Frequently Asked Question
Is a QSA Employee that designs, develops, or implements specific controls for a customer also permitted to assess those same controls?
No. As per section 2.2 of the QSA Qualification Requirements, “The QSA Company must have separation of duties controls in place to ensure Assessor-Employees conducting or assisting with PCI SSC Assessments are independent and not subject to any conflict of interest.” If one or more QSA Employees recommend, design, develop, provide, or implement controls for an entity, it is a conflict of interest for those same QSA Employees to assess those controls or the requirements the controls affect.
Another QSA Employee of the same QSA Company (or a subcontracted QSA) who was not involved in designing, developing, or implementing the controls may assess the effectiveness of the controls and/or the requirements the controls affect. The QSA Company must ensure that adequate, documented, and defensible separation of duties is in place within its organization to prevent independence conflicts.