A PCI Qualified Security Assessor (QSA) is an individual who has been certified by the PCI Security Standards Council (SSC) to perform PCI DSS assessments for other companies/organizations through independent external consulting services.

The PCI Security Standards Council lists 389 PCI QSA companies on its website. How can you choose a QSA that meets your company’s needs?

In this article we’ve reviewed and compared the top PCI QSA firms that serve US and international clients, in an attempt to shorten your due diligence and make choosing a QSA easier. We’ve also included guidance on the major differences between QSAs and some tips on selecting the right one for your organization.

First: Who Needs a PCI QSA?

Generally speaking, only Level 1 merchants are required to use a QSA. Level 1 merchants are generally entities with over 6 million credit card transactions annually. Level 2 through Level 4 merchants may opt to use a QSA to ensure their PCI compliance. Typically, entities at Level 2 through Level 4 qualify for a self-assessment questionnaire (SAQ), which normally does not require a QSA, unlike a report on compliance (ROC), which typically does. If you aren’t sure whether you need a PCI QSA or what your assessment level is, confirm with your acquirer.

If you have any other questions about QSAs or how to choose a QSA for your business, check out our other article titled PCI Qualified Security Assessors: A Buyer’s Guide.

Value-Added QSAs vs. Cost Leader QSAs

QSAs can generally be grouped into two types: Value-Added QSAs (VAQSA) and Cost Leader QSAs (CLQSA). For simplicity, we will use these acronyms in the remainder of this article; note that they are not commonly used acronyms in PCI compliance.

A VAQSA is a company that will add value to your business and compliance processes. A VAQSA will typically go above and beyond just performing your annual PCI compliance assessment. They may perform additional activities such as answering questions/providing guidance without additional charges and suggesting areas for improvement.

This type of QSAC (Qualified Security Assessor Company) is a partner with you in your compliance journey. Ultimately they will be looking out for your best interests: your security posture, areas of compliance improvement, better data protection recommendations, methods to reduce PCI scope, and more.

A CLQSA is driven primarily by offering your organization the best value, efficiency, and overall assessment cost. While this is not necessarily a bad thing, there are a few details you should keep in mind.

A CLQSA will be focused on finishing your current PCI assessment and moving on to the next assessment with another company. Since CLQSAs need to maximize their client volume, these QSAs will likely be working on multiple assessments at the same time.

Both VAQSAs and CLQSAs will typically perform multiple simultaneous assessments, but most VAQSAs will have a larger number of QSAs available, and service will be their number one priority. This means that if your assessment requires more attention, that QSA will be able to hand off their other assessments to another QSA at the same VAQSA. 

A key point to look out for with CLQSAs is “check-the-box compliance.” This is where a QSAC will look for the bare minimum to meet compliance. Remember, all QSACs and QSAs have QA checks and balances. However, meeting the bare minimum will have you and your company always playing catch-up as new requirements are released and security baselines change. 

In the long run, a VAQSA would provide additional value that far outweighs potential cost savings with a CLQSA. 

Top 5 Value-Added QSAs

Currently, as of the publishing of this article, there are a total of 389 QSACs listed on the PCI SSC website. Some of the QSACs have locations in multiple regions around the world and serve multiple regions. Listed below are some of the best QSACs.

#1: Coalfire Systems Inc.

Pros

    • Highly recognized
    • Strong track record (performs PCI reports for Google, Amazon, Microsoft, etc.)
    • QSA and VSA
    • Performs higher number of assessments
    • PCI DSS v4 assessor
    • Flexible pricing
    • Global company/locations
    • Serves multiple regions
    • Supports multiple languages
    • Offers multiple services

Cons

  • Cost (can be expensive)

Coalfire Systems is one of the biggest names in the compliance space. They perform the PCI assessments for large companies like Google Cloud, Amazon Web Services, Microsoft Azure, and more. If these large corporations choose Coalfire, they must be good at what they do. Coalfire also offers other PCI services apart from QSA work and assessments.

Apart from compliance services, they offer many other cybersecurity services like penetration testing, cloud security, managed services, and vulnerability management to name a few. 

Coalfire also has multiple certifications, awards, and industry recognitions that put them number one in our ranking. 

