How to Find a QSA

Bottom Line Up Front

If you just received a PCI compliance questionnaire from your payment processor and you’re wondering if you need to hire a QSA (Qualified Security Assessor), here’s the good news: most small businesses don’t need one. A QSA is only required if you process over 6 million transactions annually or if your acquirer specifically demands one. For everyone else, you can complete your Self-Assessment Questionnaire (SAQ) on your own or with basic compliance tools. Let’s demystify what PCI compliance actually requires and help you determine if you truly need professional assessment services.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to any business that accepts credit card payments. Think of it as a security checklist created by the major card brands — Visa, Mastercard, American Express, and Discover — to protect customer card data.

The card brands formed the PCI Security Standards Council to write and maintain these standards, but they don’t enforce them directly. Instead, your acquiring bank or payment processor (the company that handles your card transactions) is responsible for making sure you comply. That’s why you received that questionnaire — they’re required to verify your compliance annually.

What happens if you don’t comply? Your payment processor can:

  • Fine you (typically $5,000-$100,000 per month)
  • Hold you liable for fraud losses if there’s a breach
  • Terminate your ability to accept credit cards
  • Increase your processing rates

But here’s what they don’t tell you: PCI compliance for small merchants is usually straightforward. If you’re a Level 4 merchant (processing under 20,000 e-commerce transactions or under 1 million transactions total per year), you can typically complete a simple questionnaire in under an hour.

Do You Need to Be PCI Compliant?

Simple answer: If you accept credit cards in any form, yes. This includes:

  • Physical terminals in your store
  • Online payments on your website
  • Phone orders where customers give you their card number
  • Mobile card readers attached to phones or tablets
  • Even paper forms where customers write their card information

Your merchant level determines what type of compliance validation you need:

Level 4 (most small businesses): Under 20,000 e-commerce transactions OR under 1 million total Visa transactions annually
Level 3: 20,000 to 1 million e-commerce transactions annually
Level 2: 1 to 6 million total transactions annually
Level 1: Over 6 million transactions annually OR any merchant that’s experienced a breach

That compliance questionnaire your processor sent? It’s their way of confirming you meet the security requirements for your merchant level. Level 4 merchants complete an SAQ (Self-Assessment Questionnaire). Only Level 1 merchants and some Level 2 merchants need a QSA to perform a full assessment.

Which SAQ Do You Need?

The PCI Security Standards Council offers nine different SAQ types, but most small businesses fall into one of these four categories:

| How You Accept Payments | SAQ Type | Number of Questions | Complexity |
|---|---|---|---|
| Fully outsourced (PayPal only, Square online) | SAQ A | 22 | Simplest |
| E-commerce with hosted checkout (Stripe, Authorize.net) | SAQ A-EP | 139 | Moderate |
| Standalone terminals only (Square Reader, Clover) | SAQ B (41) or SAQ B-IP (82) | 41 or 82 | Simple |
| Taking cards over the phone | SAQ C-VT | 83 | Moderate |
| Storing card numbers anywhere | SAQ D | 329 | Complex – avoid! |

SAQ A is for merchants who fully outsource all payment processing. If customers are redirected to PayPal or another hosted payment page and you never see their card data, this is you.

SAQ A-EP applies to e-commerce merchants whose website touches card data, even briefly. If you use Stripe Elements, Square Web Payments, or similar tools where card fields appear on your site, you’re likely SAQ A-EP.

SAQ B covers merchants using only standalone terminals with no electronic cardholder data storage. If you have a countertop terminal that dials out over a phone line, this is probably your type.

SAQ B-IP is similar to SAQ B but for IP-connected terminals. Most modern Square Readers, Clover devices, and similar terminals fall here.

SAQ C-VT is for merchants who take orders by phone or mail but don’t store card data electronically. You manually enter cards into a virtual terminal or payment gateway.

SAQ D is the full questionnaire for merchants who store card data. If you’re saving card numbers in spreadsheets, databases, or even paper files, you’re SAQ D — and you should seriously consider stopping this practice.

Not sure which one applies? Use PCICompliance.com’s SAQ Wizard — answer a few simple questions about how you accept payments, and we’ll identify exactly which questionnaire you need.

When Do You Actually Need a QSA?

A Qualified Security Assessor is a certified professional who can perform on-site assessments and validate PCI compliance for merchants who can’t self-assess. Here’s when you actually need one:

You MUST hire a QSA if:

  • You’re a Level 1 merchant (over 6 million transactions annually)
  • Your acquirer specifically requires it (check your merchant agreement)
  • You’ve experienced a data breach
  • You’re a service provider handling card data for other businesses

You MAY need a QSA if:

  • You’re a Level 2 merchant and your acquirer requires on-site assessment
  • You have complex payment environments spanning multiple locations
  • You want to use compensating controls instead of meeting standard requirements
  • You’re having trouble determining your correct SAQ type or scope

You DON’T need a QSA if:

  • You’re a Level 3 or 4 merchant completing an SAQ
  • You use simple payment methods (standalone terminals, hosted checkout)
  • Your payment environment is straightforward and well-documented
  • You can answer “yes” to all applicable SAQ questions

For most small businesses reading this guide, the answer is clear: you don’t need a QSA. Save your money and complete the SAQ yourself or with basic compliance tools.

How to Find a Qualified QSA

If you’ve determined you actually need a QSA, here’s how to find the right one for your business:

1. Verify Their Certification

Only use QSAs listed on the PCI Security Standards Council website. The Council maintains an official directory of all certified QSA companies. Individual assessors work for these companies — make sure both the company and the individual assessor assigned to you are properly certified.

