Attestio

Frequently asked questions

Quick answers about PCI QSA firms and SOC 2 auditors. For detailed guidance, see our how to choose a PCI QSA guide.

What is a PCI QSA?

A Qualified Security Assessor (QSA) is a person or company certified by the PCI Security Standards Council (PCI SSC) to audit merchants and service providers for compliance with the Payment Card Industry Data Security Standard (PCI DSS). QSAs issue the Report on Compliance (ROC) that organizations at Level 1 transaction volumes typically need.

How do I find a PCI QSA firm?

Use a current PCI QSA directory (this one is sourced from PCI SSC's official list), filter by the regions your business operates in, and check whether the firm employs Associate QSAs (AQSAs) if you need additional assessor bandwidth. The full PCI QSA list is also maintained on the PCI SSC website.

How much does a PCI DSS audit cost?

A ROC-level PCI DSS audit typically ranges from $20,000 to $100,000+ for a single year, depending on the size of the cardholder data environment, the number of in-scope systems, and the QSA firm's pricing. Smaller organizations may use a Self-Assessment Questionnaire (SAQ) instead, which is significantly less expensive.

What is a SOC 2 audit?

A SOC 2 audit is an independent assessment of a service organization's controls against the AICPA's Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy). The auditor issues a SOC 2 report (Type 1 at a point in time, or Type 2 over a period) that the service organization can share with customers and prospects.

How long does a SOC 2 audit take?

A SOC 2 Type 1 typically takes 4-8 weeks from kickoff to report. A SOC 2 Type 2 requires an observation window of 3-12 months, so the total timeline is usually 3-9 months. Readiness assessments (pre-audit) typically add another 2-6 weeks before the formal audit window opens.

How much does a SOC 2 audit cost?

A SOC 2 Type 1 audit typically runs $10,000 to $30,000. A SOC 2 Type 2 audit typically runs $20,000 to $80,000+, depending on the company's complexity, number of systems, and the auditor's pricing. Readiness work (gap analysis, control implementation) is a separate cost, often comparable to the audit itself.

What is the difference between a SOC 2 Type 1 and Type 2 report?

A SOC 2 Type 1 report describes the design of controls at a specific point in time. A SOC 2 Type 2 report tests the operating effectiveness of those controls over a period (usually 3, 6, or 12 months). Type 2 reports carry more weight with customers because they prove the controls actually work in practice, not just on paper.

What is an Associate QSA (AQSA)?

An Associate QSA is a QSA-in-training who can participate in PCI DSS assessments under the supervision of a fully qualified QSA. Firms that employ AQSAs can scale their assessment capacity. For clients, an AQSA on the engagement means broader staffing and faster scheduling.

Do all merchants need a QSA?

No. PCI DSS compliance level depends on the volume of card transactions processed annually. Level 1 merchants (typically 6 million+ transactions per year) and most service providers must undergo an on-site assessment by a QSA. Level 2-4 merchants typically use a Self-Assessment Questionnaire (SAQ) instead. Your acquiring bank determines your level.

Can a QSA firm help with readiness before the audit?

Yes. Most QSA firms offer readiness assessments (gap analyses) that identify the controls you need to implement before the formal audit. Readiness work is usually a separate engagement from the audit itself, but it makes the formal audit faster and less likely to surface findings.