PCI QSA Regions: Why Your Assessor’s Geography Matters More Than You Think

Most organizations preparing for a PCI DSS assessment are focused on their systems, their data, their controls. Understandable. But there’s a lesser-known requirement that catches companies off guard: the geographic authorization of the company carrying out the assessment itself. Get this wrong, and the whole assessment could be invalid.

What a PCI QSA Region Actually Is

The PCI Security Standards Council (PCI SSC) divides the world into regions. A Qualified Security Assessor Company (QSAC), the firm that carries out PCI DSS assessments, must be formally authorized by the PCI SSC to operate within each region it works in. That authorization isn’t automatic: the company has to participate in the relevant PCI program and pay the associated regional fees.

On the PCI SSC’s public website, each listed QSAC has a “Servicing Markets” column. That column tells you exactly which regions the company is cleared to operate in. If a region isn’t listed, the QSAC has no business doing assessment work there.

The PCI SSC’s FAQ 1471 covers this in more detail. The full breakdown of which countries sit within which regions and what it costs to operate in each is published by the PCI SSC directly.

Why Scope Isn’t Just About Technology

Here’s where organizations frequently go wrong. PCI DSS scope isn’t limited to servers, networks, and applications. It covers People, Process, and Technology. All three of them. And the geographic implications of each are different.

People

Anyone involved in activities that fall within the scope of the assessment is in scope, including contractors and third-party service providers who aren’t covered by a valid Attestation of Compliance (AOC). That includes staff carrying out functions such as:

  • HR and legal
  • Security operations and system administration
  • Development and networking
  • Telephone and card-present payment handling
  • Data center operations and procurement

The physical location of those people determines which regions come into scope. A development team based in Bangalore, a SOC in Karachi, a finance function in Colombo: each of those locations pulls the assessment into a new region, and the QSAC needs to be authorized in every single one.

This has become an increasingly common issue. Offshoring of DevOps functions to India, Pakistan, and Sri Lanka is now routine. So is hiring remote staff across borders following the shift in working patterns post-pandemic. What used to be a simple single-region assessment can now span four or five regions without anyone noticing until it’s too late.

Process

Processes are generally tied to people, so this largely follows from the people analysis. But it’s worth calling out separately. If a process falls within scope (firewall rule reviews, patch management, key management, employee background checks, vendor oversight), then the region where that process is carried out needs to be covered. It’s easy to overlook a process that happens to run from a different office.

Technology

Physical technology is straightforward. The location of the Cardholder Data Environment (CDE), or of any environment connected to it, whether that’s a data center or on-premises infrastructure, brings that region into scope.

Cloud is where things get less clear. Cloud environments can operate across multiple geographic regions depending on customer location and redundancy requirements. The current guidance from the PCI SSC is that cloud regions do not affect the QSAC’s required operating regions. The logic holds up: all of the organization’s interactions with that cloud environment come from the people managing it, and those people are already captured under the people scope. Until that guidance changes, cloud deployment regions won’t trigger additional QSAC authorization requirements.

SaaS solutions are a different matter. If an outsourced platform (say, a third-party e-commerce or card management system) comes directly into scope for the assessment because there’s no valid AOC covering it, then the QSAC needs to pay careful attention to where that provider operates. People, processes, and technology all apply to that third party too.
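The People, Process and Technology rules above reduce to a mechanical check that is worth running before signing with an assessor. The following is an added example, not code from the original post: it takes an inventory of where each in-scope person, process, system, cloud deployment and SaaS provider physically sits, applies the rules described above (cloud regions ignored, third parties dropped only when a valid AOC covers them), and reports every region the QSAC’s Servicing Markets entry does not cover. The country-to-region table, region names, sample inventory and sample Servicing Markets list are all constructed for illustration; the authoritative mapping is the one the PCI SSC publishes.

```python
"""Added example (not from the original post): map an assessment's people,
process and technology inventory to QSAC regions and report every region the
chosen QSAC is not authorized to service.

Everything here is hypothetical: the country-to-region table, the region
names, the sample inventory and the sample Servicing Markets list are
constructed. Substitute the PCI SSC's published region table and the
Servicing Markets column from the PCI SSC listing for real use.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Hypothetical country -> QSAC region table (constructed, not the PCI SSC's).
COUNTRY_TO_REGION: Dict[str, str] = {
    "US": "North America", "CA": "North America",
    "GB": "Europe", "DE": "Europe", "NL": "Europe",
    "IN": "Asia Pacific", "PK": "Asia Pacific", "LK": "Asia Pacific", "SG": "Asia Pacific",
    "BR": "Latin America",
}


@dataclass(frozen=True)
class ScopeItem:
    kind: str                    # "person" | "process" | "technology" | "cloud" | "saas"
    name: str
    country: str                 # ISO 3166-1 alpha-2 code of where the item physically sits
    third_party: bool = False    # belongs to a service provider rather than the assessed entity
    has_valid_aoc: bool = False  # that provider is covered by its own valid AOC


def region_for(country: str) -> str:
    """Map a country to its QSAC region. An unmapped country is an error,
    never silently treated as out of scope."""
    try:
        return COUNTRY_TO_REGION[country]
    except KeyError:
        raise ValueError(f"no region mapping for country {country!r}; check the PCI SSC table") from None


def in_scope(item: ScopeItem) -> bool:
    """Apply the post's rules: cloud deployment regions do not count (the
    people operating them are already inventoried); a third party drops out
    only when a valid AOC covers it; everything else stays in."""
    if item.kind == "cloud":
        return False
    if item.third_party and item.has_valid_aoc:
        return False
    return True


def regions_in_scope(inventory: Iterable[ScopeItem]) -> Set[str]:
    """Every region the assessment touches."""
    return {region_for(i.country) for i in inventory if in_scope(i)}


def coverage_gaps(inventory: Iterable[ScopeItem], servicing_markets: Iterable[str]) -> Dict[str, List[str]]:
    """Regions the assessment touches that the QSAC is not authorized for,
    with the inventory items that drag each one in."""
    covered = set(servicing_markets)
    gaps: Dict[str, List[str]] = {}
    for item in inventory:
        if not in_scope(item):
            continue
        region = region_for(item.country)
        if region not in covered:
            gaps.setdefault(region, []).append(item.name)
    return gaps


# Constructed sample inventory for a fictional merchant.
SAMPLE_INVENTORY = [
    ScopeItem("technology", "primary data center", "US"),
    ScopeItem("person", "e-commerce developers", "IN"),
    ScopeItem("person", "SOC analysts", "PK"),
    ScopeItem("process", "firewall rule review", "LK"),
    ScopeItem("person", "contract DBA", "GB", third_party=True),          # no AOC: in scope
    ScopeItem("cloud", "DR replica in a European cloud region", "DE"),   # ignored per PCI SSC guidance
    ScopeItem("saas", "tokenization vault", "SG", third_party=True, has_valid_aoc=True),  # covered by AOC
    ScopeItem("saas", "hosted checkout page", "BR", third_party=True),    # no AOC: in scope
]
# Constructed Servicing Markets entry for a fictional QSAC.
SAMPLE_QSAC_MARKETS = ["North America", "Europe"]


def report(inventory: Iterable[ScopeItem], servicing_markets: Iterable[str]) -> List[str]:
    """Human-readable lines, one per uncovered region."""
    gaps = coverage_gaps(inventory, servicing_markets)
    if not gaps:
        return ["QSAC servicing markets cover every in-scope region."]
    return [f"NOT COVERED: {region} <- {', '.join(names)}" for region, names in sorted(gaps.items())]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_INVENTORY, SAMPLE_QSAC_MARKETS)))
```

Run against the sample data, the report flags Asia Pacific (developers, SOC, firewall review process) and Latin America (the hosted checkout page with no AOC), while the European cloud replica and the AOC-covered vault correctly add nothing. Two design choices matter for real use: an unmapped country raises rather than quietly dropping out of scope, and the output names the items behind each gap so the Statement of Work, or a subcontracting arrangement with a second QSAC, can be written around them.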

Why Getting This Wrong Has Real Consequences

A QSAC that operates outside its authorized regions isn’t just bending a rule. It’s creating genuine problems.

Insurance is one of them. The PCI SSC requires QSACs to carry adequate insurance for every region they’re authorized in, and those requirements are checked annually. A QSAC working in a region it isn’t authorized for won’t have the right insurance coverage there. For the organization being assessed, that’s a risk that sits entirely on its side of the table.

Assessment validity is another. An assessment conducted by a QSAC without appropriate regional coverage may not be valid. The PCI SSC hasn’t published a definitive ruling on this specific scenario, but there’s no reasonable reading of the rules where this ends well for the organization that paid for the assessment.

This is why scoping conversations matter so much, and why they need to happen before the engagement starts, not midway through when the assessor discovers a development team in a region they’re not cleared for. A well-structured Statement of Work should make the QSAC’s permitted regions explicit and incorporate them into the contract from the beginning.

Organizations don’t get to be passive here either. Before signing with a QSAC, checking the Servicing Markets column on the PCI SSC website takes about two minutes. It’s worth doing.

What Happens When a QSAC Doesn’t Cover the Right Regions

The short answer: they can’t do the work. But there’s a legitimate path forward.

A QSAC that lacks authorization in a required region can partner with another QSAC that does have it. The partner QSAC carries out the assessment activities in those regions on behalf of the primary assessor. This arrangement is called a Subcontracting Utilization Agreement, and it must be formally approved by the PCI SSC before any of that subcontracted work begins. The subcontracting QSAC also needs to provide insurance documentation to confirm it has appropriate coverage for the regions involved.

The approval-before-work requirement is non-negotiable. Starting the work and seeking approval afterward isn’t an option.

A Question Worth Asking Before Any Engagement

As global workforces become more distributed and offshoring continues to expand, the regional scope of PCI DSS assessments is only going to get more complex. The question organizations should be asking early, well before an assessor sets foot in the door, is whether their QSAC is actually authorized to assess everywhere that matters.

Because if they’re on shaky ground, so is everything they sign off on.


Discover more from Chad M. Barr

Disclaimer
The views and opinions expressed in this article are solely my own and do not necessarily reflect the views, opinions, or policies of my current or any previous employer, organization, or any other entity I may be associated with.