2. Check Their Industry Experience

Not all QSAs understand every business type. Look for assessors with experience in:

  • Your specific industry (retail, e-commerce, healthcare, hospitality)
  • Your payment processing methods
  • Businesses of your size
  • Your technology stack

Ask potential QSAs: “How many assessments have you completed for businesses like mine?”

3. Understand Their Assessment Approach

Good QSAs are partners, not just auditors. During your initial conversations, they should:

  • Explain the assessment process clearly
  • Help you understand your actual scope
  • Suggest practical ways to reduce scope and simplify compliance
  • Provide a clear timeline and deliverables list

Red flags include QSAs who:

  • Can’t explain requirements in plain language
  • Immediately push expensive solutions
  • Don’t ask about your business processes
  • Quote assessments without understanding your environment

4. Compare Pricing Structures

QSA pricing varies widely based on:

  • Merchant level and complexity
  • Number of locations
  • Scope of card data environment
  • Travel requirements

Typical ranges for Level 1 merchant assessments:

  • Simple environments: $15,000-$30,000
  • Medium complexity: $30,000-$60,000
  • Complex environments: $60,000-$150,000+

Level 2 on-site assessments typically cost $10,000-$25,000.

Always get written quotes that include:

  • All assessor time and travel
  • Report preparation and remediation support
  • Any re-assessment needs
  • Ongoing support terms

5. Evaluate Their Remediation Support

The best QSAs don’t just find problems — they help you fix them. Ask about:

  • Remediation guidance and templates
  • Technical support during fixes
  • Re-testing failed requirements
  • Compensating control evaluations

6. Check References

Ask for references from similar businesses. Good questions for references:

  • Was the QSA easy to work with?
  • Did they help you pass on the first attempt?
  • Were there any surprise costs?
  • Would you use them again?

Alternatives to Hiring a QSA

Before committing to a full QSA assessment, consider these alternatives:

Self-Assessment with Compliance Tools

Platforms like PCICompliance.com provide:

  • Guided SAQ completion with plain-English explanations
  • Automated evidence collection
  • Policy templates and procedure guides
  • Technical vulnerability scanning
  • Compliance tracking dashboards

Cost: Typically $500-$2,000 annually vs. $15,000+ for QSA assessment

Internal Security Assessor (ISA)

Large organizations can train employees to become ISAs. They can:

  • Perform internal assessments
  • Complete SAQs with more authority
  • Reduce ongoing QSA costs

ISA training costs about $3,000 per person plus annual requalification.

Managed Security Providers

Some security companies offer “QSA-lite” services:

  • Remote assessment support
  • SAQ completion assistance
  • Compliance program management
  • Ongoing monitoring and support

These hybrid services cost less than full QSA engagements while providing expert guidance.

FAQ

Q: Can I just ignore PCI compliance if I’m a small business?

A: No. Your payment processor can fine you, increase your rates, or terminate your merchant account. One data breach without PCI compliance could bankrupt a small business through liability alone.

Q: My payment processor says I need a QSA — is this true?

A: Check your actual transaction volume first. Some processors incorrectly require QSAs for all merchants. If you’re processing under 6 million transactions annually, push back and ask to self-assess unless they have specific concerns about your security.

Q: How much does a QSA cost for a small business?

A: If you genuinely need one (rare for small businesses), expect $10,000-$25,000 for a Level 2 assessment. Level 3 and 4 merchants typically don’t need QSAs at all — self-assessment tools cost under $2,000 annually.

Q: Can I use any cybersecurity company as my QSA?

A: No. Only companies certified by the PCI Security Standards Council can perform official QSA assessments. Regular IT security firms can help you prepare, but the final assessment must come from a certified QSA.

Q: How long does a QSA assessment take?

A: For Level 1 merchants, expect 2-4 weeks of on-site work plus 2-4 weeks for report preparation. Level 2 assessments typically take 1-2 weeks on-site plus reporting time. SAQ completion without a QSA takes hours to days.

Q: What’s the difference between a QSA and an ASV?

A: A QSA (Qualified Security Assessor) performs comprehensive on-site compliance assessments. An ASV (Approved Scanning Vendor) runs automated vulnerability scans of your external-facing systems quarterly. Most merchants need ASV scans; few need QSAs.

Q: Can I switch QSAs if I’m not happy?

A: Yes, but it’s expensive and time-consuming. A new QSA must start the assessment from scratch. Choose carefully upfront by checking references and ensuring good chemistry during initial meetings.

Q: Do I need a QSA if I failed my SAQ?

A: Not necessarily. If you answered “no” to some SAQ questions, you need to fix those issues and reassess. Only repeated failures or significant security gaps might prompt your acquirer to require QSA involvement.

Conclusion

Finding a QSA starts with determining whether you actually need one — and for most businesses reading this guide, you don’t. If you’re a Level 3 or 4 merchant with a straightforward payment setup, save yourself thousands of dollars and complete your SAQ using self-assessment tools.

For the few who genuinely need QSA services — Level 1 merchants, those who’ve suffered breaches, or those with complex environments — take time to find the right partner. Verify their credentials, check their experience with businesses like yours, and ensure they’ll help you achieve compliance, not just document problems.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance without the complexity or cost of unnecessary QSA engagements. Our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with our free SAQ Wizard to determine your requirements, then use our guided tools to complete your assessment in hours, not weeks. For businesses that do need QSA services, our compliance team can provide referrals to trusted assessors who understand your industry. Take the first step toward compliance today.
