
What a PCI QSA assessment actually costs

QSA pricing is opaque. Most firms refuse to publish day rates or sample fees. Here is the data we have collected from public proposals, vendor pricing pages, and merchant disclosures, with the variables that move the number around.

Updated April 2026

  • First-time ROC: $40,000 - $200,000 (QSA fees vary by scope)
  • Renewal ROC: $25,000 - $120,000 (scope is already documented)
  • Day rate: $1,500 - $3,000 (range across the QSA market)

Where the budget goes

Sixty percent of fees are fieldwork: control testing, evidence collection, interviews, on-site visits. Report writing is the second largest line. The timeline is 3-9 months for first-timers, 2-4 months for renewals.

  • Scoping & Planning (10%): define the assessment scope, identify CDE boundaries, plan the fieldwork schedule.
  • Evidence Collection & Testing (60%): on-site and remote testing of controls, document review, interviews, technical validation.
  • Report Writing (20%): draft the ROC document, compile evidence, write the executive summary.
  • Remediation Support (10%): guidance on fixing identified gaps, re-testing remediated controls.

How to choose a QSA

  1. Start with the PCI SSC's official QSA directory.
  2. Filter by industry experience: e-commerce, retail, healthcare, SaaS each have different control patterns.
  3. Ask for three references in your industry, not just generic ones.
  4. Insist on a fixed-fee proposal where possible. Day-rate engagements have a way of expanding.
  5. Confirm scope of fieldwork in writing before signing.
  6. Confirm whether remediation support is included or billed separately.

Hidden costs that surprise people

  • Remediation work after gap discovery (typically 20 to 40 percent of project budget for first-timers).
  • Internal staff time for evidence collection (usually 200 to 600 person-hours).
  • Re-assessment fees if you fail and need a re-test.
  • Travel and on-site fieldwork for multi-location operations.
  • Scope expansion mid-engagement when undocumented systems are found.
  • Tooling that gets bought to satisfy specific controls (SIEM, FIM, MFA).

QSA, ISA, or SAQ?

Each path, with its annual cost and who it suits best:

  • SAQ (self-assessment): $50 - $5,000 per year. Best for Level 4 and most Level 3 merchants.
  • Consultant-assisted SAQ: $3,000 - $50,000 per year. Best for Level 2 to 4 merchants needing expert help.
  • Internal Security Assessor (ISA): $3,000 - $5,000 for training, then internal staff time. Best for Level 1 to 2 merchants with qualified internal staff.
  • Full QSA ROC: $25,000 - $200,000+ per year. Best for Level 1 (required) and Level 2 under acquirer mandate.

Want a list of vetted QSAs?

The PCI Security Standards Council maintains the only authoritative QSA directory. Filter by region, industry, and PCI scheme. Pricing is requested directly from the QSA firm.


Frequently asked

A first-time PCI Report on Compliance (ROC) costs $40,000 to $200,000. Renewals run $25,000 to $120,000. Pricing depends on scope size (number of in-scope systems and locations), QSA firm tier, and whether the assessment is on-site or remote. QSA fees vary by firm and engagement scope; quotes from three QSAs typically span a 2-3x range.
