How to choose a PCI QSA firm
A Qualified Security Assessor (QSA) issues the Report on Compliance that your business needs if you're a Level 1 merchant or service provider. Picking the wrong one costs you time, money, and audit findings. Here's how to make a good choice.
1. Confirm you actually need a QSA
Not every organization needs a QSA. Your PCI compliance level is set by your acquiring bank, and it depends on your annual card transaction volume. Level 1 (typically 6M+ transactions per year) and most service providers must undergo a QSA-led on-site assessment. Levels 2-4 can use a Self-Assessment Questionnaire (SAQ), which is significantly cheaper.
If you don't actually need a QSA, the cost of a full audit is a waste. Confirm your level with your acquiring bank before you start shopping.
2. Make sure the firm is currently certified by PCI SSC
QSA status is renewed annually. A firm that was certified in 2022 but didn't renew in 2023 is not allowed to issue a current ROC. Verify the firm's status against our directory, which is sourced from the PCI Security Standards Council's current list, or directly on the PCI SSC website.
3. Match their geography to yours
A QSA firm with assessors in your country and language will move faster and cost less than one that has to fly people in. Most large QSA firms have global coverage; smaller firms may only cover one or two regions. Use the region filters on /qsa or browse by country: Australia, Japan, Canada, and others.
4. Ask about Associate QSA (AQSA) support
Larger engagements benefit from a team rather than a single assessor. Firms that employ Associate QSAs (AQSAs, assessors in training who work under a certified QSA) can scale their bench for big projects. The directory shows AQSA support as a filter; see the full list for the count.
5. Look for industry experience
A QSA firm that has done ten assessments in e-commerce will move faster through your assessment than one whose experience is mostly in retail point-of-sale. Ask for two or three references in your industry before you sign.
6. Get a clear statement of work
Before you engage, the firm should give you a written SOW that includes:
- The standard they're assessing against (PCI DSS version, e.g. 4.0)
- The in-scope systems and locations
- Total fixed fee, or a clear hourly estimate with a cap
- Timeline: when fieldwork starts, when the draft ROC is delivered
- What's not included (remediation, retest fees, additional scope)
Avoid firms that quote on time-and-materials without a cap. Audit scope creep is real, and an open-ended engagement can easily double the budget.
7. Understand the readiness vs audit split
Most QSA firms offer a separate readiness assessment (gap analysis) before the formal audit. Readiness is optional but recommended: it surfaces the gaps your team needs to close before the auditor arrives, and it makes the formal audit faster and cheaper. Don't skip it on a first-time engagement.
8. Check the firm's other clients
A QSA firm that already audits your competitors may have a conflict of interest. Ask directly. Most large firms can wall off teams to avoid conflicts, but smaller firms sometimes can't, and that's worth knowing before you sign.
Common mistakes to avoid
- Picking on price alone. The cheapest firm is rarely the best value. A weak auditor who misses a control gap can leave you exposed; remediating after the fact is expensive.
- Skipping references. Talk to two or three current clients in your industry. Ask about responsiveness, how the firm handled unexpected findings, and whether the engagement finished on budget.
- Not budgeting for remediation time. Almost every first-time ROC has findings. Build at least 30 days of remediation time into your plan after fieldwork.
- Choosing a firm that doesn't do a readiness assessment. If a firm won't help you prepare, they're either too busy (red flag) or they're going to bill you for discovery time during the formal audit (more expensive).
What to ask in your first call
Keep it short. Five questions and fifteen minutes, and you'll know whether the firm is worth a deeper conversation.
- How many PCI DSS 4.0 assessments has your team completed in the last 12 months?
- Do you have QSAs who can work in [your language]?
- What's a typical engagement timeline for a company our size?
- What's your fixed-fee vs time-and-materials approach?
- Can you give me two references in [your industry]?
Ready to start?
Browse the full PCI QSA directory, filter by region or AQSA support, and reach out to three or four firms for a conversation. For background reading, see the FAQ for common questions about cost, timeline, and QSA scope.