in any assessment will be a presentation of all documentation to the client. Triaxiom will walk the client through the information provided, make any updates needed, and address questions regarding the assessment output. Following this activity, we’ll provide new revisions of the documentation and schedule formal re-validation of any remediated requirements, if applicable.

This onsite assessment methodology is presented at a fairly high level, as most organizations’ environments are very different and will require different approaches. PCI QSA onsite assessments are extremely involved, however, and do take a significant amount of time and preparation for both the client and the assessor. If you have any questions or are looking to schedule a future assessment, please reach out!