There are no formal league tables published which rank how much volume each PCI QSAC handles. At least, that information is not generally available publicly, and for good reason: the volumes handled by a QSA company are commercially sensitive. They give insight into whether the business is growing or shrinking, thriving or dying.
Much of work done by QSACs never results in any public record. As an example, I work with colocated data centers which are responsible for the physical security of my data. They all have AOCs, prepared by a QSA on their behalf. None of those are registered with the card brands, or otherwise published. To even know that a particular facility has a PCI AOC, you have to ask an account manager who can get you a copy of the current AOC to review.
At most, company websites tend to mention that they have a PCI AOC, and that you should contact them for details. Given that the only way for outsiders to know who performed an assessment is to review the AOC, this makes it difficult to get a true picture of which QSACs are performing assessments, in what volume.
So getting a global view of all QSAC business is basically impossible. However, we can measure their relative market prowess using one metric. Both Mastercard and Visa publish lists of all level 1 service providers. That is, service providers who have had a QSA-led PCI DSS assessment, and who then provided the ROC and AOC to the card brands to review. These lists are updated regularly, giving us some visibility into the top tier end of the PCI DSS assessment business.
Service Provider Assessment Rankings
Neither Mastercard nor Visa directly publish the volumes of reports they receive from each QSAC. However, their published lists do include each service provider, together with the name of the QSAC performing the assessment. It’s a simple job to take these lists, and count the number of assessments performed by each QSAC.
Assuming that both Mastercard and Visa see similar levels of submissions, we can use the data for one as a proxy for both. The following table was generated from a snapshot of service providers downloaded from Visa in mid-April 2021.
Points to note in the table:
- Only the top 25 QSACs by reports submitted are shown;
- Only PCI DSS assessments are counted, not PCI PIN or any of the others;
- In some instances, Visa left the name of the QSAC blank for some reason. In those cases, the entry was ignored.
|Trustwave Holdings, Inc.||190|
|Payment Software Company (PSC)||88|
|Compliance Control Ltd.||76|
|Coalfire Systems, Inc.||69|
|SISA Information Security Pvt Ltd||67|
|A-LIGN Compliance and Security, Inc., dba A-LIGN||53|
|MCI Communications, Inc. dba Verizon Business Services||48|
|Schellman & Company, LLC||41|
|Sysnet Limited, dba Sysnet Global Solutions||36|
|atsec (Beijing) Information Technology Co., Ltd.||34|
|1stSecureIT LLC (dba GM SECTEC)||32|
|Information Exchange Inc.||30|
|1st Secure IT, LLC||29|
|SRC Security Research & Consulting GmbH||28|
|International Certificate Authority of Management System||28|
|MegaplanIT Holdings LLC||27|
|Panacea Infosec (P) Ltd.||24|
|Secure Vectors Information Technologies Inc.||23|