PCI Security Standards Council Bulletin: Updates Made to Qualified Security Assessor Program
30 June 2023
PCI SSC has published updates to the QSA Qualification Requirements and the QSA Program Guide.
Included in these updates are assessor expectations and requirements for the completion of the recently
published PCI DSS v4.x Items Noted for Improvement (INFI) Instructions and Worksheet. More
information on the INFI Worksheet and Guidelines can be found here:
PCI Security Standards Council Bulletin: New PCI DSS v4.x Worksheet and Guidelines Published to
Support Security as a Continuous Process
In addition to the updates to include the INFI expectations and requirements, below is a summary of the
changes to the QSA program documents:
QSA Qualification Requirements v4.1:
• Updated document names and terminology for PCI DSS v4.0.
• Added a best practice for QSA Companies to have a documented sampling methodology.
• Clarified wording throughout section 4 (Quality Assurance).
• Made minor wording changes to the QSA Agreement (Appendix A).
• Corrected minor errata.
QSA Program Guide v4.0:
• Updated definitions to align with PCI DSS v4.0.
• Added guidance for QSAs when conducting assessments remotely.
• Added a requirement for completing PCI DSS v4.x Items Noted for Improvement: Instructions and
Worksheet.
• Added Appendix E to clarify Quality Assurance Evidence Requirements.
• Replaced former section 3.1.1 with a reference to the PCI SSC Assessor Requalification Policy.
• Made minor language clarifications throughout.
The updated program documents are effective immediately. Assessors have until 1 October 2023 to
implement these changes.
The updated QSA Qualification Requirements and QSA Program Guide are available now in the PCI SSC
Document Library.
###
The information in this bulletin is no longer valid as of 20 March 2024 and has been superseded by a
new bulletin available here.