Qualified security assessors (QSAs) from chartered accounting firms with formal internal controls audit and information security backgrounds are best placed to assess retailers’ payment card transaction processing security, according to Grant Thornton Canada.
The Payment Card Industry Data Security Standard (PCI DSS) is designed to help organisations that process card payments prevent credit card fraud.
The standard applies to all cards branded by one of the participating brands, including Visa, Mastercard and American Express.
The QSA designation is a formal qualification granted by the Payment Card Industry Security Standards Council, which also sets the PCI DSS. QSAs assess compliance with the PCI DSS.
Grant Thornton has suggested the severe consequences of non-compliance point to the advantages of engaging QSAs with audit backgrounds.
One example of the severity of non-compliance is a $60 million settlement by payment card processors Heartland Payment with Visa following a security breach, Grant Thornton said.
“A QSA with this background has the experience necessary to confirm compliance, the skills to integrate PCI DSS with other governance, risk management and compliance initiatives and also deliver a higher level of assurance of a more formal approach rooted in often decades of experience of providing independent assurance services,” Grant Thornton business risk advisor Chris Anderson said.
Grant Thornton Canada has released a white paper on PCI DSS auditing, Out of the breach.