Our mission is to provide QSA companies and ISA professionals with a tool that facilitates PCI-DSS assessment activities and automates the creation of PCI-DSS reports. TurboQSA supports the QSA professional’s work by providing guidance throughout report creation and a convenient, web-based channel to collaborate with clients and gather information from them.
TurboQSA improves the PCI-DSS compliance report creation process for both professional security assessors and employees of the merchant or service provider being assessed. On top of this improved experience, TurboQSA lowers the cost of assessment projects while speeding up project completion. TurboQSA facilitates all aspects of each assessment project and improves the consistency, quality and productivity of every person involved. With TurboQSA, your QSA company can efficiently complete more assessments, creating a competitive advantage and enabling you to win more business.
Use TurboQSA to complete all aspects of the assessment. Upon completion, peer review and auto-audit, simply click “Export to MS Word” and the PCI ROC Template will be filled in for you within seconds. This button is available at any stage of the assessment to provide a preview of the work completed so far.
Oftentimes when working through a ROC, the customer being assessed has more than one payment channel. While completing the assessment for each requirement, the QSA selects the payment channel that the response applies to. You may select each payment channel in turn and provide a response for each, or select “All Payment Channel” and provide a single response covering all of them.
When you define a contact for your customer, you assign an “Area of Responsibility”. This enables smart assignment of the relevant roles when requesting evidence, scheduling interviews and more.
The interview scheduler helps you find the right audience, and the right ROC controls to cover, for each meeting.
A client instance license is issued under our SaaS agreement. The license is issued for a limited term and sets a limit on the number of active client user accounts (think QSAs, associate QSAs, Project Managers, Administrators, Technical Editors, QA: any employees of the QSA Company). Disabled accounts do not count towards the user account limit.
“Client User” accounts, i.e. accounts of employees of the company being assessed, do not count toward the licensed account limit.
For larger installations, there is a limit on the number of simultaneously running servers.
Our preferred hosting option for the TurboQSA system is Amazon AWS. We provide a template that spins up the entire environment in minutes, inside the QSA Company’s own AWS account. This option ensures you retain full control over encryption keys and sensitive data storage.
Other options, such as Microsoft Azure, Google Cloud, Oracle Cloud or on premise are possible, but would require a custom installation Work Order and come with a custom support agreement.
In either case, the client is liable for all hosting charges pertinent to the client’s instance.
TurboQSA has built-in user support tools: any active user can file a ticket directly from the system’s web interface. This is the preferred way to handle support requests, because it lets us collect additional information that can be used to accurately cross-reference a potential issue with error logs or site events.
Additionally, we extend support channels to all our clients through our Discord server. Access and authentication details for the Discord server are provided along with your license agreement.
For urgent support needs, you can reach us at +1 (877) 222-5275
There are a number of video walk-throughs covering key pieces of TurboQSA functionality and we recommend these for any educational needs.
We provide our clients with a User Manual covering both the QSA and Customer sides of TurboQSA.
Additionally, TurboQSA is open to hosting webinars for licensed QSA Company employees.
We are always looking for new ideas for improving our product and providing the best service possible. We consider two buckets of feature requests:
Universal improvements, features and fixes that would benefit any TurboQSA customer. These go straight into our roadmap.
Custom programming improvements designed to fit a particular company’s workflow or business process. These improvements require a Statement of Work and custom programming fee. Changes implemented this way are released behind a feature enablement flag, targeted at the customer ordering the change.
Currently, TurboQSA focuses on PCI DSS Report on Compliance and supports assessments for Merchants and Service Providers alike.
Your clients, employees and contractors affiliated with the company being assessed use TurboQSA free of charge for the duration of the assessment, and their TurboQSA user accounts do not count towards the licensed user limit.
There are no extra fees to get your client to use the system.
As of the time of writing, v4.0 of the standard is only available as a draft and has not been released, so we cannot yet implement support for it in TurboQSA. Support will be made available to our customers before v4.0 becomes mandatory for new assessments, and we will post a separate announcement on the subject.
