A client instance license is issued according to our SaaS agreement. The license is issued for a limited term and sets a limit on the number of active client user accounts (QSAs, Associate QSAs, Project Managers, Administrators, Technical Editors, QA staff: any employees of the QSA Company). Disabled accounts do not count towards the user account limit.
“Client Users” accounts, i.e. accounts of employees of the company being assessed, do not count toward the licensed account limit.
For larger installations, there is a limit on the number of simultaneously running servers.
Our preferred option for hosting the TurboQSA system is Amazon AWS. We provide a template that allows for the entire environment to be spun up in minutes, inside the QSA Company’s AWS account. This option ensures you maintain full control over encryption keys and sensitive data storage.
Other options, such as Microsoft Azure, Google Cloud, Oracle Cloud or on-premises hosting, are possible but require a custom installation Work Order and come with a custom support agreement.
In either case, the client is liable for all hosting charges pertinent to the client’s instance.
TurboQSA has built-in tools for user support: any active user can file a ticket right from the system’s web interface. This is the preferred way to handle support requests, because it lets us collect additional information that can be used to accurately cross-reference a potential issue with error logs or site events.
Additionally, we extend support channels to all our clients with our Discord server. Access and authentication for the Discord channel are provided along with your license agreement.
For urgent support needs, you can reach us at +1 (877) 222-5275.
There are a number of video walk-throughs covering key pieces of TurboQSA functionality and we recommend these for any educational needs.
We provide our clients with a User Manual covering both the QSA and Customer sides of TurboQSA.
Additionally, TurboQSA is open to hosting webinars for licensed QSA Company employees.
We are always looking for new ideas for improving our product and providing the best service possible. We consider two buckets of feature requests:
Universal improvements, features and fixes that would benefit any TurboQSA customer. These go straight into our roadmap.
Custom programming improvements designed to fit a particular company’s workflow or business process. These improvements require a Statement of Work and custom programming fee. Changes implemented this way are released behind a feature enablement flag, targeted at the customer ordering the change.
Suitable ways to let us know about a potential improvement or to request a new feature are the Support or Discussion Discord channels, or an email to support@turboqsa.com and/or sales@turboqsa.com.
Currently, TurboQSA focuses on PCI DSS Report on Compliance and supports assessments for Merchants and Service Providers alike.
Your clients, employees and contractors affiliated with the company being assessed use TurboQSA for free for the duration of the assessment, and their TurboQSA user accounts do not count towards the licensed user limit.
There are no extra fees to get your client to use the system.
YES.
TurboQSA supports the new standard, v4.0 rev 1 (as of the moment of writing this answer).
Please sign up for a demo to see the new process in our Pilot portal.
Yes, being able to create a printable version of the report on compliance (v3.2.1 and v4.0) is a key feature of TurboQSA, and licensed clients would benefit from it when they complete their PCI DSS assessments with the TurboQSA product.
TurboQSA is designed with data protection in mind. Assessment data, including PII and other sensitive information, is encrypted at rest while stored in databases and file storage systems. You are always in control of the encryption keys, and TurboQSA personnel do not have access to your client’s or your company’s data.
Data is also protected in transit with TLS (HTTPS).
It is possible to purchase additional licensed user packs for your license, at a prorated cost.
You can use the TurboQSA product for remote assessment practices, as long as you comply with PCI SSC requirements and recommendations. Many assessment procedures can be performed remotely, and TurboQSA is here to help you facilitate them.
Currently, TurboQSA does not support generating Self-Assessment Questionnaire (SAQ) documentation. At the same time, we have optimized the ROC assessment process to take advantage of SAQ status and type for clients compliant with different SAQ levels.
TurboQSA will create an AOC (Attestation of Compliance) document for you, based on the data provided with ROC and additional QSA input.
For the DSS v4.0 standard we provide limited localization support for AOC.
The TurboQSA product comes equipped with Audit Log and Engagement reports that help QSAs, managers and executives track progress and the engagement of all parties on the project. Worried that the client is not responding and not providing answers to your questions? Now you have data to back up your claims.
Report sanitization is currently not supported, but we have this feature in our roadmap.