#2: Payment Software Company (PSC)

Pros

    • Highly recognized
    • Strong track record
    • Performs higher number of assessments
    • Diverse clientele, both small and large companies
    • Digs deep and challenges customers
    • PCI DSS v4 assessor
    • Flexible pricing
    • Global company/locations
    • Serves multiple regions
    • Supports multiple languages
    • Offers multiple services

Cons

    • Unknown cost  

PSC is another industry-leading PCI QSAC. Like Coalfire, PSC is certified by the PCI SSC to perform as a QSAC, Software Security Framework Assessor (SSF), 3-D Secure Assessor Company (3DS), PCI PIN Assessor, Point-to-Point Encryption QSAC (P2PE QSAC), and more.

According to PSC, their clients reach into multiple industries, such as financial services, retail, eCommerce merchants, payment gateways, tech companies, and more. 

PSC ranked second on our list due to their service listings, PCI SSC certifications, and the wide range of client industries they support.

#3: SecurityMetrics

Pros

    • Highly recognized
    • Strong track record
    • Performs higher number of assessments
    • PCI DSS v4 assessor
    • Great overall understanding of compliance and supports multiple frameworks
    • Serves multiple regions
    • Supports multiple languages
    • Offers multiple services

Cons

    • Unknown cost
    • Focus is on smaller companies 
    • Limited locations

SecurityMetrics is a very well-known security company located in the United States. They have more than 20 years of experience performing data security and compliance services. Their employees hold certifications like CISSP, PCI Forensic Investigator (PFI), and multiple other PCI certifications. 

Like PSC and Coalfire, SecurityMetrics has been recognized in the security industry through various awards and recognitions. Based on their experience, their employee certifications, and their industry recognition, they ranked number three on our list.

#4: Advantio

Pros

    • Highly recognized
    • Strong track record
    • Performs higher number of assessments
    • PCI DSS v4 assessor
    • Global company/locations
    • Serves multiple regions
    • Supports multiple languages
    • Offers multiple services
    • Promotes a 3-step compliance approach: scope, gap, and formal assessment
    • Promotes service being on time and on budget
    • Member of the PCI SSC Global Executive Assessor Roundtable (GEAR)

Cons

    • Unknown cost         

Advantio offers a wide range of both professional and technical security services. Their professional services include cybersecurity strategy, a full array of PCI SSC certifications, and ISO 27001, NIST Cybersecurity Framework (CSF), GDPR, SOC 2, and COBIT assessments.

Their technical services include penetration testing of infrastructure/web apps/mobile apps, red team assessments, social engineering, phishing campaigns, physical security assessments, vulnerability scanning, ASV scanning, and stress/capacity testing. 

Based on their vast service offerings, Advantio ranked number four on our list. This is worth keeping in mind if you want to reduce the number of cybersecurity vendors you use: if you are looking for a company that can perform almost any service you need, Advantio is that vendor.

#5: Compliance Control Ltd.

Pros

    • Highly recognized
    • Strong track record
    • Performs higher number of assessments
    • PCI DSS v4 assessor
    • Global company/locations
    • Serves multiple regions
    • Supports multiple languages
    • Offers multiple services

Cons

    • Unknown cost 
    • Does not serve the U.S.

Compliance Control is one of the most well-known cybersecurity companies in Europe. They perform over 200 audits annually for over 300 clients. Like all the other listed companies, Compliance Control also offers a wide array of PCI SSC certifications.

Due to Compliance Control’s presence and reputation in Europe, they landed number five on our ranking. 

QSAC Cost Considerations

In the above section, we discussed the best QSACs based on brand recognition, reputation, and overall PCI SSC certifications. But what about Cost-Led QSACs?

Unfortunately, most QSACs do not publish their pricing online. This is due to several factors, including the specific scoping of each PCI assessment. For this reason alone, the pricing of a QSAC-led PCI assessment can vary greatly.

If you’re primarily in the market for a Cost-Led QSAC, we recommend shopping around among several QSACs before making a final decision. Each QSAC will price your assessment differently. The best way to shop for a QSAC is to request a proposal based on your specific PCI assessment scope and compare proposals. Choose the QSAC that best fits your pricing constraints while also ensuring that they will best meet your PCI assessment requirements.

Tips on Choosing PCI QSACs

The PCI SSC’s QSAC and QSA programs help you vet companies overall. These programs are designed to give you confidence and trust that the organization can provide PCI consulting services to your business.

Even so, it can still be quite challenging for any organization to find the best QSAC for them, purely because of the abundance of options. For this reason alone, it can be daunting even to know where to start in choosing the appropriate QSAC.

Price will always be a significant factor, but the following tips will help you decide the best type of QSAC for you and your organization.

0. Listed on the PCI SSC Website

Any company that is not listed on the PCI SSC website is not approved by the PCI Council to complete reports on your behalf as a QSAC or QSA. This is step 0. For any QSAC or QSA, make sure their credentials are up to date and valid. You can use this link to validate both QSAC and QSA certifications.

