QSA Explained: A Step-by-Step Guide to the Post-PFI QSA Process

14 September 2021

What many people don’t know is that a Qualified Security Assessor (QSA) assessment is integral to the Payment Forensic Investigation (PFI) process. Once a PFI has been completed, the follow-up QSA procedure ensures that the PFI recommendations (or pain points) are actioned, in order to help clients achieve their full mandatory Payment Card Industry Data Security Standards (PCI DSS) compliance.

Whilst PCI DSS is not a legal obligation, it is a standard which applies to any merchant that stores, processes and/or transmits cardholder data. Involving a QSA in the outset of any discussion on compliance will ensure you know exactly what to do (and conversely exactly what not to do).

By implementing the controls within the PCI DSS, your business will benefit from robust measures to drastically reduce the risk of card data compromise and reputational damage. The added benefit from an organisational perspective is a firm understanding of your responsibilities and your environment, to enable you to maintain and manage on-going compliance and embed the processes within your day-to-day operations.

A QSA is an experienced security professional with a technical and auditing background, who has attained the PCI Qualified Security Assessor certification. As part of a customer’s PCI compliance journey, the QSA reviews and samples the environment as a whole –including people, processes, and systems.

To ensure that our clients don’t receive any unwelcome surprises, we’ve outlined the post-PFI QSA procedure below.

1. PFI Process and Report Delivery

IntaForensics QSAs will detail the compliance process as early as possible after the merchant has contacted us. This ensures there are no surprises down the line and enables us to be on hand to respond to any client questions.

The PFI final report will be delivered and the QSA team will then contact the client and agree the scope, which is then used to  initiate proposal/schedule Stage 1 Prioritised Approach Report (PAR) work.

2. Client Contact and QSA Discussions

The QSA will discuss the next steps in detail and suggest performing the Stage 1 work as soon as possible. This will also involve contacting the merchant’s acquirer to inform them of the QSA involvement and an initial indication of when the PAR will be submitted. During this call the QSA will identify the environment to determine what areas are non-compliant.

The QSA will also follow up with an email to the merchant to get the Stage 1 proposal prepared and sent out. If the environment is known and is not likely to change, we can then issue both a Stage 1 and a formal assessment (Stage 2) proposal if the client agrees. In the interest of full transparency, the total costs are known from here on.

3. Stage 1 – Prioritised Approach Report (PAR)

This part is performed remotely, although the QSA will need to visit the client location/s during Stage 2. It can be a good indication of the security culture of the client, and sometimes an opportunity to discuss other areas of interest to the client if required.

A PAR can be used to identify areas which may be hard for the client to reasonably comply with such as Mail Order/Telephone Order (MOTO). Telephony generally brings the entire network into scope which means nearly every PCI DSS requirement will, whilst still being achievable, be time consuming and costly.

The QSA will also identify any possible de-scoping options for the client to reduce the cost/management overhead.

After that, the QSA will confirm with the acquirer as to which channels they are expecting the PAR to cover. This is usually the breached Merchant ID (MID), but sometimes the acquirer will only ask for the channel that was breached, which usually makes that particular compliance easier and quicker to report.

However, this leaves the merchant only ‘partially’ compliant, which means their acquirer may contact them in future to request compliance for other channels.

4. Stage 2 – Formal Assessment

Now it’s time to initiate Stage 2 of the process. The time taken to perform the Stage 2 formal assessment can vary depending on the scope of the environment .

The QSA will work with the merchant to confirm the scope, and once this has been agreed, the QSA will work with our sales team to create the proposal.

The formal assessment also involves the QSA working through the applicable PCI DSS requirements, and requiring the merchant to demonstrate how they comply.

The QSA gathers evidence provided by the merchant to verify compliance which could include logs, screenshots, emails, documents, photographs and even records of conversations. Essentially it involves providing as much information as possible to demonstrate that the merchant is compliant and that our QSA has performed the assessment effectively. We are required by the Payment Card Industry  Security Standards Council (PCI SSC) to retain the evidence for a period of three years, after which we dispose of it securely.

Once all of the requirements have been evidenced correctly, the QSA will create the Report on Compliance (RoC) and the associated Attestation of Compliance (AoC).

These documents are then put through our rigorous quality assurance process. The AoC is signed by the merchant and the QSA prior to being released to both the merchant and the acquirer.

5. Acquirer Involvement

The acquirer manages risk on the merchant’s behalf and reports the compliance of the merchants it manages to the payment card companies (such as Visa, MasterCard and American Express).

The QSA will keep the acquirer updated at all stages of the work. Any compliance queries must be confirmed with the acquirer. This includes queries such as merchant level, PAR expectations and anything else where the QSA will be required to deliver to the acquirer.


And that completes the process! We are accredited to offer specialist consultancy for mandatory PCI DSS compliance and can also add value by offering in-house technical expertise to further improve network and information security for retail, MOTO, e-commerce organisations and service providers.


IntaForensics provides a comprehensive range of security services designed to prevent, monitor, and respond to security breaches.

We boast a team of over 50 cyber security and digital forensic experts and a growing market presence. Our consultants will be able to assist with all digital forensic investigations, PCI/DSS QSA, PCI/DSS PFI, Cyber Security and Incident Response.

Quality underpins everything we do, and we are proud to be UKAS 17025:2017 accredited and ISO/IEC 27001:2013, ISO 9001:2015 and ISO 14001:2015 certified.

To find out more about our services Tel: 0247 77 17780 to speak with a member of our team or fill-in our online contact form.

Talk to our consultation team today

Contact Us

I can honestly say that your excellent customer service and communication has made our forensic instructions to you exceptionally easy. I am very conscious of the amount of time I must have taken up with various queries, requests, and then changed requests but you have always been very patient, polite and extremely helpful.

Case Review Manager - Criminal Cases Review Commission