I was on a call the other day with a number of QSAs from various firms. We were all complaining about how “cheap” prospects are when it comes to PCI consulting.
I said, “You know, this is because our clients do not understand the overhead that is required to be a Qualified Security Assessor Company (QSAC) and employ QSAs. Gee, sounds like a great blog post!”
I can hear all of you merchants and service providers out there asking, “Overhead? What overhead could there possibly be to be a QSA?” Quite a bit as it turns out.
To employ one or more QSAs, an organization must be a QSAC. In order to be a QSAC, an organization must meet the requirements of the PCI Security Standards Council published in the QSA Qualification Requirements. See this Web page for determining the fees involved. If you are curious, the lucrativeness of these PCI fees was well discussed in a post by Branden Williams a little over a year ago.
For a QSAC to be validated in the United States, it costs $22,000 USD for the first year of registration and then $11,000 USD for every year thereafter. Other parts of the world carry similar charges with the exception of Latin America and the Caribbean (LAC) which are significantly cheaper.
So those fees only get an organization to be allowed to have QSA employees. For a QSAC to have QSAs on staff they must pay $2,750 USD for each new QSA or $1,650 USD annually for each recertifying QSA (European new QSA training is a whopping $3,550 USD per QSA). Those fees are for training and certification of all QSAs employed by a QSAC.
In addition to those fees, there are insurance requirements that will add around another $800 USD to the costs for at least a $1M USD consulting malpractice insurance policy. There is also a 40+ hours of continuing professional education (CPE) requirement that typically adds in another $3,000 USD to $5,000 USD annually. Finally, there is the cost of maintaining two professional certifications such as CISSP and CISA that will cost around $500 USD annually.
With that as background, for a single QSA shop to set up as a QSAC in the United States, the cost is $29,050 USD and $18,950 USD for every year thereafter. In a 1,920 billable hour year for a sole practitioner, that works out to an overhead amount of around $15.13 USD per hour the first year and $9.87 USD per hour for every year thereafter.
As I write this, the current going rate for information security professionals seems to run around $100 USD per hour to $125 USD per hour. The higher rate typically is for an information security professional with specific skills such as with a system information and event monitoring (SIEM), file integrity monitoring (FIM) solutions or other similar specific information security tools skills.
That higher rate will usually be offered to a QSA as well, but not always. When you add in the PCI SSC’s mandated overhead into the mix, is it any wonder why QSAs balk at only $125 USD per hour when there is, at a minimum, $10 USD per hour coming off the top just to be a QSAC and QSA?
But there is one final cost that gets very little consideration, let alone recognition and discussion. That topic is the risk to the QSAC for conducting PCI assessments. The Council always likes to remind QSAs that it is up to the QSA and the QSAC to accept the risk when they conduct a PCI assessment. Supposedly the acquiring bank is also supposed to share in those risks, but in my experience, the acquiring bank almost always tosses those risks back into the QSAC’s lap. Even the best QSA can be buffaloed by the client bent on hiding their dirty PCI “laundry” during an assessment.
Think those risks are inconsequential? Right now, Trustwave is facing a lawsuit by their insurers over the recovery of $30M USD that they paid out for Trustwave’s flawed Heartland PCI assessment and resulting data breach. $30M USD is hardly inconsequential and definitely adds significantly to the costs of a QSAC conducting PCI assessments.
These are the economics that make being a sole practitioner QSA financially impossible. It is also why most QSAs are looking for a minimum of $150 USD per hour, if not more. The Council makes being a QSAC and QSA an expensive proposition compared to just being a typical information security professional.
So, the next time you are discussing rates with your QSA, please keep this math in the back of your mind.
PCI Guru 
As to ‘Trustwave’s flawed Heartland PCI assessment’; do we know what the flaw was in their assessment?
Given that a PCI assessment is a point in time assessment, they could have been fine on June 1, and vulnerable on June 10.
I never heard specifics, only generalities that the assessment had marked numerous controls as ‘In Place’ that were determined by Visa’s breach assessment as not being in place.
PCIGuru,
Great post but IMHO the insurance costs and therefore impact on overhead are under stated. As per the QSA Program Guide Version 2.0 dated Dec 2017 Section 6.4.3 Insurance must cover the following (or otherwise be acceptable to PCI SSC):
Worker’s compensation
Employer’s Liability (with a limit of $1,000,000)
Commercial General Liability Insurance ($1,000,000 minimum, $2,000,000 annual
aggregate) including:
– Products
– Completed Operations
– Advertising Injury
– Personal Injury
– Contractual Liability Insurance
Commercial Automobile Insurance ($1,000,000 minimum limit)
Crime/Fidelity Bond, both first and third party ($1,000,000 minimum for each loss and
annual aggregate)
Technology Errors and Omissions, Cyber-Risk, and Privacy Liability Insurance
($2,000,000 minimum for each loss and annual aggregate)
Further insurance requirements are listed under Appendix B of the QSA Qualification Requirements Version 3.0 also dated December 2017.
While I am not disputing the limits (our QSA company is outside the US, and we do carry higher limits for some type of cover and other cover we don’t need e.g. automobile), in looking at the Policies in detail, I do note our insurance cover is ultimately underwritten by a syndicate at Lloyds of London. An insurance company would not typically underwrite these policies themselves, unlike standard business insurance.
Our premiums for 2018 have increased by 20% over 2017.
Good information. Thanks.
PCIGURU,
What will be the insurance premium of this below :
1) Commercial General Liability Insurance ($1,000,000 minimum, $2,000,000 annual
aggregate) including:
– Products
– Completed Operations
– Advertising Injury
– Personal Injury
– Contractual Liability Insurance
2) Crime/Fidelity Bond, both first and third party ($1,000,000 minimum for each loss and
annual aggregate)
3)Technology Errors and Omissions, Cyber-Risk, and Privacy Liability Insurance
($2,000,000 minimum for each loss and annual aggregate)
No idea. I’d have to get with my insurance broker to find out how cheap I could get coverage these days.
I am increasingly coming to the view that while the PCI SSC likes to pose as a standards body it is actually a very lucrative training and convention organiser operating in a monopoly market.
In addition to the fees for training, a QSAC will likely have to pay travel costs – e.g., airfare, lodging, and food – as QSA training is only currently available in-person at select times and locations.
No sympathy because there would not be QSACs if that line of business was not a lucrative venture.
https://polldaddy.com/js/rating/rating.js
Thanks Jeff for the explanation and analysis. The increasing costs for becoming a QSAC is making it more difficult for Companies providing the services to provide economically feasible to provide their services to customers. And one has to wonder, what does the PCI SSC do with all the money they get from QSACs, Participating Organizations, etc.? And we are talking about a “non profit” organization.
Perhaps the PCI SSC needs to cut down on their costs on things like the Community Meetings, and other items? Certainly it seems that the PCI SSC generates more income than it incurs in expenses? Would be interesting if the Council made their income statements publically available (oh, that would put them under the public eye for scritiny… silly me… 😂🤣
https://polldaddy.com/js/rating/rating.js
What is the difference between Transaction Processor and Merchant Processor in terms of Service Providers? Which type of Service Providers fall under these categories.
A transaction processor is an entity that processes transactions on behalf of merchants. Examples of transaction processors are Chase Paymentech, Bank of America Merchant Services (BAMS) and TrustCommerce.
As far as I am aware, merchant processor is equivalent to a transaction processor.