
SecurityMetrics PCI compliance cost 2026: an independent pricing read

SecurityMetrics is the SMB-focused QSA with the most transparent published rate card in the industry. The pricing model is built around high-volume SAQ throughput plus bundled ASV scanning, and for Level 4 and most Level 3 merchants it is the genuinely cheapest legitimate compliance path.

Updated April 2026

Range: $300 - $25k (SAQ A starts at $99 - $300; a compact Level 1 ROC runs up to $25k)

Pricing model: published rate card, bundled SAQ + ASV

Best fit: Levels 3 and 4, compact Level 1

The SecurityMetrics pricing model in plain English

SecurityMetrics is the only mainstream QSA that publishes a transparent retail rate card for SAQ attestation and Level 1 ROC engagements on the public website. The headline products and their published price points run roughly: SAQ A at $99 to $300 per year, SAQ A-EP at $400 to $1,200 per year, SAQ B-IP at $200 to $600 per year, SAQ C at $500 to $1,500 per year, SAQ D self-completion with assist at $1,000 to $4,000 per year, and Level 1 ROC at a quote-based fee starting around $15,000 for small-scope engagements.

The transparency is not accidental. SecurityMetrics built the business around high-volume SAQ throughput delivered through acquiring-bank partnerships (TSYS, Global Payments, Worldpay, and others use SecurityMetrics' compliance portal to deliver SAQ completion to their SMB merchant book). The published direct-buyer rate card is approximately what acquiring banks pay per attestation, with modest direct-buyer markup. This pricing transparency is, in itself, a strong reason to prefer SecurityMetrics for the SMB tier: there is no negotiation game to play.

The bundled SAQ plus ASV scanning product is where the genuine cost efficiency sits. For a typical Level 4 e-commerce merchant on SAQ A, the bundled annual fee of $200 to $500 covers SAQ attestation, quarterly ASV scanning of the merchant's internet-facing IP space, attestation submission to the acquirer, and basic compliance portal access. The unbundled equivalent of buying SAQ assistance and ASV scanning separately would run $500 to $1,500.

Three concrete cost scenarios

Scenario | SecurityMetrics fee | What is included
Level 4 Shopify e-commerce store | $200 - $400/year | SAQ A attestation, quarterly ASV scanning, attestation submission to acquirer
Level 3 multi-store retailer (10 IP terminals) | $600 - $1,500/year | SAQ B-IP attestation, quarterly ASV scanning, multi-IP scope, compliance portal access
Compact Level 1 SaaS (single-region cloud CDE) | $18k - $30k | Full ROC for a tightly-scoped Level 1 engagement, two weeks of fieldwork (mostly remote), ASV bundled

These figures are anchored to the SecurityMetrics published rate card and corroborated by aggregated buyer reports. The Level 1 ROC band is the only quote-based product in the range; the SAQ tiers are essentially fixed pricing.

What the published rate card actually means

The PCI QSA market is overwhelmingly private-quote-driven. Coalfire, Trustwave, A-LIGN, Schellman, and ControlScan all price by proposal, and headline numbers on their websites are intentionally vague. SecurityMetrics is the outlier: the pricing pages on securitymetrics.com show specific annual fees for specific SAQ types and merchant volumes. This shift in commercial posture is genuine differentiation for buyers who do not want to spend two weeks running a competitive RFP for what is fundamentally a commodity attestation product.

The downside of published-rate-card pricing is limited room for engagement-specific scope adjustments. SecurityMetrics will not tailor an engagement around your unusual CDE topology the way Coalfire or A-LIGN would. For the SMB tier this is fine, because the engagements really are mostly the same shape. For complex Level 1 ROC work it is a real limitation that pushes buyers toward the named-firm tier.

The published rate card also shows the cost of the upsells transparently. Add-on products (Pulse penetration testing, breach response retainer, advanced compliance portal features, PCI training modules) are priced on the website. For buyers who want predictable budgeting without surprise change-orders, this transparency materially reduces the risk of an unexpectedly large year-one invoice.

When SecurityMetrics wins and when it does not

SecurityMetrics wins for Levels 3 and 4 SAQ work where the volume-based pricing model produces genuinely cheaper compliance than the named-firm tier. It wins for compact Level 1 ROC engagements (single-region, single-CDE, tightly-scoped) where the lower pricing reflects the limited scoping conversation rather than reduced quality. It wins for SMB merchants who want predictable annual budgeting without negotiation friction.

SecurityMetrics does not win for multi-region Level 1 ROCs, federal-adjacent PCI work, multi-framework engagements where the buyer needs PCI plus SOC 2 plus ISO 27001 from one firm, or enterprise procurement teams who weight named-firm brand recognition. For these scopes the named-firm tier (Coalfire, A-LIGN, Schellman, Trustwave) is materially better equipped and the price premium is justified.

Negotiating with SecurityMetrics

For SAQ tier products, there is almost no negotiation room. The published rate card is the price, and the engagement team will not customise it. The exception is multi-year commitment, where SecurityMetrics offers a 10 to 15 percent discount for a three-year prepay on portal-tier products. For volume buyers (franchise networks, multi-location retailers, payment facilitators with downstream sub-merchants), volume pricing is available and is genuinely competitive versus per-merchant SAQ attestation through other QSAs.

For Level 1 ROC quotes, negotiation room exists but is narrower than at named-firm comparators. SecurityMetrics will typically match a competing quote down by 5 to 10 percent if the comparator is a credible firm of similar tier. For procurement teams running RFPs, the time investment in negotiating a SecurityMetrics ROC is usually not worth it relative to taking the headline quote.

SecurityMetrics on the PCI SSC directory

SecurityMetrics is listed in the official PCI SSC Qualified Security Assessor directory and the PCI SSC Approved Scanning Vendor directory.

Verify on pcisecuritystandards.org

Frequently asked

SecurityMetrics pricing varies dramatically by merchant tier. SAQ A attestation through their portal: $99 to $300 per year. SAQ B-IP or SAQ C through their portal: $200 to $800 per year. SAQ D self-assessment with SecurityMetrics support: $1,000 to $4,000 per year. Level 2 QSA-assisted SAQ D: $5,000 to $12,000 per year. Level 1 ROC engagement: $15,000 to $25,000 for small-scope environments, $25,000 to $80,000 for larger commercial Level 1 work. The published rate card on the SecurityMetrics website is the most transparent in the QSA industry.
