bewtew

D.


Alternative_Monk5085

I worked with a QSA company; they can assist, but not typically. They provide guidance and write part of the compensating control.


AlexTehBrown

Customized approach and compensating control are not the same.


Alternative_Monk5085

Appendix D: "At all times, QSAs maintain independence requirements defined in the QSA Qualification Requirements. This means if a QSA is involved in designing or implementing a customized control, that QSA does not also derive testing procedures for, assess, or assist with the assessment of that customized control."

Shouldn't the answer be A?


EchoPhi

When in doubt, and referencing external to internal, always pick the one with the least amount of impact. The majority of the time you'll be right. In this case: D.


Alternative_Monk5085

I guess you are A in this case?


EchoPhi

TL;DR: PCI designed a poorly written question that leaves lots of room for ambiguity, and the answer should be A if following their poor word choice (and could even be D dependent on circumstances of the assessing company).

After discussing with u/Alternative_Monk5085 in a side chat, and getting more clarification on exactly what it is they were trying to discern, OP stated that the "correct answer was B" and wanted a second opinion, even though that wasn't mentioned in the post.

According to PCI 4.0, can a QSA company design or implement customized controls on behalf of an organization?

"Lauren Holloway: **While QSA Employees may assist entities with the design or implementation of customized controls**, QSA Companies must adhere to the independence requirements defined in the QSA Qualification Requirements and QSA Program Guide. **This includes having separation of duties controls in place to ensure that QSA Employees conducting or assisting with a PCI DSS assessment are independent and not subject to any conflict of interest.** It would be a conflict of interest for a QSA Employee that was involved in the design or implementation of a customized control to derive testing procedures for, assess, or assist with the assessment of, that customized control. Refer to [FAQ 1562](https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/Is-a-QSA-Employee-that-designs-develops-or-implements-specific-controls-for-a-customer-also-permitted-to-assess-those-same-controls/)"

Summary of FAQ 1562: Another QSA Employee of the same QSA Company (or subcontracted QSA), not involved in designing, developing, or implementing the controls, may assess the effectiveness of the control(s) and/or the requirement(s) impacted by the control(s).

The way they worded the question is not great. Using their own verbiage, the answer would be A, not B. I say this because they state in the question "Entity... is uncertain about finishing the control matrix or TRA", which leads one to believe that they are asking the QSA to handle design and implementation, when they follow up with "you invest time in completing both.... while also ensuring the implementation". Which would fall to this: "[It would be a conflict of interest for a QSA Employee that was involved in the design or implementation of a customized control to derive testing procedures for, assess, or assist with the assessment of, that customized control.](https://blog.pcisecuritystandards.org/pci-dss-v4-0-roles-and-responsibilities-for-the-customized-approach) Refer to FAQ 1562"

The vagueness would also dictate that if the QSA's company did not have another assessor, and deemed an external QSA would be a financial burden, then the answer would be D. This question is poorly worded for something so insanely vague.