
How to Select a PCI DSS QSA

A practical guide to selecting a Qualified Security Assessor (QSA) for PCI DSS — evaluating firms, cost drivers, engagement scope, and what to expect during the assessment.

Why QSA selection matters

For any PCI DSS program that requires a Report on Compliance -- typically Level 1 merchants and service providers -- the Qualified Security Assessor (QSA) is the single most important third party you will engage. The QSA signs the Attestation of Compliance that your acquirer relies on, interprets ambiguous PCI DSS requirements in the context of your environment, and sets the tone for how smoothly the assessment runs. A strong QSA makes your PCI DSS program sharper. A weak QSA makes every control feel punitive and every evidence request ambiguous. Selecting the right QSA is therefore a multi-year decision that shapes cost, risk, and internal credibility.

PCI DSS QSAs are individuals; QSA Companies (QSACs) are firms. The PCI SSC accredits both. Individual QSAs pass annual training and requalification, and QSACs carry firm-level accreditation, quality assurance obligations, and reporting duties. The PCI SSC publishes the master list of QSACs and the regions each is authorized to work in. Your first filter is straightforward: the firm must be an active QSAC authorized in your geography.

Criteria for evaluating PCI DSS QSA firms

Look beyond the PCI SSC list when choosing a QSA. The firms on it vary dramatically in size, philosophy, and operational approach. Evaluate candidates on the following:

Industry and technology fit

Does the QSA firm regularly assess organizations like yours -- same transaction volume, same acceptance channels, same cloud and data stack? A QSA that has signed a hundred AWS-native SaaS ROCs will understand your PCI DSS scoping questions in ways a QSA fresh from brick-and-mortar retail will not. Ask for two or three references with similar profiles, and talk to them.

QSA tenure and turnover

Individual QSAs carry the assessment experience. Ask who specifically will be assigned to your engagement, how long they have been a certified QSA, and what their history is with payment technologies relevant to you. High turnover at a QSAC is a yellow flag because the person who scoped your program in year one may not be there in year three.

Methodology and deliverables

Request a redacted sample ROC and sample evidence requests. A well-written ROC is clear, precise, and tells your story without padding. Watch for generic narratives that could describe any merchant -- that is a sign of a firm running every client through the same template.

Technology support

Modern QSA firms use assessment platforms, evidence portals, and integrations into GRC tooling. If your program runs on a GRC platform (like episki), ask how they collaborate via that tool rather than an email chain of spreadsheets. The QSA experience improves dramatically when evidence lives in one system.

Geographic coverage

PCI DSS assessments often require on-site testing at data centers, retail stores, or call centers. Confirm that the QSAC can reach every site you need assessed without stacking excessive travel fees.

Pricing transparency

Ask for a written scoping questionnaire and a fixed or capped fee. Beware of open-ended time-and-materials contracts where the QSA's incentive is to expand hours. Confirm what is included: scoping, readiness, the ROC, the AOC, rescans, and remediation advisory. Clarify what is billed separately: additional sites, pen testing support, scope expansion.

Quality assurance program

The PCI SSC requires QSACs to maintain QA processes over their ROCs. Ask how the firm's QA works, who reviews the ROC before it leaves the firm, and what their error rate has been in PCI SSC audits.

Red flags

Avoid QSAs that promise to "make the assessment easier" in ways that would compromise independence. Avoid firms that pitch aggressive advisory services alongside the assessment engagement -- the PCI SSC has rules on independence that can be violated when advisory work gets too close to the assessment scope. Walk away from QSAs who will not share a sample ROC or references.

