Can An ISA Sign Off On A ROC Or SAQ?

This question came up recently on one of the LinkedIn PCI groups and drove a lot of discussion.  However, one of the things that concerned me the most is that no one belonging to this group bothered to submit the question to the PCI SSC to be answered.

When such questions come up, the first thing you should do is go to the PCI SSC Web site’s FAQ page to see if the question has already been answered.  There is an amazing wealth of information contained in the FAQs.

If you search the FAQs and do not come up with an answer to your question, then submit your question to the PCI SSC.  Technically, anyone can submit a question to the PCI SSC.  However, if you are a QSA in a QSAC, the person listed in your QSAC listing should be the focal point and should submit all questions you have to the PCI SSC.

Questions are submitted to info@pcisecuritystandards.org.  Expect a few days to a few weeks to get a response.  Simple procedural questions, such as whether an ISA can sign a ROC or SAQ like a QSA, can get a response in a day or two.  Questions that require the PCI SSC to formulate a position may take a number of weeks before a response is provided.

So, can an Internal Security Assessor (ISA) sign off on a Report On Compliance (ROC) or Self-Assessment Questionnaire (SAQ)?  The answer provided by Cathy Levie, Senior ISA Program Manager, PCI SSC, is as follows.

“The ISA can sign off as long as their Processor/Acquirer has approved of that. This is not up to the PCI SSC.”

In the future, if you have a question and cannot find an answer, ask the PCI SSC.  When you get your answer, please post it to any of the PCI groups on LinkedIn or send it to me so that the rest of the PCI world can benefit from the knowledge.  One of the unfortunate issues the PCI SSC has is that not all questions seem to make it into the FAQs or the FAQs are not updated as quickly.


12 Responses to “Can An ISA Sign Off On A ROC Or SAQ?”

  1. 1 Phi
    April 5, 2018 at 1:57 PM

    Hello Guru,

    I work for a large (level 2 merchant) municipality and am the ISA. 3 years ago it was decided that the position should be moved out from the IT department to an internal auditing department. Specifically the department that manages revenue control systems. This seemed like a no-brainer at the time. Now there is a push to move the position back under the IT department. This is the same IT department that would be implementing my advised changes to become compliant. I feel strongly that this is a definite conflict of interest, however the push back is strong, which seems to be alerting me even more to this fact. I was wondering if you could weigh in on this topic, as I feel this could be a mistake on the part of the leadership here that could prevent compliance even further.

    • April 7, 2018 at 6:04 AM

      A PCI ISA is required to maintain independence from those areas that they assess. See page 5 section (f) of the ISA Qualification Requirements that discusses independence.

  2. October 29, 2016 at 2:40 AM

    Hi PCIGuru,

    In SAQs v3.1 there was a formal signature required for all three of Exec Officer, the QSA and the ISA. I just noticed that in version 3.2, the ISA signature field disappeared. Do you have any idea why? I find this pretty silly as it disengages them, and reduces that much the credibility of an SAQ which wasn’t that high before that already.

    Not to mention that MasterCard still formally requires that SAQs are filled by ISA so it looks weird to not have to countersign anymore.


    • November 16, 2016 at 6:18 AM

      It appears that the Council feels that the merchant’s executive’s signature is good enough and that the ISA only needs to acknowledge their involvement.

      In regards to MasterCard, the only ISA requirement that I am aware of is that an ISA can perform the Report On Compliance (ROC) for Level 1 and 2 merchants. Other than that requirement, I am not aware that MasterCard has any ISA requirement for any SAQ filed with them. In the past, some of the card brands outside of the US had QSA/ISA requirements for SAQs, but those have, I believe, disappeared.

      • November 25, 2016 at 5:56 AM

        I know it wasn’t largely advertised and debated, but since 2012 Mastercard is requiring that merchants “must ensure” that Level 1 ROC and Level 2 SAQ (Level 2 ROC MUST be done by a QSA) are filled by certified PCI ISA. This is as per their official Merchant Validation documentation on https://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/merchants-need-to-know.html (read the tiny characters clauses at the bottom of the matrix)

        Hence my question of why did the council remove the ISA Signature which for me is a sign of accountability. Now I have asked the question to the council and they promised me an answer within… 10 weeks (meh!)

      • November 25, 2016 at 8:47 AM

        Just to clarify, under MasterCard’s rules, Level 2 merchants have a choice of either (a) having an ISA perform the ROC, or (b) having a QSA perform the ROC. In either case, the AOC used has spaces for the signature of an ISA and/or QSA as well as an officer of the organization.

        Why the ISA signature space was removed from the SAQ forms I have no idea, so it will be very interesting to find out the answer the Council provides you. I hope you share it.

  3. March 23, 2016 at 12:55 PM

    These questions relate to PCI ISA 2nd certification on-site exam.
    Are there a lot of “case” questions in the exam? In the e-learning, those questions are answered by free text
    instead of options to select.
    Does anyone know where to find practice questions for the exam?

    • March 25, 2016 at 6:56 AM

      I have no idea as I have never taken the ISA examination. However, if it is anything like the QSA examination, the questions are all multiple choice.

  4. 9 Ken B
    February 12, 2015 at 5:01 AM

    Have you seen a QSA rely on testing performed by an ISA to confirm control validation in lieu of doing their own testing or interviews, i.e. review their work papers from onsite testing?

    • February 12, 2015 at 6:57 AM

      Yes, I have. A lot of large organizations now have ISAs that conduct their own assessment work that is turned over to a QSA. However, all of the QSAs I have observed still do their own interviews and observations in addition to their own sampling. As far as sampling goes, it is typically a smaller sample set than what the ISA used.

      As a reminder, the PCI SSC tells QSAs it is up to them to accept or reject an ISA’s work. So just because an ISA has done an assessment, the QSA is not required to accept it as evidence.

      • May 19, 2015 at 10:54 AM

        So I’m a little confused on one aspect of this: even though a company has certified an ISA, they are still required to use a QSA?

      • May 19, 2015 at 12:56 PM

        If an organization has a PCI SSC certified ISA, they are not required to use a QSA as long as they follow the rules for conducting and filing a ROC or SAQ.


May 2013