PCI Security Standards Council®

Payment Application Qualified Security Assessor Feedback

Payment Application Qualified Security Assessor (PA-QSA) Companies are organizations that have been qualified by the PCI Security Standards Council to perform PA-DSS Assessments for PA-DSS Program purposes. PA-QSA Employees are individuals who are employed by a PA-QSA Company and have satisfied all PA-QSA Requirements applicable to employees of PA-QSA Companies who will conduct PA-DSS Assessments, as described in further detail in the PA-QSA Requirements.

This form is used to review PA-QSAs and their work product, and is intended to be completed by the client, after a PCI PA-DSS Assessment.

Information collected from the Feedback Form will be held in strict confidence and used for the sole purpose of improving the quality of service provided by the PA-QSA.

Fields marked * are required.

Client (software vendor)
Payment Application Qualified Security Assessor Company (PA-QSA)
*
Location of Assessment
PA-QSA employee who performed Assessment
*
For each statement, please indicate the response that best reflects your experience and provide comments.
5 = Strongly Agree     4 = Agree     3 = Neutral     2 = Disagree     1 = Strongly Disagree

Statement     Select One     Comments

1. During the initial engagement, the PA-QSA explained the objectives, timing, and review process, and addressed your questions and concerns.

2. The PA-QSA employee(s) understood your business and technical environment, as well as the cardholder data environment.

3. The PA-QSA employee(s) had sufficient security and technical skills to effectively perform this assessment.

4. The PA-QSA sufficiently understood the Payment Application Data Security Standard and Assessment Procedures.

5. The PA-QSA effectively minimized interruptions to operations and schedules.

6. The PA-QSA provided an accurate estimate for time and resources needed.

7. The PA-QSA provided an accurate estimate for report delivery.

8. The PA-QSA did not attempt to market products or services for your company to attain PA-DSS compliance.

9. The PA-QSA did not imply that use of a specific brand of commercial product or service was necessary to achieve compliance.

10. In situations where remediation was required, the PA-QSA presented product and/or solution options that were not exclusive to their own product set.

11. The PA-QSA used secure transmission to send any confidential reports or data.

12. The PA-QSA demonstrated courtesy, professionalism, and a constructive and positive approach.

13. There was sufficient opportunity for you to provide explanations and responses during the assessment.

14. During the review wrap-up, the PA-QSA clearly communicated findings and expected next steps.

15. The PA-QSA provided sufficient follow-up during your company's remediation efforts, until eventual compliance was achieved.

Please provide any additional comments here about the PA-QSA, your assessment experience, or the PA-DSS documents.


PA-QSA Feedback Form for Payment Brands and Others

This form is used to review PA-QSAs and their work product, and is intended to be completed after a PCI PA-DSS Assessment as needed by Payment Brand participants, banks, and other relevant parties. Information collected from the Feedback Form will be held in strict confidence and used for the sole purpose of improving the quality of service provided by the PA-QSA. This form can be obtained directly from the PA-QSA during the assessment, or can be found online in a printable format at https://www.pcisecuritystandards.org.

Fields marked * are required.

Client (software vendor)
Payment Application Qualified Security Assessor Company (PA-QSA)
* *
Payment Brand Reviewer
PA-QSA employee who performed assessment
*
* *
Employee ID Number
* *
* *
For each statement, please indicate the response that best reflects your experience and provide comments.
5 = Strongly Agree     4 = Agree     3 = Neutral     2 = Disagree     1 = Strongly Disagree

Statement     Select One     Comments

1. The PA-QSA clearly understood how to notify your payment brand about compliance and non-compliance issues, and the status of merchants and service providers.

2. The Client had a positive and professional experience with the PA-QSA.

3. The PA-QSA employee(s) had sufficient security and technical skills to effectively perform this assessment.

4. The PA-QSA appropriately documented the results related to their findings.

5. From your understanding, the PA-QSA appropriately scoped the payment application's role in the cardholder data environment.

Please provide any additional comments here.