Choosing a QSA company for third-party audits

Acumera Insights Image

Organizations that require an annual PCI compliance audit have many options when it comes to choosing a Qualified Security Assessor (QSA) company. While the PCI Security Standards Council validates each QSA company’s adherence to the PCI DSS, there are still differences between QSA companies, their approaches to the audit process, and the resources they can provide.

The key question: Is the audit firm on the official PCI Qualified Security Assessor (QSA) company list?

Due to the structure of compliance as defined by the council, an organization cannot obtain an official Attestation of Compliance (AOC) from any company that is not a QSA company. If you cannot find the audit firm you are evaluating on this list, do not proceed!

Once you have selected a current QSA company, below are other key areas to consider.

Knowledge and Experience

  • How long have they been doing PCI assessments?
  • Have they audited companies like yours?
  • Do they have experience in similar industries?
  • Do they do more than one type of audit?


  • Do they see themselves as your advocate?
    This is a key distinction in how the role of the QSA is defined for the PCI audit. The PCI council directs that all QSAs should view themselves as the advocate for their clients. The relationship should never feel “adversarial!”
  • Do they want to educate and inform or just look for issues?
  • Are they open to communication outside of the audit event?
    Compliance is an ongoing journey, not a point-in-time event. Most auditors welcome a continuous discussion throughout the year to ensure there are no surprises during the annual audit event.


  • Do they approach the audit process from a risk-based perspective, or do they view the PCI DSS as a “checkbox activity?”
  • Are they familiar with the use of compensating controls?
  • Do they have their own internal controls for the audit process?
  • Do they involve multiple people in the assessment process?

Other general questions to ask include:

  • Do they have references or client recommendations?
  • Have they ever provided a failing Report on Compliance to a company? If so, how did they help the company achieve a passing Report on Compliance?
  • Has their company ever experienced a data breach? If so, how did they respond?
  • Does their company have any complaints filed against them with an entity like the Better Business Bureau?

Bottom Line

Choosing a QSA company is a key decision in your organization’s compliance strategy. Ensuring that your QSA company is officially validated by the PCI Security Standards Council is critical and required. Ultimately, organizations should choose a QSA company that compliments their experience, skills, abilities, and approach to PCI compliance.

To learn more about choosing a QSA company for third-party audits, contact Acumera at or 512.687.7410.

You may also like these