Update, May 2022: We are already working on making v4.0 available for our clients. Stay tuned!
Yes. Creating a printable version of the Report on Compliance is a key feature of TurboQSA, and licensed clients benefit from it when completing their PCI DSS assessments with the product.
TurboQSA is designed with data protection in mind. Assessment data, including PII and other sensitive information, is encrypted at rest in both the databases and the file storage systems. You always control the encryption keys, and TurboQSA personnel do not have access to your client’s or your company’s data.
Data in transit is encrypted with TLS over HTTPS (SSL and early TLS versions are not considered strong cryptography under PCI DSS).
It is possible to purchase additional licensed user packs for your license, at a prorated cost.
You can use TurboQSA product for remote assessment practices, as long as you comply with PCI SSC requirements and recommendations. Many of the assessment procedures can be performed remotely, and TurboQSA is here to help you facilitate these.
Currently, TurboQSA does not support generating Self-Assessment Questionnaire (SAQ) documentation. At the same time, we have optimized the ROC assessment process to take advantage of the SAQ type and status of clients who are eligible for one of the SAQs.
TurboQSA will create an AOC (Attestation of Compliance) document for you, based on the data provided with ROC and additional QSA input.
The TurboQSA product comes equipped with Audit Log and Engagement reports that help QSAs, managers and executives track the progress and engagement of all parties on the project. Worried that the client is not responding and not providing answers to your questions? Now you have the data to back up your claims.
Report sanitization is currently not supported, but we have this feature in our roadmap.
Currently there is no Zoom integration implemented. Please schedule Zoom meetings using your corporate account.
Currently there is no Google Meet integration implemented. Please schedule Google Meet meetings using your corporate or personal account.
Clients have limited access to certain controls and requirements in the report, on a need-to-know basis. Access control is based on the assigned responsibility areas.
Your clients will not be able to generate the ROC using TurboQSA product; this feature is limited to QSA users of the QSA Company.
Responsibility Areas can be assigned to Client Contacts or Client Users, i.e. employees or contractors affiliated with the company being assessed. As you interview or prepare to interview subject-matter experts, you can assign one or more Responsibility Areas to them, which tells the TurboQSA system that these individuals should be treated as sources of information for the relevant ROC requirements and controls.
Here is a complete list of currently implemented Responsibility Areas:
Antivirus Software Configuration and Management (under Requirement 5 this is only required on systems commonly affected by malware; Linux hosts are not automatically exempt and the QSA must evaluate them periodically)
Database Administrators & Owners (provisioning, managing and maintenance of company databases)
Encryption of Data in Transit (including Wireless)
Encryption Standards and Implementation for storage of cardholder data (not required if they do not store any CHD)
Firewall and Routers Configuration and Management
Human Resources and Training Coordination
Incident Response and Log Monitoring (policy, IR plan)
Information Security Management (risk assessments, security policies, service provider management, security awareness program, background checks, legal)
Internal and External Vulnerability Scanning
Network Architecture Operations and Management
Patch Installation & Management (testing, configuration, installation and maintenance)
Physical Access Control (video cameras, locks, keys, visitors, security of media)
Servers and Workstations Configuration and Management
Software Development Processes (coders, managers, approvers, change control)
User Account Management (manages new users, maintaining user accounts, ensures no shared account use, terminating users, multi-factor auth)
Users Privilege Management (DBs, filesystems, logins etc - defines access restrictions and policies)
Wireless Configuration and Management
Currently TurboQSA does not support creating custom Responsibility Areas; we believe our curated list covers all scenarios.
Yes, you are free to assign or unassign as many QSAs on a project as you see fit. We recommend having a Lead QSA and a Reviewer (with QSA credentials) as a minimum.
TurboQSA supports several quality control measures:
Tracking item progress to make sure no stone is left unturned and no control remains without a response.
Highlighting incomplete Compensating Controls Worksheets.
Review process to ensure each control or requirement eligible for review receives attention from another person with QSA credentials.
Optional QA stage in the workflow, enabled at the QSA Company level.