Our Journey to becoming PCI QSA Registered

Axenic has a very special ‘breaking news’ update! We are very pleased to announce that Axenic is now a PCI QSA registered company! This is a hugely important milestone for Axenic and an important part of our next stage of business development.

Just what is a QSA company?

First up though, just what is a QSA company? Qualified Security Assessor (QSA) companies are independent security organisations that have been qualified by the PCI Security Standards Council to validate an organisation’s adherence to the PCI DSS credit card payment standard.

Our PCI Journey

Last year, after significant planning and market research, the Axenic team decided to start building our own PCI DSS capability. There was an Axenic-sized hole in the local PCI market and, given Axenic’s reputation for quality and our existing auditing capability, we decided that it was the right time to break into the PCI business.

The first person the Axenic leadership team thought to bring on board for this project was Kyle. Unfortunately, he had just joined one of the “Big Four” but generously offered to mentor our leadership team on the requirements, practicalities and any speed bumps that we’d likely encounter as we set up our PCI practice. Step one was recruiting the right person to lead our PCI practice – without the right person to lead the practice, it was going to be a non-starter. Following a coffee with Jim and myself some months later, Kyle informed us that he was interested in a change of scenery. The immediate follow-up question was ‘So, do you want a job then?’…which was met with a smile by Kyle and a ‘Yes, I think I do!’.

Now all we needed to do was hire a QSA, build a sales pipeline from scratch, compete for new customers and convince potential customers to move from their established QSA incumbent providers to Axenic – easy as, right!

A massive curveball

Then Covid hit.

The next three months were a blur of quarantine, video conferencing and new ways of working for the team. After the initial Covid ‘fog’ lifted we renewed our efforts to carry on building our fledgling PCI practice. Finding QSA consultants was going to be a challenge under the new Covid norm. Added to this challenge, in order for Axenic to become a QSA company we needed to transfer an existing QSA into our business. This would have required one of our PCI competitors to agree to transfer their QSA staff member from themselves to ourselves to remain certified OR undertake the expensive QSA in-person only training at an overseas training facility…at a time when no one was allowed to go out of or into New Zealand. Fortunately, the PCI council EVENTUALLY relented on the need for this training to be in-person only. The only problem was that this training only occurred periodically AND it filled to capacity very quickly. On the positive, our potential QSA now no longer needed to magically transport themselves overseas to do the exam.

Next, we needed to find the right QSA

Through our usual recruitment process, we were lucky to find a great match of skills, attitude, and self-sufficiency in Johan, who joined us in September. As we were processing Johan’s acceptance letter, we were also busy signing him up for the next QSA course.

Johan was issued the challenge: study for, sit and pass your QSA exam… so we could become a QSA company, so that we could deliver PCI assessments.

After some sleepless nights, Johan passed his QSA course and exam towards the end of October! Everyone involved breathed a sigh of relief. After a lot of back-and-forth communication, the PCI council FINALLY and DEFINITIVELY deemed us a worthy addition to their QSA qualified companies!

Axenic is the PCI Council’s latest QSA registered company. It has been quite a journey; however, we got there in the end, and now the hard work begins: making Axenic the PCI provider of choice for New Zealand businesses and agencies. Contact us today for information on how we can help with your PCI DSS requirements.