Will your tool automatically generate the ROC and AOC(s) for v3.2.1 and v4.0?
If you are using TurboQSA, the answer is YES.
Our mission is to provide QSA companies and ISA professionals with a tool to facilitate PCI-DSS assessment activities and to automate the creation of PCI-DSS reports. TurboQSA provides guidance throughout report creation as well as a convenient, web-based channel to collaborate with and gather information from their clients.
A Targeted Risk Assessment or TRA is required for each control that is to be replaced with a Customized Approach in PCI 4.0.
Our TRA experience puts the task on your customers as required.
However, it does so in a sensible way that gives them and the QSA confidence in the results. It is comprised of multiple dimensions that are easy to follow.
Our Automated Quality Check or AQC feature was designed as a rules-based engine to look for common and not-so-common errors that lead to ROCs being returned by the acquirers or card brands.
Equally important, it checks for common problems that cause a ROC to fail a PCI Council audit. By running this one-button-click process and responding to each finding, you can lower your chances of being put in remediation by the council.
Since it is a rules processor, we are constantly adding new checks as we learn about them from customers.
TurboQSA transformed our ROC project navigation in 2022, and our customers are absolutely glad we did.
In a single glance it is easy to tell where items have not been started, where they are waiting on the customer or the QSA and where they are ready for peer review.
There is no longer a need to go hunting through the entire project looking to see what is incomplete.
TurboQSA filtering features, which work in tandem with our new project navigation experience, allow your peer reviewer to be fully engaged in the project from day one.
Our customers tell us this improves the outcomes for the assessed entities as the peer reviewer understands the environment and the individual nuances of each project better from the very outset.
Peer reviewers should finish each workday by spending 10 or 15 minutes looking through the projects where they are assigned in a review role to provide feedback on any items awaiting their input. This removes the typical back-loaded review process which is far less accurate and useful.
Who loves filling in the ROC template? Who loves filling in the AOC template(s)? We are guessing very few QSAs or ISAs have raised their hands to either of these questions.
Use the rich, powerful and time-saving features of TurboQSA and leave the filling out of the ROC template to us. For the AOCs, we support all languages supported in the templates. We also now support the “Items Noted for Improvement” or INFI document, which is intended to be shared back with your assessed customers for work before the next assessment.
Languages supported: English, German, French, Spanish, Portuguese, Japanese and Chinese.
Use TurboQSA to complete all aspects of the assessment. Upon completion, peer review and auto-audit, simply click “Export to MS Word” and the PCI ROC Template will be filled in for you within seconds. This button is available at any stage of your assessment to provide a preview of work completed.
Oftentimes when working through a ROC, the customer being assessed has more than a single payment channel. While completing the assessment for each requirement the QSA is required to select a payment channel to provide a response for. You may select and provide a response for each payment channel, or you may select “All Payment Channel” and provide a single response.
When you define a contact for your customer, you assign an “Area of Responsibility”. This allows smart assignment for relevant roles when requesting evidence, scheduling interviews and more.
The interview scheduler allows you to find the right audience, and the right ROC controls to cover, in your meeting.
A client instance license is issued according to our SaaS agreement. The license is issued for a limited term and sets limitations on the number of active client user accounts (think QSAs, associate QSAs, Project Managers, Administrators, Technical Editors, QA: any employees of the QSA Company). Disabled accounts do not count towards the user account limit.
“Client Users” accounts - accounts of employees of the company being assessed do not count toward the licensed accounts limit.
For larger installations, there is a limit on the number of simultaneously running servers.
Our preferred option for hosting the TurboQSA system is Amazon AWS. We provide a template that allows for the entire environment to be spun up in minutes, inside the QSA Company’s AWS account. This option ensures you maintain full control over encryption keys and sensitive data storage.
Other options, such as Microsoft Azure, Google Cloud, Oracle Cloud or on-premises, are possible, but would require a custom installation Work Order and come with a custom support agreement.
In either case, the client is liable for all hosting charges pertinent to the client’s instance.
TurboQSA has some built-in tools for user support: any active user can file a ticket right from the system’s web interface and that’s the preferred way to handle support requests, enabling us to collect additional information that can be used to accurately cross-reference a potential issue to any error logs or site events.
Additionally, we extend support channels to all our clients with our Discord server. Access and authentication for the Discord channel are provided along with your license agreement.
For urgent support needs, you can reach us at +1 (877) 222-5275.
There are a number of video walk-throughs covering key pieces of TurboQSA functionality and we recommend these for any educational needs.
We provide our clients with a User Manual covering both the QSA and Customer sides of TurboQSA.
Additionally, TurboQSA is open to hosting webinars for licensed QSA Company employees.
