For FinTech entrepreneurs, regulatory compliance and information security policies are top priorities. When it comes to integrating your financial technology (FinTech) into a Credit Bureau or handling sensitive consumer credit card information, you’re going to need a Qualified Security Assessor (QSA) to ensure that your company’s security posture meets Federal Regulations.

To make your life easier, MK Decision put together a brief guide to help your team locate the right QSA. Our team is here to share what we’ve learned in becoming Payment Card Industry (PCI) Data Security Standard (DSS) Level 1 certified, as well as Experian Independent 3rd Party Assessment (EI3PA) compliant.

Best practices to find and choose a QSA

There are over 380 QSAs approved by the world-wide PCI Council, with over half of those based in the USA. The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection as defined on their website. With so many QSAs to choose from, here are some best practices to help narrow down that list to a few that fit your FinTech’s needs.

  • Think of the QSA as a long-term partner in compliance and improving your security posture, not just a company authorized to tick checkboxes on the Report on Compliance (RoC). On the other hand, stay away from a QSA that conflates their ideas for best practices with the minimum necessary for PCI certification.

  • Look for a QSA firm with experience in your particular industry vertical, not just something PCI-related. In addition to having a thorough knowledge of technology requirements for PCI compliance, you want to deal with auditors that can quickly get up to speed on your business practices. A good QSA will also have a keen eye for minimizing costs and efficiency while making sure you are compliant and more secure.

  • Ask for references and a track record of clients that were audited. Do many of their clients stay on year after year? Were the audits completed on time and on budget? Did their newly-certified clients fair better than average when it comes to avoiding data breaches?

  • Ask about how long first-time audits usually take. Clarify time frames for both preparing for the audit and the audit itself, especially if your FinTech has a deadline to get certified.

  • Ensure all the QSA employees you will be dealing with are professional and on the same page; If one does the preparation / pre-assessment and another does the on-site audit, there should be no disconnect or contradictions between them. High turnover rates at a QSA firm are a red flag - then you might have to deal with multiple opinions, including during the pre-assessment.


  • Clarify any misunderstandings about how much help you will get. Will the QSA answer questions that are not strictly covered by the contract? I.e. those relevant to preparing for the next year’s audit?

  • Be proactive, the QSA is not just finding problems but also offering a variety of solutions. If operating with old technology, the QSA should be familiar with “compensating controls”: options for legacy systems that cannot run an antivirus but can be hardened via an access whitelist.

  • Ask about the QSA company’s accountability to the PCI Council. Should the latter decide to get involved and question the PCI audit, will the QSA stand behind their certification?

  • Be mindful that the compliance audit will likely cover both brick-and-mortar security and cyber security policies (often followed by a Network Vulnerability and Penetration Test), as well as your privacy policies.

  • Build a professional relationship with the selected QSA. There will be a lot of documenting of business-as-usual workflow to include in the audit and it helps to have a strong professional relationship in place.

Why MK Chose RSI Security

In 2018, MK Decision chose RSI Security as its QSA for renewing its PCI compliance, as well as obtaining Experian Independent 3rd Party Assessment (EI3PA), necessary for our integration with the Experian Credit Agency’s back end. As a small and nimble QSA, RSI Security has lived up to its good reputation, providing helpful guidance on both best practices for our security posture as well as how to document our security policies and procedures, would-be incident responses and disaster recovery.

When it comes to documenting your business practices to comply with any international cross-industry standard, there are quite a few prevalent challenges. RSI Security has been helpful navigating the rough edges. For example, because MK is integrated with Amazon Web Services (AWS) for its data storage and computation, much of the scope of PCI compliance is already taken care of by Amazon. However, the PCI questionnaire assumes that customer data is stored in-house, and asks relevant questions. RSI Security helped MK formulate answers to questions that no longer apply to current business practices, but were still part of the questionnaire.

We hope this information will be helpful to any FinTech in narrowing their list of QSA partners, and ultimately selecting the right one. Ideally, you’ll find not only an insurance policy, but also a crisis management partner. From our team to yours, best of luck on your journey!

To learn more about MK Decision, check out