Qualified security assessors (QSAs) from chartered accounting firms with formal internal controls audit and information security backgrounds are best placed to assess retailers’ payment card transaction processing security, according to Grant Thornton Canada.

The Payment Card Industry Data Security Standard (PCI DSS) is designed to help organisations that process card payments prevent credit card fraud. The standard applies to all cards branded by one of the participating brands, including Visa, Mastercard and American

The QSA designation is a formal qualification granted by the Payment Card Industry Security Standards Council, which also sets the PCI DSS. QSAs assess compliance with the PCI

Grant Thornton has suggested the severe consequences of non-compliance point to the advantages of engaging QSAs with audit backgrounds. One example of the severity of non-compliance is a $60 million settlement by payment card processors Heartland Payment with Visa following a security breach, Grant Thornton said.

“A QSA with this background has the experience necessary to confirm compliance, the skills to integrate PCI DSS with other governance, risk management and compliance initiatives and also deliver a higher level of assurance of a more formal approach rooted in often decades of experience of providing independent assurance services,” Grant Thornton business risk advisor Chris Anderson said.

Grant Thornton Canada has released a white paper on PCI DSS auditing, Out of the breach.