Frequently Asked Question

No. As per section 2.2 of the QSA Qualification Requirements, "The QSA Company must have separation of duties controls in place to ensure Assessor-Employees conducting or assisting with PCI SSC Assessments are independent and not subject to any conflict of interest." If a QSA Employee(s) recommends, designs, develops, provides, or implements controls for an entity, it is a conflict of interest for the same QSA Employee(s) to assess that control(s) or the requirement(s) impacted by the control(s).

Another QSA Employee of the same QSA Company (or subcontracted QSA) - not involved in designing, developing, or implementing the controls - may assess the effectiveness of the control(s) and/or the requirement(s) impacted by the control(s). The QSA Company must ensure adequate, documented, and defendable separation of duties is in place within its organization to prevent independence conflicts.