A PCI DSS QSA (Qualified Security Assessor) is a professional certified by the PCI SSC who is authorised to conduct formal compliance assessments. Knowing when one is mandatory and when you can do without one can make the difference between spending tens of thousands of euros and running a compliance process that is manageable internally. The answer almost always depends on the merchant level and the breadth of the cardholder data environment (CDE).
PCI DSS QSA: the role and required certifications
The QSA is trained and certified directly by the PCI Security Standards Council. To obtain the qualification, the professional must complete an official course, pass an exam, and work for an accredited consulting firm (QSA Company) that meets the PCI SSC's requirements. The updated list of qualified firms is available on the Council's official website. A number of QSA Companies operate across Europe, some of them international firms with local offices.
The QSA is not just an auditor: they can provide guidance during the compliance journey, identify gaps against requirements, and help define the documentation required for the Report on Compliance (RoC). However, they have no autonomous certifying power: formal recognition depends on the acquirer or payment brand accepting the RoC or the AOC (Attestation of Compliance).
When a QSA is mandatory: Level 1 and special cases
For merchants classified as Level 1 (more than 6 million annual transactions with Visa or Mastercard, or merchants that have experienced a data breach), a RoC prepared by an external QSA is mandatory. The same applies to Level 1 Service Providers, which process more than 300,000 transactions per year on behalf of other merchants. In these cases there is no alternative: the acquirer requires a RoC signed by an accredited QSA as a condition for maintaining the acquiring contract.
For lower levels (Level 2, 3 and 4), the merchant can often independently complete a SAQ (Self-Assessment Questionnaire) without involving a QSA. The correct SAQ depends on the payment acceptance method and the breadth of the CDE. A merchant using only an external redirect payment page can qualify for SAQ A, which has 22 requirements compared to the 300+ of a full RoC.
How to reduce scope to make the QSA optional
The most direct PCI DSS scope reduction strategy for avoiding a mandatory QSA is to drop a merchant level, which requires either reducing transaction volume or moving card data out of your own environment with the help of a certified provider. Tokenising card data with a certified PCI DSS Level 1 service moves the responsibility for storing PANs outside your infrastructure: your systems keep only tokens, and the provider's vault holds the card numbers. Your CDE is then reduced to the components that interact with the vault APIs, which can often qualify for a simplified SAQ D or even SAQ A-EP.
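As an added illustration of the tokenisation pattern described above (example code written for this page, not PCI Proxy EU's or any provider's API): a merchant-side order record that holds only a vault token and the last four digits, a local stand-in for the external vault, and a Luhn-based scanner you can run over in-scope datastores and logs to check that no PAN has crept back into your environment. The `TokenVault` class, the `tok_` token format and the industry test card number 4111111111111111 are constructed assumptions, not anything from the page or a real provider.

```python
import json
import re
import secrets
import string

# Constructed example: a merchant application that stores only vault tokens,
# plus a scanner that checks in-scope stores and logs for leaked PANs.
# TokenVault is a local stand-in for an external, PCI DSS validated
# tokenisation service; it is not any real provider's API.

TEST_PAN = "4111111111111111"  # industry test number, not a real card


def luhn_valid(digits: str) -> bool:
    """Return True if a 13-19 digit string passes the Luhn checksum."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the provider's vault. Only this object ever holds PANs."""

    def __init__(self):
        self._store = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        # Letters only in the random part, so a token never looks like a card number.
        body = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        token = f"tok_{body}_{pan[-4:]}"
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        # In a real deployment this call is restricted to the provider's own
        # settlement path; the merchant application never needs it.
        return self._store[token]


def record_order(vault: TokenVault, order_id: str, pan: str) -> dict:
    """Merchant-side order record: token and last four only, never the PAN."""
    token = vault.tokenize(pan)
    return {"order_id": order_id, "card_token": token, "last4": pan[-4:]}


# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def find_pans(text: str) -> list:
    """Return Luhn-valid card-like numbers found in text (logs, dumps, exports)."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def record_is_pan_free(record: dict) -> bool:
    """True if the serialised record contains no card-like number."""
    return find_pans(json.dumps(record)) == []


if __name__ == "__main__":
    vault = TokenVault()
    order = record_order(vault, "A-1001", TEST_PAN)
    print(json.dumps(order))
    print("stored record is PAN-free:", record_is_pan_free(order))
    leaky_log = f"DEBUG charge pan={TEST_PAN} order=A-1001"  # constructed log line
    print("PANs found in log line:", find_pans(leaky_log))
```

Running `find_pans` over log shipping output and database exports from the systems you consider out of scope gives you evidence, before the QSA arrives, that only the vault integration ever handles card numbers; a hit in a "non-CDE" component means that component is in scope after all.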
Organisations that remain formally Level 1 also benefit from scope reduction: a smaller CDE means a faster RoC, fewer QSA assessment hours, and proportionally lower costs. An assessment of an environment reduced to a few well-documented components can cost half as much as one covering a distributed environment with dozens of in-scope systems.
Frequently asked questions
Can a QSA also certify my service provider?
Yes, but only if the provider falls within the scope of the assessment. The QSA can evaluate the entire ecosystem, including service providers that form part of the payment flow. If the provider already has its own PCI DSS certification (such as PCI Proxy EU), its AOC can be included as evidence in the assessment, reducing the QSA's work on your supply chain.
How much does a QSA assessment cost in Europe?
The cost depends on the breadth of the CDE and the number of in-scope systems. For a Level 1 merchant with an average environment, costs range between €20,000 and €60,000 for a full RoC. For smaller environments or assisted SAQs, costs fall to €5,000–€15,000. The main differentiator is the number of on-site analysis days, which ranges from 3–5 days for simple environments to 20+ days for complex infrastructure.
Can I use an ISA instead of a QSA?
An Internal Security Assessor (ISA) is an employee of the organisation certified by the PCI SSC to conduct internal assessments. The ISA can manage the compliance process independently for their own organisation, but cannot issue RoCs valid for third parties. For Level 1 merchants who must submit a RoC to their acquirer, the ISA does not replace an external QSA. The ISA is, however, very useful for maintaining ongoing compliance between one assessment and the next.
Reduce your PCI perimeter before even speaking to a QSA. Discover PCI Proxy EU.