Top PCI DSS QSA Companies & Auditors
PCI DSS assessments must be performed by a Qualified Security Assessor (QSA) company approved by the PCI Security Standards Council. There are approximately 389 QSA companies globally. Choosing the right QSA affects the efficiency of your assessment, the quality of your Report on Compliance (ROC), and your ongoing relationship with your acquiring bank.
What to Look For in a PCI DSS Auditor
- Verify the firm is listed on the PCI SSC website as an approved QSA company — this is non-negotiable for issuing a Report on Compliance (ROC).
- Ask how many PCI DSS assessments the firm performs annually and their experience with your specific SAQ type or Level 1 ROC.
- Check if the firm has experience with your payment processing architecture (e-commerce, in-store POS, mobile payments, payment facilitator, etc.).
- Ask about their approach to scope reduction and segmentation — a good QSA helps minimize your Cardholder Data Environment (CDE).
- Confirm the firm offers PCI DSS v4.0 assessments, as v3.2.1 has been retired.
- Request references from merchants or service providers at your PCI reporting level.
- Ask whether the firm also offers ASV (Approved Scanning Vendor) services, penetration testing, and P2PE validation.
PCI DSS Auditor Firms
Trustwave (VikingCloud)
The world's largest PCI QSA company, having assessed more organizations for PCI compliance than any other firm. Now operating under the VikingCloud brand, they offer QSA services, managed security, and compliance technology platforms.
Coalfire
Major cybersecurity firm and PCI QSA company with extensive experience across all merchant levels and service provider types. Coalfire is known for complex, large-scale PCI assessments in retail, financial services, and payment processing.
SecurityMetrics
One of the most affordable QSA companies, SecurityMetrics is popular with smaller merchants and service providers. They also serve as an Approved Scanning Vendor (ASV) and offer integrated compliance management tools.
Schellman
PCI QSA company that excels at multi-framework assessments. Schellman can combine PCI DSS with SOC 2, ISO 27001, and HITRUST assessments, which is valuable for service providers who need multiple compliance reports.
A-LIGN
PCI QSA company offering assessments alongside SOC 2, ISO 27001, and HIPAA services. A-LIGN is popular with technology companies and payment service providers that need efficient multi-framework compliance.
KirkpatrickPrice
Nashville-based QSA company known for competitive pricing and a technology-forward audit approach. They serve merchants and service providers across all PCI reporting levels.
Foregenix
UK-based QSA company with global operations, specializing in PCI DSS and payment security. Foregenix is also a PCI Forensic Investigator (PFI), providing forensic investigation services for payment card data breaches.
ControlCase
US-based QSA and compliance firm with global delivery capabilities. ControlCase is known for its unified compliance approach, offering PCI DSS alongside dozens of other frameworks through a single integrated assessment.
Pricing & Timeline
Typical Pricing
$10,000 – $90,000
Depending on organization size, scope, and complexity. First-time assessments may include readiness and gap analysis fees.
Expected Timeline
2-4 weeks for scoping and gap assessment, 4-8 weeks for the on-site/remote assessment, and 2-4 weeks for ROC/AOC issuance. Total time from kickoff to final report is typically 2-4 months.
Prepare for your PCI DSS audit with PoliWriter
Walk into your audit with policies already drafted and evidence organized. PoliWriter generates PCI DSS-specific policies customized to your infrastructure, saving weeks of preparation and reducing auditor billable hours.
Frequently Asked Questions
What is a QSA and why do I need one?
A Qualified Security Assessor (QSA) is an individual certified by the PCI Security Standards Council to perform PCI DSS assessments. QSA companies employ these individuals. Level 1 merchants and service providers must have their PCI DSS assessment performed by a QSA.
What is the difference between SAQ and ROC?
A Self-Assessment Questionnaire (SAQ) is for smaller merchants who can self-assess their PCI compliance. A Report on Compliance (ROC) is a detailed assessment report completed by a QSA, required for Level 1 merchants and service providers.
How often is a PCI DSS assessment required?
PCI DSS assessments are required annually. Level 1 merchants need an annual QSA assessment, while smaller merchants typically complete annual SAQs. Quarterly ASV scans are also required for externally facing systems.
What changed in PCI DSS v4.0?
PCI DSS v4.0 introduced a customized approach (in addition to the defined approach), new requirements for multi-factor authentication, expanded encryption requirements, and stronger e-commerce security controls. PCI DSS v3.2.1 was retired on March 31, 2024.
How much does a PCI DSS assessment cost?
PCI DSS assessments range from $10,000 for smaller merchants to $90,000+ for Level 1 merchants or complex service providers. Cost depends on scope, number of locations, cardholder data environment complexity, and whether remediation support is included.
Can I reduce the scope of my PCI assessment?
Yes. Scope reduction through network segmentation, tokenization, and point-to-point encryption (P2PE) can significantly reduce PCI DSS assessment costs and effort. A good QSA will help you identify scope reduction opportunities.
Do I need an ASV scan in addition to a QSA assessment?
Yes. PCI DSS requires quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), which is separate from the annual QSA assessment. Many QSA companies also hold ASV status and can provide both services.