Frequently Asked Questions

< Back to search page

How can I determine whether a QSA is authorized to perform PCI DSS assessments in all countries that are in scope for my company’s PCI DSS assessment?

FAQ Response

The Servicing Markets element of the Qualified Security Assessor (QSA) listing indicates the geographic regions or countries for which the QSA Company is authorized by PCI SSC to perform PCI DSS assessments and QSA-related duties. Under no circumstances may QSA Companies perform PCI DSS Assessments—or act as a QSA Company in any capacity—outside of the regions or countries for which they are qualified.

The Place of Business element of the QSA listing indicates the QSA Company has a physical presence in that country. This is provided for information only and does not supersede the Servicing Markets element of the listing. 

If QSA-related tasks must be performed outside of the geographic regions or countries for which the QSA Company is qualified, it may be necessary to engage a QSA Company qualified for that region/country to perform the related tasks. Further information is available in the QSA Program Guide available on the PCI SSC website. 

Questions about which countries are included in a particular region should be addressed to the QSA Program Manager via qsa@pcisecuritystandards.org.
 

November 2019
Article Number 1472

Related Articles

Does a QSA need to be onsite at the client’s premises for all aspects of a PCI DSS assessment?

Are operating systems that are no longer supported by the vendor non-compliant with the PCI DSS?

What does “Servicing Markets” on the QSA listing mean?

What date should be used for “Date of Report” in the ROC?