A QSA (Qualified Security Assessor) company or an ASV (Approved Scanning Vendor) company is not considered a service provider in the context of the Payment Card Industry Data Security Standard (PCI DSS). They are highly specialized assessors and validators, rather than service providers involved in processing, storing, or transmitting cardholder data.
I have seen many instances where a company demands an AOC from their QSA or ASV, believing or being told that they need an AOC from all their service providers.
Here’s a clear breakdown of the differences:
Qualified Security Assessor (QSA)
- Role: A QSA is an independent security organization, certified by the PCI Security Standards Council (PCI SSC), to assess and validate a company’s compliance with PCI DSS.
- Function: QSA companies perform formal audits and issue a Report on Compliance (ROC), which confirms that an entity meets all PCI DSS requirements.
- Relationship to service providers: A QSA will assess a service provider and/or merchant’s compliance, but the QSA itself is not a service provider.
Approved Scanning Vendor (ASV)
- Role: An ASV is a company approved by the PCI SSC to perform external vulnerability scanning services.
- Function: An ASV utilizes specialized tools and services to remotely scan an organization’s network perimeter, identifying security vulnerabilities. A passing scan is required quarterly for PCI DSS compliance.
- Relationship to service providers: An ASV provides a scanning service to both merchants and service providers, but is not considered a service provider in the same sense as a hosting provider or payment gateway.
Service provider (for PCI compliance)
In contrast, a service provider is a business entity that is directly involved in the processing, storage, or transmission of cardholder data on behalf of another organization. Examples include:
- Managed firewall providers
- Hosting companies
- Payment gateways
- Cloud service providers
Here are the PCI Security Standards Council’s official definitions:
- Service Provider: Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data (CHD) and/or sensitive authentication data (SAD) on behalf of another entity. This includes payment gateways, payment service providers (PSPs), and independent sales organizations (ISOs). This also includes companies that provide services that control or could impact the security of CHD and/or SAD. Examples include managed service providers that provide managed firewalls, IDS, and other services as well as hosting providers and other entities.
- If an entity provides a service that involves only the provision of public network access—such as a telecommunications company providing just the communication link—the entity would not be considered a service provider for that service (although they may be considered a service provider for other services).
- Third-Party Service Provider (TPSP): Any third party acting as a service provider on behalf of an entity.
- Multi-Tenant Service Provider: A type of Third-Party Service Provider that offers various shared services to merchants and other service providers, where customers share system resources (such as physical or virtual servers), infrastructure, applications (including Software as a Service (SaaS)), and/or databases. Services may include, but are not limited to, hosting multiple entities on a single shared server, providing e-commerce and/or “shopping cart” services, web-based hosting services, payment applications, various cloud applications and services, and connections to payment gateways and processors. See Service Provider and Third-Party Service Provider.