Currently there is no Zoom integration implemented. Please schedule Zoom meetings using your corporate account.
Currently there is no Google Meet integration implemented. Please schedule Google Meet meetings using your corporate or personal account.
Clients have limited access to certain controls and requirements on the report, on a need-to-know basis. Access control is implemented based on assigned Responsibility Areas.
Your clients will not be able to generate the ROC using the TurboQSA product; this feature is limited to QSA users of the QSA Company.
Responsibility Areas can be assigned to Client Contacts or Client Users, i.e. employees or contractors affiliated with the company being assessed. As you interview or prepare to interview area experts, you can assign some of them one or more Responsibility Areas, to inform the TurboQSA system that these individuals should be considered sources of information for the relevant ROC requirements and controls.
Here is a complete list of currently implemented Responsibility Areas:
Antivirus Software Configuration and Management (not required for Linux)
ASV Scans
Database Administrators & Owners (provisioning, managing and maintenance of company databases)
Encryption of Data in Transit (including Wireless)
Encryption Standards and Implementation for storage of cardholder data (not required if they do not store any CHD)
Firewall and Routers Configuration and Management
Human Resources and Training Coordination
Incident Response and Log Monitoring (policy, IR plan)
Information Security Management (risk assessments, security policies, service provider management, security awareness program, background checks, legal)
Internal and External Vulnerability Scanning
Network Architecture Operations and Management
Patch Installation & Management (testing, configuration, installation and maintenance)
Penetration Testing
Physical Access Control (video cameras, locks, keys, visitors, security of media)
Servers and Workstations Configuration and Management
Software Development Processes (coders, managers, approvers, change control)
User Account Management (manages new users, maintaining user accounts, ensures no shared account use, terminating users, multi-factor auth)
Users Privilege Management (DBs, filesystems, logins, etc.; defines access restrictions and policies)
Wireless Configuration and Management
Currently TurboQSA does not support creating custom Responsibility Areas; we believe that our curated list covers 100% of scenarios.
Yes, you are free to assign or unassign as many QSAs on a project as you see fit. We recommend having a Lead QSA and a Reviewer (with QSA credentials) as a minimum.
TurboQSA supports several quality control measures:
Tracking item progress to make sure no stone is left unturned and no control remains without a response.
Highlighting incomplete Compensating Controls Worksheets.
Review process to ensure each control or requirement eligible for review receives attention from another person with QSA credentials.
Optional QA stage in the workflow, enabled at the QSA Company level.
TurboQSA is a software product for QSA Companies and ISAs. TurboQSA helps facilitate PCI DSS Assessments supporting versions 3.2.1 and 4.0 of the standard.
Unlike most other QSA tools on the market, TurboQSA is capable not only of capturing evidence, responses and other assessment artifacts, but also of printing a ROC (Report on Compliance).
TurboQSA fills a gap in the market: while many QSA companies have home-grown productivity tools for v3.2.1 PCI DSS assessments, few have any software support for the new version, v4.0.
While the standard organically evolved from v1.0 to v2 and all the way to v3.2.1, allowing companies to evolve their tools as well, the change to v4.0 is more radical and calls for a new tool set. TurboQSA is that tool set.
Yes. While you can work with TurboQSA in an almost air-gapped setting, with only QSAs accessing the product, it is really built with collaboration features in mind.
TurboQSA lets you get your client fully engaged in the assessment, allowing them to provide responses and evidence and, in the case of the Customized Approach, even a Custom Controls Matrix.
QSAs and Client Representatives can use TurboQSA to schedule and track interviews, feeding right into the Evidences sections of the report.
Multiple assessors can work on the same report simultaneously, removing peer review and QA bottlenecks from the assessment process.
Yes. TurboQSA supports generating the following documents:
ROC (Report on Compliance), PCI DSS v3.2.1 and v4.0
AOC (Attestation of Compliance), for Merchants and Service Providers; 7 languages supported
Supplemental Attestation of Compliance
INFI (Items Noted for Improvement); 7 languages supported
Optional documents:
Workpapers Archive
Workpapers spreadsheet
Remediation List
Project Status Report
Evidence Archive