What is the Difference Between a PCI Gap Analysis and a QSA On Site Assessment?

When clients are trying to get PCI compliant, Triaxiom has two primary offerings that can help them. First, we offer a PCI Gap Analysis where we will come in, identify the scope of your environment and take an interview-based approach to identifying any gaps in your compliance and strategies to close those gaps. Alternatively, Triaxiom is certified by the PCI Council to perform Qualified Security Assessor (QSA) on-site assessments. This is a more involved engagement that requires onsite validation to verify the existence of security controls. The next logical question is what are the primary differences between a PCI Gap Analysis and a QSA On Site Assessment?

PCI Gap Analysis

During a PCI Gap Analysis, Triaxiom will assign a PCI QSA to your project who will sit down with you and take an interview-based approach to auditing your adherence to PCI DSS standards. To start, your QSA will discuss with you the scope of PCI within your organization, as well as different strategies to help reduce that scope. Once your scope is established, we’ll work through the PCI Self-Assessment Questionnaire (SAQ) and evaluate your compliance. At the end of the project, you will have an SAQ and an Attestation of Compliance (AOC) filled out for you. Triaxiom will be listed as a QSA who assisted you in filling out the SAQ, however, the key distinction is that you will be the one ultimately signing off and attesting to your own compliance.

QSA On Site Assessment

Meanwhile in a QSA On Site Assessment, the steps are roughly the same, but the rigor is significantly increased. In this case, Triaxiom is acting as a certified auditor and specifically auditing your compliance. Therefore, we are required to not only ask whether you meet a specific control, but then validate and observe for ourselves that you are in fact meeting the intent of the requirements with those controls. An easy example of this are your password requirements. In a gap analysis, we will ask what your password policy is and make sure that policy meets compliance, but ultimately we are taking your word for it. However, in a QSA On Site Assessment we will ask what your password policy is and then observe you logging into the domain controller and pulling up the applied password policy. Finally, we will collect a screenshot of the password policy and retain it as evidence for the next 3 years. This is necessary because at the end of the audit, Triaxiom will be signing off attesting to your compliance.

Key Differences

As a result of the rigor required for a QSA On Site Assessment, there are several differences that arise. These include:

  • Time required – PCI Gap Analysis is a much shorter assessment (typically 1 week versus 3 or more).
  • Cost involved – QSA On Site Assessments are more expensive, given how much more involved they are.
  • Travel – PCI Gap Analysis can be completed remotely, as it is interview-driven, whereas a PCI QSA On Site Assessment requires the auditor to be onsite for a portion.


In summary, while both a PCI Gap Analysis and a QSA On Site Assessment follow the same basic procedure, the QSA On Site Assessment is much more in-depth. This allows Triaxiom to attest to your compliance. Should you have any additional questions, please reach out to us.