Top QSAs for Universities and Who To Choose [Unique Offerings, Pricing, Customer Testimonials]

Read to learn who the top QSAs are for higher education, what they do best, their pricing, what their customers are saying, and more.


If you work for a college or university and are in charge of PCI, you understand the importance of selecting the correct partner for your PCI assessment. In fact, universities face some of the most distinctive challenges when choosing the right PCI QSA.

To simplify this process, I’ve created a list of PCI QSAs and their benefits to help you evaluate your options. 

SecurityMetrics: Best for Universities that want PCI Assessors with 20+ Years of Experience

Who is SecurityMetrics?

What they're known for: SecurityMetrics is a full-service PCI Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV) with 20+ years of experience conducting PCI audits for universities. SecurityMetrics also offers ecommerce solutions, ASV scanning, penetration testing, PCI programs, training, PCI policies, and much more. If you're looking for an assessor with extensive audit experience in the university space who offers more than just assessments, SecurityMetrics is a good fit for your university. 

What makes SecurityMetrics a good PCI compliance match for universities? 

SecurityMetrics has several qualities that make them an excellent match for universities that need to reach PCI compliance. These include: 

  • 20+ years of experience conducting PCI assessments for universities: SecurityMetrics understands the intricacies of university merchant networks and how to protect sensitive data against threat actors. Assessors collaborate closely with each other, so you benefit from their collective experience. 
  • Tailored experience for universities: Some of the competitors on this list don’t explicitly list their experience working with universities to reach PCI compliance. SecurityMetrics has several case studies (like this one) that demonstrate their process of working with higher education institutions. Having a PCI team that understands the intricacies of university environments, including multiple merchant IDs, various payment flows (tuition, housing, dining, sports, donations, online stores), and the decentralized nature of many campus departments, is vital to the success of your PCI program or audit. 
  • Effective PCI Products and Solutions: Currently, SecurityMetrics is one of the few PCI partners to offer a code-free solution to PCI DSS requirements 6.4.3 and 11.6.1. They also offer PCI assessments, PCI policies, ASV scans (which are mandatory for external network vulnerability scanning), penetration testing, card data discovery (PANscan), and other ecommerce solutions.
  • Emphasis on Support and Education: Just by their nature, universities typically have a mix of IT professionals and non-technical staff handling payment data. This means universities need solid support and education to succeed. SecurityMetrics QSAs are not overbooked, ensuring they are available to meet your PCI deadlines. Training is a strong point of SecurityMetrics because they take the burden off universities to develop adequate training programs by scheduling university-wide training for you, ensuring everyone understands their responsibilities and roles when it comes to PCI. 

SecurityMetrics is a good choice if your primary need is not only a ROC but also other tools and services to meet PCI requirements, with industry-best compliance products.

What are SecurityMetrics customers saying?

“SecurityMetrics is an integral part of the team in our PCI program. We depend on the assessors to make sure that we stay on the compliance track. They do it by developing relationships across campus, discussing upcoming projects or application changes, and being available to us for consulting. They are knowledgeable, helpful, and help us keep the campus engaged by their friendly demeanors.” (Robbyn Lennon, University of Arizona). 

“It’s been a great partnership during my ten years working with SecurityMetrics. I appreciate the knowledge of the assessors and compliance experts and how they work well with all the departments at USC. If I have questions, I get answers quickly from SecurityMetrics support. I feel more peace of mind partnering with SecurityMetrics because of their extensive background working with universities and their complex environments.” (Richard Mariscal, University of Southern California). 

“SecurityMetrics’ deep understanding of the PCI DSS requirements combined with their ability to apply the standards to our specific landscape built credibility with our campus stakeholders and allowed us to confidently report our compliance.” (Carnegie Mellon University, PCI DSS compliance project team).

What does a SecurityMetrics PCI assessment cost? 

SecurityMetrics has a PCI Audit Price Range Estimator that lets you input your specific requirements and needs to determine a range of what a PCI audit could cost your university. SecurityMetrics is one of the few vendors with this type of transparent pricing. 

CampusGuard: Best for Organizations That Want a Firm That Exclusively Works with Universities

Who is CampusGuard?

