PCI Standards: Terms to Remember
As I have been learning more about the PCI standards, I have come across some acronyms that didn’t make a lot of sense to me. So after doing a little research, I decided to write what I found out just in case any of you have the same confusion as me.
The first one is QSA. QSA stands for Qualified Security Assessor. Qualified Security Assessors are individuals or organizations that have been qualified by the PCI Security Standards Council to perform a PCI DSS Certification Audit. There are different levels of auditing and reporting requirements, but the twelve high-level control objectives, and corresponding sub-requirements, of the PCI Data Security Standard are required to be met either directly or through a compensating control. The QSA certifies that a company is meeting these requirements by conducting an annual onsite audit and then files a report on whether or not they are compliant.
The next term I have come across in my research of the PCI standards is ASV. ASV stands for Approved Scanning Vendor. An ASV helps companies gain and maintain PCI compliance by conducting scans of their networks and websites, otherwise known as PCI scanning. If a company electronically stores cardholder data, then it is required to have a quarterly or yearly scan performed by an ASV. The scan will review networks, operating systems, services, and devices and report any vulnerabilities.
The last term I wanted to bring up is the SAQ (not to be confused with the QSA). SAQ stands for Self-Assessment Questionnaire. Because there are different merchant levels, some businesses may not be required to have an annual audit, but can simply audit their own PCI compliance by filling out an SAQ and submitting it to their acquiring bank. The SAQ consists of questions correlating to the PCI DSS requirements. There are also some different variations depending on your merchant level.
Hopefully this has helped in clearing up any confusion you may have had. The PCI standards can be very confusing and overwhelming, but the more research I do, the more I realize the importance.










