Frequently Asked Question

What are the Council’s requirements for QSA and ASV Companies to maintain a Quality Assurance (QA) manual?
Companies participating in a PCI SSC program, including QSAs and ASVs, must establish and maintain an internal quality assurance (QA) process as set forth by the individual program’s qualification or validation requirements. These QA processes must also be formally documented within an internal QA manual. The Council recognizes that each organization has unique needs and therefore does not mandate specific requirements to be included within an organization’s QA manual; however, the following items have been identified as a set of best practices which are expected to be present:
- Company name
- List of PCI SSC programs the company participates in
- Descriptions of job functions or responsibilities
- Identification of QA manual process owner
- Approval and sign-off processes
- Requirements for independent quality review of work product
- Requirements for handling and retention of work papers
- QA process flow
- Distribution and availability of the QA manual
- Evidence of annual review by the QA manual process owner
October 2012
Article Number: 1169