What they're known for: CampusGuard is a cybersecurity firm specializing in campus-based security. CampusGuard is known for its exclusive focus on the campus and higher education sector.

What makes CampusGuard a good PCI compliance match for universities?  

CampusGuard has several offerings that make them a good match for universities, including: 

  • Dedicated Customer Advocate Team: CampusGuard offers a customer advocate team to provide ongoing guidance and support, acting as consultants and not just auditors who appear once a year.
  • A Proactive Approach to PCI: CampusGuard describes their PCI assessment as an assessment of “your organizational and departmental policies, procedures, practices and controls against the standard and produce a thorough Report on Findings that accurately presents any areas that require remediation and recommended actions to attain compliance.” 
  • QSA and ASV Services Under One Roof: Like SecurityMetrics, CampusGuard provides both Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV) services. This single-vendor approach can simplify the PCI compliance process for universities by consolidating different required assessments and services.
  • More Compliance Services: CampusGuard offers comprehensive PCI DSS compliance services, including direct assistance with Self-Assessment Questionnaires (SAQs), vulnerability testing, penetration testing, and tailored training programs.

CampusGuard is a good choice if your primary need is hyper-specialized, relationship-driven compliance management within the unique higher education context.

What are CampusGuard customers saying? 

“CampusGuard delivered a custom report that provided a complete picture of any exploitable vulnerabilities, as well as a clear, actionable remediation strategy to strengthen the Inn’s security posture.” (Goodman, Virginia Polytechnic Institute). 

What does a CampusGuard PCI assessment cost?

Currently, CampusGuard publishes no price range for its PCI assessments. Those interested will need to contact them directly for a quote.

RSI Security: Best for Universities that want Managed Security Services, including PCI as a Service (PCIaaS)

Who is RSI Security?

RSI Security operates within the university PCI space as a comprehensive cybersecurity and compliance partner, offering a robust set of services that go beyond just the annual audit. While not as focused on higher education as SecurityMetrics or CampusGuard, they have a proven track record that enables them to address the unique challenges universities face. RSI offers PCI as a service instead of traditional point-in-time PCI assessments for compliance.

What makes RSI Security a good match for universities?

RSI Security has several offerings that make them a good match for universities, including: 

  • An Annual PCI Audit Cycle: RSI Security's PCI as a service is a great choice for universities that want ongoing expert support and a continuous compliance management model. If you have employees with strong PCI expertise and background, this PCI as a service model could be the best choice for your university.
  • Direct Access to Security Advisors: While all the cybersecurity vendors on this list offer direct access to their PCI experts, if you choose RSI Security you will benefit from both this direct access and continued tracking of your PCI compliance, year-round.
  • Managed Security Services: In addition to PCI as a service, RSI Security offers additional managed security services that may fit your university's unique needs.

In summary, while CampusGuard shines in its higher education-specific focus and SecurityMetrics offers a comprehensive suite of PCI-specific tools, RSI Security's strength lies in its broader and deeper cybersecurity expertise, combined with a highly proactive, continuous PCIaaS model.

What are RSI Security customers saying?

“Peter worked with me to make sure I had concrete plans and evidence to bring to management. I could tell them I knew what would work, and how, with confidence,” and “Looking down the line at potential compliance questions, like with FISMA, we can say we’ve implemented the underlying infrastructure that keeps all sensitive data safe.” (Mike Zimmerman, Macomb Community College). 

What does RSI Security’s PCI as a Service (PCIaaS) cost?

Universities that want to purchase RSI’s PCIaaS will need to contact them directly for a quote. 

If you just need external PCI ASV scanning and reporting, RSI lists that cost as $2,575.00.  

Final Thoughts: Understanding Your University or College’s Specific PCI Needs

I’ve often found that the first step to choosing a great PCI partner is a deep understanding of what your university specifically needs. 

For example, a large university with multiple campuses is going to have vastly different needs than a smaller community college. And yet, some problems seem to be universal within the higher-education sphere, so identifying your concerns is a great place to start. 

See Also: How USC Boosted Security Credibility

See Also: How Carnegie Mellon Increased Its Security Posture & Confidence

See Also: What Problems Do Universities Face When Choosing a PCI Partner?
