Do I need to hire a QSA?

The short answer is no, you do not have to hire a QSA, whatever compliance level your organisation falls into under the PCI programme. Even at Level 1, the annual Report on Compliance (ROC) can be completed by a competent internal auditor, preferably one who holds the PCI SSC Internal Security Assessor (ISA) certification. Note that the card brands and your acquirer, not the PCI SSC, set the validation requirements that apply to you, so confirm with them that a self-completed ROC will be accepted before committing to that route.

However, engaging a QSA is highly recommended. QSAs have a strong understanding of the standard, can help you identify and remediate gaps, and can assist with key scoping decisions (for example, segmenting the cardholder data environment to reduce what is in scope). Done well, this gets your organisation compliant faster and more cost-effectively, and can improve the underlying business processes along the way.