Engagement scope and phases

A standard PCI DSS QSA engagement runs in five phases:

  1. Scoping -- the QSA works with you to confirm the CDE, the in-scope systems, the card acceptance channels, the controls that apply, and the testing approach. Scoping is where customized approach decisions get documented, targeted risk analyses are reviewed, and segmentation boundaries are walked through. Skipping or rushing scoping is the most expensive PCI DSS mistake a program can make.
  2. Readiness or gap assessment -- optional but common. The QSA reviews your existing evidence against every applicable PCI DSS requirement and produces a prioritized findings list. Readiness gives you a runway to remediate before fieldwork begins.
  3. Evidence collection and fieldwork -- the bulk of the engagement. The QSA requests evidence, interviews control owners, reviews configurations, watches live demonstrations, and samples systems. Fieldwork can be on-site, remote, or hybrid.
  4. Drafting and QA -- the QSA writes the ROC, the QSAC performs internal QA, and you review for factual accuracy. This phase usually surfaces last-minute evidence gaps.
  5. Final deliverables -- the QSA issues the final ROC, the AOC, and any supporting attestations. You submit to your acquirer.

Each phase has its own effort profile. Scoping is a few weeks. Readiness is typically a month. Evidence collection and fieldwork is the longest phase and can span two to four months in Level 1 environments. Drafting is a few weeks.

Cost drivers for PCI DSS QSA engagements

PCI DSS QSA costs are driven by complexity, not just size. The major drivers are:

  • CDE size and heterogeneity -- more systems, more platforms, more clouds, more cost.
  • Number of physical sites requiring on-site testing.
  • Acceptance channels -- e-commerce, card-present, MOTO, mobile, and call center each require testing.
  • Third parties -- each service provider in scope adds evidence review effort.
  • Program maturity -- mature programs with strong evidence and automation burn less QSA time than programs that assemble evidence manually.
  • Customized approach usage -- every requirement met through the customized approach needs a targeted risk analysis and additional testing, both of which add cost.
  • Remediation support -- advisory and rescans between fieldwork and ROC delivery can add meaningful cost if they are not made explicit in the SOW.

A rough range: small service providers with a tight CDE might pay $40,000 to $80,000 for an annual ROC. Mid-size SaaS providers typically land between $100,000 and $250,000. Large multinational retailers with thousands of stores routinely exceed $500,000 per year.

What to expect during the assessment

Expect the PCI DSS QSA to ask for evidence directly from source systems rather than summary spreadsheets. Expect live walkthroughs of SIEM dashboards, patch management consoles, identity systems, and firewall managers. Expect sampling: the QSA will pick a subset of systems, users, or change tickets and test them in depth. Expect questions on exceptions -- every control has edge cases, and the QSA will probe how you handle them.

Plan for a dedicated PCI DSS program lead who is the single point of contact for the QSA. That lead aligns internal subject-matter experts to evidence requests, tracks outstanding items, and keeps the assessment on schedule. A part-time owner trying to juggle the QSA with other duties is the most common cause of schedule slip.

How this fits into PCI DSS compliance

The QSA is the custodian of your PCI DSS attestation. Everything else in your PCI DSS program -- your ASV scans, penetration tests, policies, segmentation, control automation -- exists to be evaluated through the QSA's lens. Choosing the right QSA multiplies the effectiveness of every PCI DSS investment you have already made. Choosing poorly introduces friction, rework, and interpretation disputes that drain PCI DSS program capacity all year.

Common mistakes

  • Shopping on price alone and ending up with a QSA whose methodology drives months of avoidable rework.
  • Skipping references and discovering only after signing that the QSA has no experience with your technology stack.
  • Not locking down scope in the SOW, letting the engagement drift into unbudgeted advisory work.
  • Giving the QSA raw access to production systems instead of a prepared evidence package, burning time on discovery instead of assessment.
  • Treating the readiness phase as optional when meaningful remediation is needed before fieldwork.
  • Rotating QSAs too often, losing the institutional context that makes year two and beyond faster.
  • Holding the QSA at arm's length instead of making them a collaborative partner through the engagement.
  • Failing to align the QSA and ASV so findings from one program contradict or duplicate the other.

How episki helps

episki gives your QSA a scoped, read-only workspace where they can see every PCI DSS control, its evidence, and its testing history without chasing spreadsheets and screenshots. That shortens fieldwork, reduces QSA hours, and helps your assessment team focus on the handful of PCI DSS controls that actually need discussion. Learn more on the PCI DSS hub.
