Should You Stay with Your PCI QSA? [Pros, Cons & Testimonials]

Read more to hear expert advice from VP of Enterprise Sales Jason Leland about the pros and cons of renewal, how to evaluate your first experience, and what to establish for a successful, long-term partnership.

If you’ve successfully completed your first PCI DSS audit, you might have forgotten that your one-year renewal mark is approaching. Four to six months before your renewal mark is a great time to decide whether you should renew your contract with your current PCI audit vendor, or start searching for a new one.

The Pros and Cons of Renewing with the Same PCI Audit Vendor

Pro: Save Time and Money

No matter which way you look at it, you’re probably going to save some time and money if you choose to renew with the same vendor. 

When you first chose your PCI audit firm, your assigned QSA had to learn your environment and specific needs, which typically takes a good chunk of time. This time has a cost attached to it, which is included in your current year’s audit cost, so you won’t have to worry about this if you’re renewing.

Con: If You Chose Poorly the First Time, You Risk Another Bad Experience

If there were aspects of your first audit experience that you didn't appreciate, renewing means you risk having that same experience again.

True, there's always the chance that you resolved those issues and this year could go more smoothly.

But if you stay with a partner who was a bad fit for you, you might save time and money while risking another disappointing audit experience.

Pro: The Known Quantity

A major reason customers renew is the continuity and familiarity they have with their current QSA (Qualified Security Assessor). 

Your QSA already understands your environment, people, and processes, and has a rapport with your team. This can significantly reduce the time and effort needed for the next audit. 

As SecurityMetrics VP of Enterprise Sales Jason Leland notes, “Having the same assessor year-over-year saves customers time and money because they avoid the learning curve associated with a new assessor, who would need to understand the company's environment, processes, and goals.”

Con: The Risk of Complacency

While convenience is a major benefit, a new QSA might offer a fresh perspective and uncover issues or compliance gaps that your current vendor has overlooked. 

Continuing with a vendor who simply "checks boxes" for compliance might not align with your broader security goals. 

Another risk is becoming overly reliant on one vendor, potentially missing out on new services or competitive pricing from other firms.

How to Evaluate Your First PCI Audit Experience with a QSA

Jason Leland recommends that “your decision to renew should largely depend on your overall experience. This is the most crucial part of your decision-making process.”

Use this actionable checklist to evaluate your first audit.

  • Did they act as a partner or just an auditor?
    A great QSA offers guidance and support throughout the year, not just during the audit window. They should help you understand why a requirement is important and provide a clear, actionable remediation plan.
  • What was the level of communication and project management?
    The evidence collection process should be smooth, with a clear timeline that the vendor sticks to. Poor communication and delayed report delivery are good reasons not to renew.
  • Did they provide value beyond the Report on Compliance (ROC)?
    Your QSA should offer insights into your broader security posture or recommend solutions that simplify your compliance burden (or let you know if that's even possible). They also should help you prepare for new and future requirements.
  • Did they offer a great cost-to-value ratio?
    Your final cost should be in line with the initial proposal. You should also be able to point to the benefits of the partnership (e.g., peace of mind, expert guidance) to help justify the expense. And you should have received help toward your overall security goals, not just your PCI audit requirements.

What do SecurityMetrics customers say about their PCI audit communication? 

“It’s been a great partnership during my ten years working with SecurityMetrics. I appreciate the knowledge of the assessors and compliance experts and how they work well with all the departments at USC.
If I have questions, I get answers quickly from SecurityMetrics support.
I feel more peace of mind partnering with SecurityMetrics because of their extensive background working with universities and their complex environments.”
-Richard Mariscal,
Merchant Services and PCI manager,
USC Treasury Department

What to Do When You Want to Renew

If you decide to renew, you may want to see what your PCI audit firm will do to make your next year even better. Here’s how to have that conversation. 

Set Clear Expectations

It's important to set clear expectations for the coming year. 

This includes establishing a schedule for proactive engagement, such as quarterly check-ins or interim meetings, to ensure you're maintaining compliance throughout the year. 

You should also agree on a process for your vendor to review your remediation progress on an ongoing basis.

Pro Tip: A reputable PCI audit firm should prioritize your deadlines as a returning customer. See what their policy is for helping you meet your exact dates. 

Review and Negotiate the Contract

Ensure the scope of work is clearly defined. Check for any new services or add-ons that might benefit you, and discuss the pricing structure. 

Pro Tip: Most PCI audit firms aren't going to offer a financial discount for returning customers; however, they will often negotiate discounted rates if you bundle other services you need, or let you choose your assigned QSA.

Prepare for PCI DSS v4 Changes

The shift in PCI DSS version 4 from a "snapshot in time" audit to continuous compliance makes your ongoing relationship with a QSA even more critical. 

Discuss how the vendor will help you implement PCI DSS v4 requirements and best practices, such as enhanced authentication measures.

What do SecurityMetrics customers say about the PCI DSS version 4 audit process? 

“I don’t think it was much harder, and I have to equate that with SecurityMetrics helping us out with version 4. I believe we were one of the first version 4 assessments your team did. 

Our team and your team were on top of communicating things that were changing and how requirements were unfolding. 

We got instructions on things that had to be approved and what evidence was needed. The PCI DSS certification process starts months before your actual assessment, so we had a good conversation going and we set expectations for audit timing.”

-Ryan Kuenneke,
Director of Engineering,
Anedot

Essential Questions to Ask Your PCI Audit Firm

Use this list of questions to have a productive conversation with your current vendor or to evaluate potential new partners.

On the Partnership

  • "How will you help us move from a point-in-time audit to a continuous compliance model?"
  • "What proactive support will you provide throughout the year to help us maintain compliance?"
  • "How do you stay up-to-date on emerging threats and changes to the standard, and how will you communicate that to us?"

On Process and Technology

  • "What has changed in your audit process since our last engagement? Have you adopted new tools or technologies that will make it more efficient?"
  • "How will we manage the evidence collection process for this next audit?"
  • "What is your approach to handling the new customized approach requirements in PCI DSS v4?"

What do SecurityMetrics customers say about new technology? 

“I appreciate that you guys are always there for us to contact if we have questions. As things change and new technologies come out, we can always bounce ideas off of our assessor or other SecurityMetrics professionals for advice.
We can ask if new technology can be used and what we should be looking out for so we stay in compliance.”
-Martin Kenney
Senior Systems Engineer
Infosend

Final Thoughts: To Stay or Not to Stay? 

Jason Leland explains that “while budget cuts can sometimes lead to non-renewals, the decision often comes down to the overall customer experience. The goal is to find a strategic partner who will help you not only meet compliance requirements but also strengthen your overall security posture. The right partner can turn a dreaded annual audit into a valuable opportunity for growth and security.” 

Before choosing to renew your contract, ask yourself: is my PCI audit firm

  • Trustworthy?
    Are they fair and honest, and do they show integrity toward their customers and the compliance standard?
  • Accessible?
    Will they give me a guided, high-touch experience with excellent communication, and be accessible when I have questions?
  • Collaborative?
    Do they include my entire team, and do they identify everyone’s specific role in the PCI audit process? 
  • Thorough?
    Do they avoid a checkbox mentality and provide me with real value?
  • Innovative?
    Do they have a wide range of solutions, with new technologies emerging year after year? 

Using the provided questions above, you can have a productive conversation with your current vendor or begin evaluating potential new partners.