We are always looking for new ideas for improving our product and providing the best service possible. We consider two buckets of feature requests:
Universal improvements, features and fixes that would benefit any TurboQSA customer. These go straight into our roadmap.
Custom programming improvements designed to fit a particular company’s workflow or business process. These improvements require a Statement of Work and custom programming fee. Changes implemented this way are released behind a feature enablement flag, targeted at the customer ordering the change.
Currently, TurboQSA focuses on PCI DSS Report on Compliance and supports assessments for Merchants and Service Providers alike.
Your clients, employees and contractors affiliated with the company being assessed use TurboQSA for free for the duration of the assessment, and their user accounts with TurboQSA do not count towards the licensed user limit.
There are no extra fees to get your client to use the system.
TurboQSA supports the new standard, v4.0 rev 1 (as of the moment of writing this answer).
Please sign up for a demo to see the new process in our Pilot portal.
Yes, being able to create a printable version of the report on compliance (v3.2.1 and v4.0) is a key feature of TurboQSA, and licensed clients would benefit from it when they complete their PCI DSS assessments with the TurboQSA product.
TurboQSA is designed with data protection in mind. Assessment data, including PII and sensitive information, is encrypted at rest while stored within databases and file storage systems. You are always in control of the encryption keys, and TurboQSA personnel do not have access to your client’s or company’s data.
Data is also protected in transit over SSL/HTTPS.
It is possible to purchase additional licensed user packs for your license, at a prorated cost.
You can use the TurboQSA product for remote assessment practices, as long as you comply with PCI SSC requirements and recommendations. Many of the assessment procedures can be performed remotely, and TurboQSA is here to help you facilitate these.
Currently, TurboQSA does not support generating Self-Assessment Questionnaire documentation. At the same time, we have optimized the ROC assessment process to take advantage of SAQ status and type for clients compliant with different levels of SAQ.
TurboQSA will create an AOC (Attestation of Compliance) document for you, based on the data provided with ROC and additional QSA input.
For the DSS v4.0 standard we provide limited localization support for AOC.
The TurboQSA product comes equipped with Audit Log and Engagement reports that help QSAs, managers and executives track progress and engagement of all parties on the project. Worried that the client is not responding and not providing answers to your questions? Now you have data to back up your claims.
Report sanitization is currently not supported, but we have this feature in our roadmap.
Currently there is no Zoom integration implemented. Please schedule Zoom meetings using your corporate account.
Currently there is no Google Meet integration implemented. Please schedule Google Meet meetings using your corporate or personal account.
Clients will have limited access to certain controls and requirements on the report, on a need-to-know basis. Access control is implemented based on assigned responsibility areas.
Your clients will not be able to generate the ROC using the TurboQSA product; this feature is limited to QSA users of the QSA Company.
Responsibility Areas can be assigned to Client Contacts or Client Users, that is, employees or contractors affiliated with the company being assessed. As you interview or prepare to interview area experts, you can assign some of them one or multiple Responsibility Areas, to inform the TurboQSA system that these individuals should be considered as sources of information for relevant ROC requirements and controls.
Here is a complete list of currently implemented Responsibility Areas:
Antivirus Software Configuration and Management (not required for Linux)
Database Administrators & Owners
Provisioning, managing and maintenance of company databases
Encryption of Data in Transit (including Wireless)
Encryption Standards and Implementation for storage of cardholder data (not required if they do not store any CHD)
Firewall and Routers Configuration and Management
Human Resources and Training Coordination
Incident Response and Log Monitoring (policy, IR plan)
Information Security Management (risk assessments, security policies, service provider management, security awareness program, background checks, legal)
Internal and External Vulnerability Scanning
Network Architecture Operations and Management
Patch Installation & Management
Testing, configuration, installation and maintenance
Physical Access Control (video cameras, locks, keys, visitors, security of media)
Servers and Workstations Configuration and Management
Software Development Processes (coders, managers, approvers, change control)
User Account Management (manages new users, maintaining user accounts, ensures no shared account use, terminating users, multi-factor auth)
Users Privilege Management (DBs, filesystems, logins etc - defines access restrictions and policies)
Wireless Configuration and Management
Currently, TurboQSA does not support creating custom Responsibility Areas; we believe that our curated list covers 100% of scenarios.
Yes, you are free to assign or unassign as many QSAs on a project as you see fit. We recommend having a Lead QSA and a Reviewer (with QSA credentials) as a minimum.
TurboQSA supports several quality control measures:
Tracking item progress to make sure no stone is left unturned and no control remains without a response.
Highlighting incomplete Compensating Controls Worksheets.
Review process to ensure each control or requirement eligible for review receives attention from another person with QSA credentials.
Optional QA stage in the workflow, enabled at the QSA Company level.