ControlScan PCI compliance cost 2026: an independent pricing read
ControlScan is the mid-market QSA. Post Sysnet acquisition and the subsequent Mastercard ownership change, the firm leans into acquirer portal partnerships at the SMB end and competes credibly against the named firms for compact Level 1 ROC engagements at a 30 to 50 percent pricing discount.
Updated April 2026
Mid-market ROC: $25k - $80k
SAQ attestation: $300 to $1,500 per year
Pricing model: portal + mid-market QSA consulting
Best fit: mid-market commercial, compact Level 1
The ControlScan pricing model in plain English
ControlScan operates two distinct product lines that price very differently. The first is the SMB compliance portal, where SAQ attestation and bundled ASV scanning are sold either direct or through acquirer-bank partnerships at SecurityMetrics-comparable pricing ($300 to $1,500 per year depending on SAQ type and ASV scope). The second is the mid-market QSA consulting practice, where Level 2 and Level 1 ROC engagements are priced as fixed-fee proposals at $25,000 to $80,000 for the bands ControlScan competes in.
For mid-market QSA engagements, day rates run $1,400 to $2,200 with senior assessor rates at $1,800 to $2,400. The day rate sits roughly 15 to 25 percent below the named-firm tier (Coalfire, A-LIGN, Schellman, Trustwave) and roughly at parity with regional boutique firms. ControlScan's commercial pitch is "named-firm capability at boutique-tier pricing," and on compact engagements that pitch holds up well.
Multi-year terms typically discount the year-one fee 10 to 15 percent for a three-year commitment, with scope-expansion triggers explicitly documented. The Mastercard-ownership context (following Mastercard's 2022 acquisition of Sysnet) means ControlScan also frequently cross-sells Mastercard's adjacent cyber-risk products into the customer base, which is a useful integration for some buyers and noise for others.
Three concrete cost scenarios
| Scenario | ControlScan fee range | What is included |
|---|---|---|
| Level 3 multi-store retailer (20 IP terminals) | $1,200 - $3,000/year | SAQ B-IP attestation, quarterly ASV scanning, multi-location scope, compliance portal access |
| Level 2 SaaS (SAQ D with assist) | $8k - $15k | SAQ D self-completion with consultant assist, evidence review, quarterly ASV scanning |
| Compact Level 1 ROC (single-region commercial) | $35k - $65k | Full ROC, two- to three-week fieldwork, external pen test bundled, ASV scanning bundled |
Sources: aggregated buyer data from Vendr, public ControlScan customer disclosures, and PCI engagement quotes on practitioner forums. The Level 1 ROC pricing window is for ControlScan's mid-market sweet spot; complex Level 1 work crosses into the named-firm tier.
The Sysnet and Mastercard acquisition context
ControlScan's commercial positioning has shifted twice through M&A in the last decade. The 2019 Sysnet acquisition pulled ControlScan toward the SMB-via-acquirer-portal channel, which is Sysnet's commercial strength. The 2022 Mastercard acquisition of Sysnet brought ControlScan into Mastercard's broader cyber-risk product portfolio, which includes Mastercard cyber risk scoring, breach response services, and fraud monitoring products. The QSA practice itself remained intact through both acquisitions and continues to be listed on the PCI SSC directory.
For buyers, the practical effect is a wider product surface available through the ControlScan relationship and a stronger pull toward acquirer-led SAQ workflows. The pricing on standalone QSA consulting work has remained consistent through the acquisitions, which is meaningfully different from how other post-acquisition QSA firms have shifted (some named-firm post-acquisition repricing has been aggressive). ControlScan's QSA pricing today is broadly in line with where it sat pre-Sysnet, adjusted for general QSA market inflation of roughly 5 to 8 percent annually.
Buyers who want pure QSA work without the Mastercard adjacent-product cross-sell should signal that clearly during scoping. The engagement team will scope the consulting work cleanly without bundle pressure, but the account team may continue to surface the Mastercard product portfolio in renewal conversations. For buyers who do want integrated cyber-risk products beyond the QSA work, the Mastercard portfolio is a genuine differentiator versus pure-play QSAs at the price point.
When ControlScan wins and when it does not
ControlScan wins for SMB SAQ attestation through an acquirer-portal relationship where the pricing is competitive with SecurityMetrics, for mid-market SAQ D with-assist engagements where the consulting bench delivers materially below named-firm pricing, and for compact Level 1 ROC engagements where the 30 to 50 percent cost arbitrage versus Coalfire or A-LIGN is real and the scope complexity does not exceed what ControlScan's mid-market bench is sized for.
ControlScan does not win for multi-region Level 1 ROC engagements (Coalfire, A-LIGN, Schellman are better equipped), for federal-adjacent PCI work where Coalfire's FedRAMP bench is materially deeper, for multi-framework engagements requiring PCI plus SOC 2 plus ISO 27001 (A-LIGN and Schellman's combined-engagement pricing is more competitive), or for buyers who explicitly want assessor independence from Mastercard's adjacent product portfolio.
How to negotiate with ControlScan
For SAQ-tier products, negotiation room is similar to SecurityMetrics: minimal on direct-buyer pricing, more available on multi-year commitments and volume purchases. For mid-market QSA engagements, the negotiation room is wider. Bring a comparison quote from SecurityMetrics (for compact ROCs) or from a regional boutique (for engagements where ControlScan and the boutique are at parity capability), and ControlScan engagement managers will typically match down by 8 to 15 percent.
For engagements where the buyer wants the Mastercard adjacent-product cross-sell (cyber risk scoring, breach response retainer, fraud monitoring), bundling these explicitly during contract negotiation produces materially better pricing than buying them post-engagement. The integrated proposal is where ControlScan's commercial advantage from the Mastercard ownership genuinely lands.
ControlScan on the PCI SSC directory
ControlScan is listed in the official PCI SSC Qualified Security Assessor directory and the PCI SSC Approved Scanning Vendor directory.
Frequently asked
ControlScan pricing spans the SMB-to-mid-market spectrum. SAQ attestation products run $300 to $1,500 per year similar to SecurityMetrics. Mid-market SAQ D with assist runs $5,000 to $15,000. Level 2 or compact Level 1 ROC engagements run $25,000 to $80,000, materially below the named-firm tier (Coalfire, A-LIGN, Schellman) for like-for-like commercial scope. For multi-region Level 1 or complex enterprise engagements, ControlScan is generally not the right fit and the named firms are better equipped.