Archive for August, 2018


PCI Economics 101

I was on a call the other day with a number of QSAs from various firms.  We were all complaining about how “cheap” prospects are when it comes to paying for PCI consulting.

I said, “You know, this is because our clients do not understand the overhead that is required to be a Qualified Security Assessor Company (QSAC) and employ QSAs.  Gee, sounds like a great blog post!”

I can hear all of you merchants and service providers out there asking, “Overhead?  What overhead could there possibly be to be a QSA?”  Quite a bit as it turns out.

To employ one or more QSAs, an organization must be a QSAC.  In order to be a QSAC, an organization must meet the requirements published by the PCI Security Standards Council in the QSA Qualification Requirements.  The Council’s fee schedule Web page lists the fees involved.  If you are curious, the lucrativeness of these PCI fees was discussed at length in a post by Branden Williams a little over a year ago.

For an organization to be validated as a QSAC in the United States, it costs $22,000 USD for the first year of registration and then $11,000 USD for every year thereafter.  Other regions carry similar charges, with the exception of Latin America and the Caribbean (LAC), which are significantly cheaper.

Those fees only entitle an organization to employ QSAs.  For each QSA on staff, the QSAC must then pay $2,750 USD for each new QSA or $1,650 USD annually for each recertifying QSA (new QSA training in Europe is a whopping $3,550 USD per QSA).  Those fees cover the training and certification of every QSA the QSAC employs.

In addition to those fees, there are insurance requirements that add around another $800 USD per year for at least a $1M USD professional liability (consulting malpractice) policy.  There is also a requirement for 40+ hours of continuing professional education (CPE) annually, which typically adds another $3,000 USD to $5,000 USD per year.  Finally, a QSA must maintain two professional certifications such as CISSP and CISA, which costs around $500 USD annually.

With that as background, a single QSA setting up as a QSAC in the United States faces a first-year cost of $29,050 USD at the low end of the CPE estimate ($31,050 USD at the high end), and $16,950 USD to $18,950 USD for every year thereafter.  In a 1,920 billable hour year for a sole practitioner, that works out to overhead of roughly $15.13 USD to $16.17 USD per hour the first year and $8.83 USD to $9.87 USD per hour for every year thereafter.

As I write this, the current going rate for information security professionals seems to run around $100 USD per hour to $125 USD per hour.  The higher rate typically goes to an information security professional with specific skills, such as experience with security information and event management (SIEM) or file integrity monitoring (FIM) solutions, or with other similar information security tools.

That higher rate is usually offered to a QSA as well, but not always.  Once the PCI SSC’s mandated overhead is added into the mix, is it any wonder that QSAs balk at only $125 USD per hour when, at a minimum, around $10 USD per hour comes off the top just to be a QSAC and a QSA?

But there is one final cost that gets very little consideration, let alone recognition and discussion: the risk the QSAC takes on by conducting PCI assessments.  The Council always likes to remind QSAs that it is up to the QSA and the QSAC to accept the risk when they conduct a PCI assessment.  The acquiring bank is also supposed to share in that risk, but in my experience the acquiring bank almost always tosses it back into the QSAC’s lap.  Even the best QSA can be buffaloed by a client bent on hiding their dirty PCI “laundry” during an assessment.

Think those risks are inconsequential?  Right now, Trustwave is facing a lawsuit from its insurers seeking to recover the $30M USD they paid out over Trustwave’s flawed Heartland PCI assessment and the resulting data breach.  $30M USD is hardly inconsequential, and it adds significantly to the cost of a QSAC conducting PCI assessments.

These are the economics that make being a sole practitioner QSA financially impractical.  They are also why most QSAs are looking for a minimum of $150 USD per hour, if not more.  The Council makes being a QSAC and a QSA an expensive proposition compared to simply being a typical information security professional.

So, the next time you are discussing rates with your QSA, please keep this math in the back of your mind.

