QSA Assessment Cost: What a PCI Audit Actually Costs and What's Included
QSA (Qualified Security Assessor) engagements are the most significant single expense in PCI compliance for Level 1 merchants. With costs ranging from $40,000 to $200,000+, understanding exactly what you are paying for, how firms price their services, and how to evaluate proposals is essential for budgeting. This guide provides the pricing transparency that QSA firms rarely offer publicly.
Last verified: April 2026
QSA Assessment Cost Ranges
QSA pricing varies widely based on engagement type, environment complexity, and the QSA firm's prestige. The following ranges represent typical market pricing as of 2026, based on published data, industry surveys, and merchant-reported costs.
First-Time ROC Assessment
$40,000 – $200,000
First-time assessments cost more because the QSA must build complete documentation of your environment, and remediation efforts are typically more extensive. Allow 3-9 months.
Renewal ROC Assessment
$25,000 – $120,000
Renewal assessments leverage prior-year documentation and established controls, and are typically 40-60% less expensive than a first-time assessment. Allow 2-4 months.
Day Rate Reference
QSA day rates typically range from $1,500 to $3,000 per consultant per day. Big 4 and premium firms charge at the higher end. Regional and mid-market firms are more competitive. A typical Level 1 assessment requires 100-150 consultant days for first-time and 60-100 days for renewal.
What Is Included in a QSA Assessment
A QSA assessment is a structured engagement with distinct phases. Understanding the phases helps you evaluate proposals and identify where costs can be managed. Below is the typical breakdown of a QSA engagement by effort allocation.
Scoping & Planning
10% of effort: define assessment scope, identify CDE boundaries, plan fieldwork schedule
Evidence Collection & Testing
60% of effort: on-site and remote testing of controls, document review, interviews, technical validation
Report Writing
20% of effort: draft ROC document, compile evidence, create executive summary
Remediation Support
10% of effort: guidance on fixing identified gaps, re-testing remediated controls
QSA Cost Breakdown: What Drives the Price
The difference between a $40,000 assessment and a $200,000 assessment comes down to several key factors. Understanding these helps you anticipate your likely cost and identify areas where you can reduce the price through pre-assessment preparation.
Environment Size and Complexity
The number of systems in your cardholder data environment (CDE) is the primary cost driver. An environment with 20 servers and one location costs far less to assess than one with 500 servers across 10 locations. Each system must be individually validated for each applicable requirement. Cloud environments (AWS, Azure, GCP) add complexity because the QSA must assess your cloud configuration, shared responsibility model compliance, and cloud-specific security controls in addition to traditional infrastructure.
Number of Physical Locations
Each physical location with PCI scope may require an on-site visit for physical security validation (Requirement 9). Multi-location assessments involve travel costs, additional consultant days, and the complexity of validating consistent security controls across different sites. Some QSA firms use statistical sampling for large numbers of identical locations (e.g., retail chains with 100+ stores), which can reduce the cost of multi-location assessments.
QSA Firm Prestige and Size
Big 4 and premium consulting firms charge 50-100% more than regional QSA firms. The premium buys brand recognition (useful if your customers or partners want to see a name-brand QSA), deep bench strength, and (usually) broader expertise. For most Level 1 merchants, a reputable mid-market QSA firm provides equivalent quality at significantly lower cost. The key is to verify the firm's current PCI SSC listing and check references from similar organisations.
First-Time vs. Renewal
First-time assessments cost 40-100% more than renewals because the QSA must build everything from scratch: document the environment, establish assessment procedures, and address the remediation backlog. Renewal assessments benefit from prior-year documentation, established relationships, and (ideally) a mature compliance programme with fewer gaps to address. Switching QSA firms resets some of this efficiency, so there is a cost benefit to maintaining a long-term QSA relationship.
How to Choose a QSA Firm
Choosing the right QSA firm is critical -- a poor choice can result in a prolonged, expensive engagement with an assessor who does not understand your environment. Follow these guidelines to evaluate QSA proposals effectively.
Verify PCI SSC listing
Check the PCI SSC website (pcisecuritystandards.org) to confirm the firm is currently listed as an active QSA company. Listings expire, and firms can be suspended.
Request industry-specific references
Ask for 3-5 references from organisations in your industry and at a similar merchant level. A QSA experienced in retail POS environments will be much more efficient than one who primarily assesses cloud service providers.
Evaluate the proposal structure
Good proposals include a clear scope definition, named assessors (not just 'TBD'), milestone schedule, fixed-price or capped T&M pricing, and clearly defined assumptions and exclusions.