1. Added Value

Besides performing the PCI DSS compliance assessment, a great QSAC will add value by helping improve your organization’s overall security posture. A valuable QSAC will assist you in implementing a plan to maintain PCI compliance and improve overall security practices, and will identify potential weaknesses and suggest areas for improvement in your compliance processes. The easiest way to identify a value-added QSAC is to watch them go above and beyond. If the QSAC and their QSAs are looking out for the well-being of your security and your company, you’ve found a Value-Added QSAC.

2. Interview

Just as you would interview any potential employee for your organization, you should interview the QSAC and any QSAs who will be working on your compliance. During this interview, ask curated questions that speak directly to your PCI compliance. Their answers should align with your overall PCI strategy and goals.

Some additional questions may include the following:

How many QSAs will be dedicated to our assessment?

While one QSA may lead the PCI assessment, the QSAC may have multiple employees assisting. This gives you an opportunity to learn the credentials and experience of these other assessors and assistants.

What is the working style of this QSA? 

Is it more hands-off or more hands-on? Do they communicate better via email or via IM chat? Will they have weekly status meetings? How will they share assessment progress?

What is the overall assessment methodology?

What’s the process from start to finish? What can you expect the assessment process to be like? What should you communicate to your employees to better prepare for the assessment?

3. Support

When choosing a QSAC it is important to check if they can support the following criteria, as listed on the PCI SSC website:

  • Market: Some QSACs support organizations globally while some may only serve certain regions. It’s important to make sure that the QSAC is able to support your physical market location. 
  • Supported Language: While a QSAC may support multiple regions, it’s important to verify if they can support the spoken and written language of your organization. This is particularly critical if your organization is international or one that requires PCI compliance support across multiple regions in different languages. Having a multilingual QSA might make the assessment process easier if they are able to speak the native language of employees in other countries. 
  • PCI DSS v4 assessor: PCI DSS version 4.0 isn’t mandated just yet, but it will be sooner rather than later. Therefore you want to make sure your QSAC and their QSAs are getting ready for version 4.0. You can validate a QSA and their version 4.0 training on the PCI SSC website using the link above. Version 4.0 QSAs are able to provide guidance and information that can help you and your organization begin the transition from version 3.2.1 to version 4.0. 

4. Location

Since the COVID-19 pandemic, remote assessments have been more widely accepted by the PCI SSC than before. However, there are some situations where having a QSA onsite might be a better option for your organization. Onsite visits will add QSA travel expenses to your assessment bill. For this reason, when choosing a QSAC, you may want to consider location and potential travel expenses.

5. Experience + Reputation

It’s important to find out how much experience the QSAC and their QSAs have. Here are some helpful questions to ask the QSAC or QSA to establish their experience and reputation:

  • How long has the QSAC been in business?
  • How many years has the QSA been certified as a QSA?
  • What is the QSA’s level of technical knowledge and expertise? Do they hold any other certifications in this space?
  • What is the QSA’s level of security knowledge and expertise? Do they hold any other certifications in this space?

6. Client Retention Rates + References

Another good data point to look into when choosing a QSAC or QSA for your organization is their client retention rate. This can provide excellent insight into whether clients prefer working with them. Because it is common in the industry to rotate QSACs for a fresh set of eyes, great client retention is a good indication that a QSAC is well liked by its clients.

Beyond asking the QSAC directly, references can be even more valuable. An organization should review several references before committing to a QSAC.

7. Availability

There are several availability indicators that can give you insight into the service you might receive from the QSAs the QSAC assigns to you. If your assigned QSAs don’t meet your requirements on some of the following questions, you may want to ask for other QSAs or look for a different QSAC.

  • What kind of availability will the QSA have for your assessment?
  • Will the QSA work during your company’s working hours?
  • Will the QSA be able to meet your company’s compliance deadlines?
  • What is the typical turnaround for the PCI assessments performed by the QSAC and QSA?

8. Service Offerings

If you require other cybersecurity services, the QSAC may also be able to offer additional services to your organization. Some QSACs can offer the following:

  • General Cybersecurity Consulting
  • Penetration Testing
  • Risk Assessments
  • Vulnerability Scanning + ASV Scanning
  • Training

Having the QSAC involved in other projects can help reduce the time those projects take. As their QSAs become more familiar with your organization, they can make better recommendations and become more aware of the intricacies within your organization.

Copyright © 2022 Network Assured