Always remember this -> Without ambition, one starts nothing. Without work, one finishes nothing. The prize will not be sent to you. You have to win it – Ralph Waldo Emerson.
If you’re reading this blog, you probably already have some experience with security standards and certifications – maybe you even hold a few yourself. In this blog, I will shed some light on my own journey to gain the QSA qualification and break down the steps I took to make this happen.
Decoding QSA: What does it mean?
A Qualified Security Assessor (QSA) is an expert who helps organisations comply with the Payment Card Industry Data Security Standard (PCI DSS) – a set of rules focused on securing payment card data and promoting the global adoption of consistent data security practices. With the increasing use of debit and credit cards worldwide, safeguarding payment card account data has taken on critical importance across all types of businesses. This has made the role of a QSA even more crucial and in demand worldwide.
Behind the scenes of becoming a QSA
My interest in becoming a QSA began years ago when I started working as a cybersecurity consultant. I had the opportunity to work alongside different QSAs and learned how they played a vital role in helping organisations protect payment account data, and so keep their payment channels open, by ensuring compliance with PCI DSS. The payment brands and banks encourage organisations to comply with PCI DSS requirements. If they do not comply, they can face severe penalties, including fines, increased transaction fees, and the loss of the ability to process card payments.
On my way to becoming a QSA, I have faced several challenges, including a break from work during maternity leave and the stringent prerequisite qualification requirements. However, through determination, strategic planning, gaining relevant experience, and maintaining a focused approach, I was able to work towards and ultimately achieve this milestone successfully.
In short, the qualification requirements include:
- Experience: A strong background in IT security, risk assessment and compliance.
- Certification: Holding two industry-recognised certifications such as CISSP, CISM, CISA, and Lead Auditor. Certification requires considerable study, experience and examination.
- Technical knowledge: Expertise in network architecture, encryption, network security controls, applications security and other technical areas.
- Examination: Completing PCI training and exams independently, including the Assessor Fundamentals and Qualification exams.
- Being directly employed by a QSA company (like Axenic) unless explicitly approved otherwise.
- Ongoing annual requalification against the standard.
Climbing the QSA ladder: Steps to meet the qualification requirements
I already had a technical background and expertise in various cybersecurity domains, so the next step was to complete and maintain the prerequisite certification requirements. This was no small task and took 2 years to complete.
Once those were achieved, I progressed towards completing the formal training and exams. In mid-September 2024, I set a clear goal to complete the course and examination by the second week of December 2024. I planned my study timeline to achieve this, grouping the course content into weekly segments.
Initially, I dedicated 10 hours per week to studying. As the deadline approached in November, I increased my study time to 20 hours per week, ensuring I could cover all the critical topics in depth. To achieve this, I adhered to a strict schedule of weekly milestones.
During this period, I focused on thoroughly studying the PCI DSS standard. My study approach allowed me to understand the 12 detailed requirements in the standard. Additionally, working closely with a QSA gave me practical exposure to seeing how PCI DSS requirements are applied and assessed in real-world scenarios.
The PCI SSC training materials, FAQs on the PCI SSC website, and webinars were also invaluable as a learning resource in helping me gain confidence to eventually excel in the QSA exams.
Time for that iced matcha
Although the journey of becoming a QSA was intensive and spanned several years, it has definitely been worth it. I feel as though it has boosted my professional credibility and given me the confidence to apply what I’ve learned to help organisations battle through the payment card compliance minefield.
Maybe now I can finally put some time aside to get back to enjoying iced matchas…