QSA audit
The audit is conducted only for legal entities that are financial institutions, payment gateways or data centers. The second prerequisite is a minimum of 300,000 transactions per year. An additional condition is regular, automated ASV (Approved Scanning Vendor) scanning.
The audit only affects the enterprise infrastructure that is responsible for payment systems, so the customer is advised to isolate the necessary part of the network in advance.
Audit Requirements
There are more than 250 requirements for an organization going through an audit. These are categorized into 6 groups.
- Building and maintaining a secure enterprise infrastructure.
- Securing the confidentiality of information about bank cardholders.
- Implementation of policies and hardware and software complexes to prevent vulnerabilities in the company’s infrastructure.
- Implementation of strict access control measures within the organization.
- Continuous monitoring and testing of all elements of the company’s infrastructure.
- Updating the information security policy in accordance with the current requirements of the PCI DSS standard.
Results of QSA audit
The auditor conducts a compliance audit to verify compliance with the PCI DSS standard, collecting audit evidence and documented proof. A compliance report is provided to the client as a result of the audit.
If the audit is successful, a certificate of compliance is issued. It is valid for one year from the end of the audit. The certificate is then sent to the international payment systems (VISA, Master Card) or to the acquiring banks. The results of the QSA verification are stored for 3 years.