Podcast: Confessions of a QSA: An Introduction to the Payment Card Industry Data Security Standard

Key Points:

  • Transaction volume, customer requirements, or contractual obligations can determine if a self-assessment or independent audit by a QSA is required.
  • PCI DSS compliance can be a competitive advantage for service providers.
  • A sustainable PCI DSS compliance program begins with a sustainable IT environment.


In 2006 the major card brands formed the PCI Security Standards Council (SSC) with the goal of managing the evolution of the Data Security Standard (DSS). Today that has expanded to several other standards and compliance programs. As part of the DSS compliance program, the PCI SSC certifies Qualified Security Assessor (QSA) companies to perform independent audits of merchants and service providers related to the PCI DSS.

So, as a go-to firm for PCI DSS compliance, how does Weaver help clients understand what they need to know?

On this episode of Weaver: Beyond the Numbers, host Tyler Kern talked with Trip Hillman, Director of Cybersecurity Services at Weaver, and Kyle Morris, Senior Manager in IT Advisory Services at Weaver. The trio dug into insights from Weaver’s cyber and QSA team and explored how Weaver advises clients on how to handle PCI DSS assessments and compliance.

PCI DSS applies to organizations that store, process or transmit cardholder data, or that could affect the security of that data. Kyle and Trip look at PCI DSS as an opportunity for these companies to use compliance as a competitive advantage.

Kyle is a QSA and explained that the Council establishes the PCI DSS criteria and dictates what a QSA does for testing. Organizations then determine how they meet the criteria. There are over 250 requirements in PCI DSS, so depending on a company’s needs and capabilities, the organization can conduct an annual self-assessment or bring in an independent QSA to produce a full audit report on compliance.

Kyle and Trip discuss some of the main challenges that companies face with PCI DSS, including scoping, maintaining compliance and identifying the appropriate internal champions. They also share tips on how to prepare for compliance and define common acronyms: SAQ, ROC and AOC.

Tune in to hear why the Weaver team enjoys helping clients fit their unique environment into the complex PCI DSS framework.

“We help people with self-assessment questionnaires or SAQs and everything from full-on ROCs for Fortune 50 Cloud Providers to small merchants to SaaS solutions,” Kyle said.

Subscribe and listen to future episodes of Weaver: Beyond the Numbers on Apple Podcasts or Spotify.

© 2022