Frequently Asked Question

What are the Council's requirements for QSA and ASV Companies to maintain a Quality Assurance (QA) manual?
Companies participating in a PCI SSC program, including QSAs and ASVs, must establish and maintain an internal quality assurance (QA) process as set forth by the individual program's qualification or validation requirements. These QA processes must also be formally documented within an internal QA manual. The Council recognizes that each organization has unique needs and therefore does not mandate specific requirements to be included within an organization's QA manual; however, the following items have been identified as a set of best practices which are expected to be present:
- Company name
- List of PCI SSC programs the company participates in
- Descriptions of job functions or responsibilities
- Identification of QA manual process owner
- Approval and sign-off processes
- Requirements for independent quality review of work product
- Requirements for handling and retention of work papers
- QA process flow
- Distribution and availability of the QA manual
- Evidence of annual review by the QA manual process owner
October 2012
Article Number: 1169
Related
-
Are Approved Scanning Vendors and Qualified Security Assessors considered third-party service providers for PCI DSS Requirements 12.8 and 12.9?
-
What are the expectations for entities when assigning risk rankings to vulnerabilities and resolving or addressing those vulnerabilities?
-
Is phishing-resistant authentication alone acceptable as multi-factor authentication for PCI DSS Requirements 8.4.1 and 8.4.3?
Featured FAQ Articles
Featured
-
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?
-
Is the PCI DSS Attestation of Compliance intended to be shared?
-
How does an entity report the results of a PCI DSS assessment for new requirements that are noted in PCI DSS as best practices until a future date?
-
Where do I direct questions about complying with PCI standards?
-
Can SAQ eligibility criteria be used as a guide for determining applicability of PCI DSS requirements for merchant assessments documented in a Report on Compliance?
Most Popular
-
Are Approved Scanning Vendors and Qualified Security Assessors considered third-party service providers for PCI DSS Requirements 12.8 and 12.9?
-
What are the expectations for entities when assigning risk rankings to vulnerabilities and resolving or addressing those vulnerabilities?
-
Is phishing-resistant authentication alone acceptable as multi-factor authentication for PCI DSS Requirements 8.4.1 and 8.4.3?
-
Are passkeys synced across devices, implemented according to the FIDO2 requirements, acceptable for use as phishing-resistant authentication to meet PCI DSS Requirement 8.4.2?
-
How should PCI DSS v4.x requirements noted as superseded by another requirement be reported after 31 March 2025?
Most Recently Updated
-
Can unencrypted PANs be sent over e-mail, instant messaging, SMS, or chat?
-
Are entities allowed to request that cardholder data be provided over end-user messaging technologies?
-
Does PCI DSS allow faxing of payment card numbers?
-
What is the maximum period of time that cardholder data can be stored?
-
To which devices does PCI DSS Requirement 10.4.2 apply?