Ask about remediation support
Some QSAs only identify gaps; others actively help you fix them. Remediation guidance can add 10-15% to the engagement cost but often saves more by avoiding costly mistakes and retesting cycles.
Understand the team
Will the named QSA actually do the fieldwork, or will they delegate to junior staff? Large firms sometimes use senior QSAs for sales and junior consultants for delivery. Request the assessment team's qualifications.
Discuss the timeline honestly
A QSA that promises to complete a first-time Level 1 assessment in 8 weeks is either cutting corners or significantly understaffing. Realistic timelines build trust and reduce risk of rushed assessments.
QSA vs. ISA vs. SAQ: When Each Applies
Not every merchant needs a QSA. Understanding the three assessment paths helps you choose the right approach for your organisation and avoid overspending on assessment.
| Assessment Type | Who Needs It | Typical Cost | Pros | Cons |
|---|---|---|---|---|
| QSA (External) | Level 1 merchants, some Level 2, post-breach merchants | $40k-$200k | Highest credibility, independent validation, required by card brands | Most expensive, longest timeline, limited availability |
| ISA (Internal) | Level 1-2 merchants with qualified internal staff | $3k-$5k training + staff time | Significant cost savings, continuous availability, deep environment knowledge | Not accepted by all acquirers, requires qualified staff, independence challenges |
| SAQ (Self-Assessment) | Level 2-4 merchants, some service providers | $300-$20k | Lowest cost, fastest completion, merchant controls timeline | Self-reported (less credible), risk of incorrect answers, no independent validation |
Hidden QSA Costs You Should Budget For
The QSA engagement fee is not the total cost of a QSA assessment. Several additional costs are routinely underestimated in compliance budgets. Plan for these to avoid budget surprises.
Pre-Assessment Remediation: $10,000-$100,000+
Most first-time assessments identify gaps that must be fixed before the QSA can issue a passing ROC. Budget 20-50% of the assessment fee for remediation: firewall rule changes, encryption implementation, MFA deployment, policy writing, and tool procurement.
Internal Staff Time: 200-500+ hours
Your team spends significant time supporting the QSA: gathering evidence, answering questions, coordinating interviews, implementing remediation, and reviewing the draft ROC. For a Level 1 assessment, budget 200-500 hours of internal staff time across IT, security, compliance, and management.
Scope Creep and Change Orders: 10-30% premium
If the QSA discovers systems or networks in scope that were not included in the original scoping, the engagement price increases via change orders. This is common when network segmentation is incomplete or undocumented. Invest in thorough pre-assessment scoping to minimise surprises.
Retesting Fees: $5,000-$20,000
If the QSA identifies failures and you remediate them after the initial testing period, the QSA must return to retest the fixed controls. Most QSA proposals include a limited amount of retesting, but significant remediation may trigger additional retesting fees.
Notable QSA Firms and Pricing Tiers
The following is a reference list of well-known QSA firms with approximate pricing tiers. This is not an endorsement -- pricing and quality vary by engagement. Always verify current PCI SSC listing and check references before engaging any QSA firm.
| QSA Firm | Tier | Typical Price Range | Notes |
|---|---|---|---|
| Coalfire | Premium | $60,000-$200,000 | One of the largest QSA firms. Strong in cloud, multi-cloud environments. Serves major enterprises. |
| Trustwave | Premium | $50,000-$180,000 | Also offers ASV scanning and managed security. Good for one-stop compliance. |
| SecurityMetrics | Mid-range | $40,000-$120,000 | Popular with mid-market. Also offers ASV scanning. Strong small-business programme. |
| A-LIGN | Mid-range | $45,000-$150,000 | Combined PCI + SOC 2 assessments. Good for tech companies needing both. |
| Schellman | Mid-range | $50,000-$160,000 | Strong in SOC 2 + PCI combined. Primarily serves technology sector. |
| RSI Security | Mid-range | $40,000-$100,000 | Focuses on mid-market and growing companies. Competitive pricing. |
| Forvis Mazars (Big 4 adjacent) | Premium | $80,000-$250,000+ | Large accounting/consulting firm. Serves enterprise and financial services. |
Pricing is approximate and based on typical Level 1 merchant engagements. Actual quotes depend on environment complexity, locations, and scope. Data verified April 2026.
Need a QSA? Start Here
First, confirm that you actually need a QSA (Level 1 merchants and some Level 2). If a simpler SAQ applies, you can save $40,000+. Before engaging a QSA, explore scope reduction strategies to minimise the assessment cost. For scanning and pen testing budgets, see scanning costs.