QSA vs ISA: Choosing PCI DSS Assessor Resources
PCI DSS recognizes two assessor roles. Qualified Security Assessors (QSAs) are external consultants, employed by a QSA Company (QSAC), whom the PCI SSC qualifies to assess any merchant or service provider. Internal Security Assessors (ISAs) are employees certified by the PCI SSC to assess only their own organization. Knowing when each is required, and what each is allowed to sign, avoids paying external assessment fees for work an internal team can do and avoids submitting a report the acquirer will not accept.
Detailed Comparison

Employer
QSA: Employed by a Qualified Security Assessor Company (QSAC), an independent firm qualified by the PCI SSC.
ISA: Employed by the organization being assessed; the employer must be enrolled with the PCI SSC as an ISA sponsor company.

Scope of Work
QSA: Performs on-site assessments and produces the Report on Compliance (ROC) and Attestation of Compliance (AOC) for any merchant or service provider that requires or chooses a ROC.
ISA: Assesses its own organization only: SAQ completion, control testing, readiness work, and support for a QSA-led ROC. Whether a ROC completed by an ISA is accepted in place of a QSA's depends on the payment brand and the acquirer.

Required For
QSA: Required for Level 1 service provider ROCs, and for merchant ROCs where the acquirer or payment brand does not accept an internal assessment.
ISA: Optional in most cases; it supplements the internal compliance program and reduces consulting spend. Some brand programs do require it: Mastercard requires Level 2 merchants completing an SAQ to use ISA-certified staff or a QSA.

Certification Process
QSA: Must be an employee of a QSAC and meet PCI SSC prerequisites (relevant industry certifications and assessment experience), then pass PCI SSC QSA training and exam; requalification training and exam annually.
ISA: Employer enrolls as an ISA sponsor company; the employee completes PCI SSC ISA training and exam; requalification training and exam annually.

Independence
QSA: Independent of the assessed entity; the QSAC must avoid conflicts of interest, such as assessing controls it designed or implemented.
ISA: An employee of the assessed entity; the PCI SSC expects the ISA to be organizationally independent of the functions that own and operate the in-scope controls (for example, reporting through internal audit or compliance rather than through the team that runs the cardholder data environment).

Cost
QSA: External fees, typically $50,000 to $500,000+ per ROC engagement depending on scope and number of locations.
ISA: The employee's salary plus PCI SSC training and requalification fees, roughly $1,500 to $3,000 per year.

When You Need Them
QSA: Level 1 merchants (more than 6 million Visa or Mastercard transactions per year) and Level 1 service providers, unless the acquirer accepts an internal assessment for the merchant.
ISA: Organizations with ongoing PCI DSS work throughout the year and SAQ-eligible payment channels.

Continuous Compliance Support
QSA: Engaged for the assessment window; gives remediation guidance during the engagement but is not embedded in the organization.
ISA: Embedded in the organization; supports continuous compliance, change reviews, scoping and segmentation validation, and evidence collection year-round.

Typical Use Together
QSA: Leads the formal ROC engagement and signs the ROC and AOC.
ISA: Prepares the organization for the QSA: gap analysis, evidence collection, control testing, and remediation tracking.

Limitations
QSA: Independence rules prevent a QSAC from running the day-to-day compliance program and then assessing its own work.
ISA: Can assess only their own employer; a ROC signed by an ISA is accepted only where the acquirer and payment brand allow it, and Level 1 service providers must use a QSA.
Our Recommendation
For most organizations the right model is both: a QSA for the formal Level 1 ROC, and one or more ISAs for year-round compliance. The ISA prepares the organization throughout the year; the QSA validates the controls and signs the ROC and AOC. For Level 2-4 merchants completing SAQs, an ISA is usually sufficient, and Mastercard requires Level 2 merchants' SAQs to be completed by ISA-certified staff or a QSA. Level 1 service providers always need a QSA for the formal report; Level 1 merchants should confirm with their acquirer whether an ISA-led ROC will be accepted before planning around one.
Frequently Asked Questions

Can an ISA sign a Report on Compliance?
Only where the payment brand and acquirer accept it. Level 1 service providers must use a QSA from a QSAC. For Level 1 merchants, some brands accept a ROC completed by internal staff holding the ISA certification, so confirm with your acquirer before relying on it. An ISA can complete the organization's own Self-Assessment Questionnaire (SAQ) for Levels 2-4 where the organization is SAQ-eligible.

Can we hire a QSA full-time?
Not as a QSA. The QSA qualification is tied to employment at a QSAC, so a QSA who leaves the QSAC no longer holds it. You can hire someone with QSA experience and certify them as your ISA, which gives you the same expertise in-house without external billing rates.

How often do QSAs and ISAs have to requalify?
Annually. Both roles complete PCI SSC requalification training and an exam each year, along with continuing education (typically 20 CPE credits). The PCI SSC publishes the requalification requirements and any updates to the standard each year.