In 2018, the PCI SSC introduced the new Associate Qualified Security Assessor (QSA) Program in order to attract new information security talent to the QSA Program, help meet the demand for QSAs, and ensure the sustainability of the QSA Program. With the shortage of information security talent, QSA companies have found it challenging to find new assessors. QSAs have been costly to hire and retain, which has increased assessment costs for the merchants and service providers relying on QSA services. The Associate QSA Program is intended to bring new information security talent into the pipeline and ease the resource drain on QSA companies. Participants are funneled into the payment card industry and gain the experience necessary to qualify as a QSA.
Associate QSAs can assist in PCI DSS assessments under the guidance of a QSA Mentor employed at the same QSA company. However, Associate QSAs cannot confirm PCI compliance or sign off on Attestations of Compliance (AOCs) or Reports on Compliance (ROCs). Although limited in the tasks they may perform, Associate QSAs are valuable in offloading work from the QSAs within their company while learning the PCI DSS assessment process in preparation for future QSA certification.
QSA companies that have been in the QSA Program for at least two years are eligible to nominate appropriate employees for the Associate QSA Program. In order to qualify for the Associate QSA Program, an employee should have a college or university degree in IT or a security-related field or two years of experience in IT or security. A QSA company submitting an Associate QSA application for an employee must also attest that a QSA Mentor within the company will be assigned. In addition, the company must also submit to the PCI SSC a Mentor Manual based on PCI’s available template.
With the rollout of the Associate QSA Program, PCI has ensured the sustainability and continued quality of the QSA Program. QSA companies should see some relief as Associate QSAs begin to pick up some of the tasks of QSAs. The payment card industry as a whole should benefit as information security talent can now be funneled into the QSA pipeline.