What makes good software for a QSA?

To this day, there is no real productivity tool for a QSA to cover all areas of workflow for a PCI DSS Assessment. Or maybe there is one? Let's find out.


There isn’t much specialized software for Qualified Security Assessors (QSAs). The PCI Council provides professionals with a Word document template, and that’s it: Microsoft Word is your tool; it is your software. Some QSA companies use business automation suites to make document and evidence sharing and tracking somewhat easier, which lets client employees take part in the process to a degree. These are good for their purpose, but they still leave the QSA with a lot of unnecessary complexity and cumbersome paperwork. Other QSA companies have created specialized Excel templates that replicate sections of the ROC template. The benefit of these is a more structured, tabular form of data and, depending on the particular solution, the ability to export a Word document that comes very close to the PCI ROC standard. These solutions still lack collaboration, evidence tracking, and control over the correctness of data input. To this day, there is no real productivity tool for a QSA, no software that covers all areas of information and workflow around a PCI DSS assessment.

So, what would be the requirements for such a tool? Feature-wise, the following would be mandatory:

1. Interface for data collection.

2. Interface and means for evidence collection:

  • Ability for QSA to upload evidence (documents reviewed) for every ROC control where evidence is required,
  • Ability for QSA to request evidence from client’s employees,
  • Ability for client’s employees to upload documents as evidence upon request,
  • Ability for QSA and client’s employees to provide evidence in the form of a web link.

3. Evidence tracking: every document uploaded or provided must be reflected in its respective control and under section 4.9 of the ROC.

4. Interview and interviewee tracking and management:

  • Ability to schedule interviews for ROC controls where it is required,
  • Ability to notify attendees of the interview date and agenda,
  • Interview and attendee documentation in each individual control under section 6 as well as under section 4.10 of the ROC,
  • Secure storage for evidence with encryption at rest.

5. Payment Channels management:

  • Ability to specify applicable payment channels for the assessed company,
  • Ability to narrow down the assessment scope for each payment channel based on circumstances (for example, when all of the client’s retail stores use a validated P2PE solution),
  • Ability to enter individual responses for each payment channel where applicable.

6. Collaboration features:

  • Web access for QSAs,
  • Web access for client’s employees,
  • Communication features for QSA and client user interactions,
  • Peer review and QA features with web access.

7. Reporting features:

  • Audit and engagement reports,
  • Project progress reports.

8. Knowledge retention features:

  • Best practices exchange,
  • Guidance support.

9. Word document export: the tool must produce a valid ROC for the current version of PCI DSS standard.

We are proud to say that the TurboQSA solution satisfies all these requirements and does much more than the bare minimum, aiming to cut down the time spent by QSAs and by everyone involved in the assessment project while significantly increasing the quality of the report produced. TurboQSA is the first and only purpose-built tool for QSA PCI ROC management.

To find out more, send an email to sales@turboqsa.com. We’ll be happy to schedule a demo for you.