PCI Security Standards Council®

Qualified Security Assessor Feedback

Qualified Security Assessor (QSA) companies are independent security organizations that have been qualified by the PCI Security Standards Council to validate an entity's adherence to PCI DSS. QSA Employees are individuals who are employed by a QSA Company and have satisfied, and continue to satisfy, all QSA Requirements.

This form is used to review QSAs and their work product, and is intended to be completed by the QSA client after a PCI assessment. While the primary audience of this form is QSA audit clients (merchants or service providers), there are several questions at the end, under "QSA Feedback Form for Payment Brands and Others," to be completed as needed by Payment Brand participants, banks, and other relevant parties.

Information collected from the Feedback Form will be held in strict confidence and used for the sole purpose of improving the quality of service provided by the QSA.

QSA Feedback Form

Fields marked * are required.

Client (merchant or service provider)

Qualified Security Assessor Company (QSA) *

Location of Assessment

QSA employee who performed Assessment *

Dates QSA was onsite for assessment: From __/__/____ To __/__/____

I would like to be contacted by a PCI SSC representative

For each statement, please indicate the response that best reflects your experience and provide comments.
5 = Strongly Agree             4 = Agree     3 = Neutral      2 = Disagree        1 = Strongly Disagree

Question    Select One    Comments

1. During the initial PCI engagement, the QSA explained the objectives, timing, and review process, and addressed your questions and concerns.

2. The QSA employee(s) understood your business and technical environment, as well as the cardholder data environment.

3. The QSA employee(s) had sufficient security and technical skills to effectively perform this assessment.

4. The QSA sufficiently understood the PCI Data Security Standard and the PCI DSS Security Audit Procedures.

5. The QSA effectively minimized interruptions to operations and schedules.

6. The QSA provided an accurate estimate for the time and resources needed.

7. The QSA provided an accurate estimate for report delivery.

8. The QSA did not attempt to market their own products or services for your company to attain PCI compliance.

9. The QSA did not imply that use of a specific brand of commercial product or service was necessary to achieve compliance.

10. In situations where remediation was required, the QSA presented product and/or solution options that were not exclusive to their own product set.

11. The QSA used secure transmission to send any confidential reports or data.

12. The QSA demonstrated courtesy, professionalism, and a constructive and positive approach.

13. There was sufficient opportunity for you to provide explanations and responses during the audit.

14. During the review wrap-up, the QSA clearly communicated findings and expected next steps.

15. If applicable, the QSA provided sufficient follow-up during your company's remediation efforts, until eventual compliance was achieved.

Please provide any additional comments here about the QSA, your assessment, or the PCI DSS documents.
QSA FEEDBACK FORM FOR PAYMENT BRANDS AND OTHERS

The "QSA Feedback Form for Payment Brands and Others" is to be completed as needed by Payment Brand participants, banks, and other relevant parties. This form can be obtained directly from the QSA during the assessment, or can be found online in a printable format at www.pcisecuritystandards.org.

Fields marked * are required.

Client (merchant or service provider) *

Qualified Security Assessor Company (QSA) *

QSA employee who performed Assessment *
For each question, please indicate the response that best reflects your experience and provide comments.
4 = Strongly Agree             3 = Agree          2 = Disagree        1 = Strongly Disagree

Question    Select One    Comments

1. Does the QSA clearly understand how to notify your payment brand about compliance and non-compliance issues, and the status of merchants and service providers?

2. Did you receive any complaints about QSA activities related to this assessment?

3. Did the QSA demonstrate sufficient understanding of the PCI Data Security Standard and the PCI Security Assessment Procedures?

Please provide any additional comments here.