If you are a level 1 merchant or service provider, or your acquiring bank views your organization as high risk, you must be compliant with the full Payment Card Industry (PCI) Data Security Standard (DSS). Additionally, in order to validate your compliance, you will be required to have a Qualified Security Assessor (QSA) perform a detailed audit that provides you with a Report on Compliance (RoC) and Attestation of Compliance (AoC). If your organization falls into this category, you are likely concerned with trying to budget appropriately. In this blog, we will explore the cost of a QSA on-site assessment and the main factors contributing to the cost.
Cost of a QSA On-Site Assessment
As with every type of assessment and service we offer, the cost of a QSA on-site assessment is directly correlated with the amount of time it will take our engineers to complete the assessment. The largest operating cost for any security firm is the salary of its engineers. We pride ourselves on acquiring and retaining top talent in the realm of information security, penetration testing, and compliance audits. In addition to these high standards for quality, the engineer performing a QSA On-Site Assessment must be certified by the PCI Council as a Qualified Security Assessor (QSA), and our company must be a certified QSA company as well.
Unfortunately, because of the time involved, the quality of the resources required to complete the assessment, and the cost associated with maintaining our status as a QSA company, a QSA on-site assessment is one of the more costly services we offer. This cost will vary depending on the size and complexity of the assessment, but on average you should budget between $20,000 – $30,000 for the assessment.
Contributing Factors to the Cost of a QSA On-Site Assessment
Understanding that this is a significant cost for most of our clients, we want to work with you in every way possible to ensure you understand how we arrive at this cost and help keep this cost down as much as possible. There are several things we can try and do to reduce this cost:
- Sampling – PCI DSS allows the QSA to sample, where applicable. For example, if you are a retailer with 100 stores, and there is reasonable assurance that these stores are all configured exactly the same, the QSA can choose to audit 10 of them each year. Determining the sample is ultimately up to the QSA and will depend on their confidence that the sites do not vary from one to another, since the end goal is to reduce sampling risk and perform a valid assessment. At Triaxiom, we will have your QSA on the initial scoping call so we can determine an appropriate strategy that balances cost with the sufficiency of the audit to meet PCI DSS requirements.
- Multi-Year Contracts – Another way to significantly reduce the cost associated with a QSA On-Site Assessment is to have a multi-year contract in place. This helps for two reasons. First, we offer a 10% discount on multi-year contracts as it allows us to forecast resources better. Second, because we have a relationship with you, we will be able to more accurately scope the assessment and potentially even reduce the sample size each year. As we are familiar with your business practices and procedures, your engineer will not be required to start from scratch learning your environment, which reduces the amount of time it takes and ultimately reduces the cost.
- Preparation – Finally, ensure you are prepared for the audit. This means dusting off the PCI DSS requirements and ensuring your company is fully compliant before the auditor arrives. Gather all of the required documentation and evidence you can ahead of time. Perform a self-assessment, or have a qualified third party come in and do a pre-consultation. If, during the actual assessment, there are controls that are not in place, we will be required to come back out and re-validate after the remediation actions have been completed. For more tips on preparing for an on-site assessment, check out our top 10 recommendations.
In this blog, we explored the cost of a QSA on-site assessment, what makes it more expensive than other assessments, and several tips that may help reduce the cost of the assessment. As always, we are committed to partnering with our clients. If you have a question or want to talk through what it would look like in your organization, give us a call.