Hmmm, I am not familiar with the variance in hourly rates among the different QSAs, but if it is anything like the audit world I came from, it is not uncommon to have hourly rates vary significantly such that effort (hours) is very similar even though cost may be much lower.

In any case, I hope you agree that my Return-on-Security-Investment approach outlined in the final paragraph is the important one.

Pete

The assumption, which is not well articulated, is that you get what you pay for. If you pay $1 Million for a PCI Assessment, does that get you something more than a $50K one? I would certainly hope so, but is that extra $950K worth the money spent? Probably not. There has to be a middle ground somewhere (there is).

The real catch is if you go into an assessment expecting every gap to be correctly identified by your QSA, you can bet that the low cost bid is not be motivated to do the same amount (think effort) of work and digging as the one with a more reasonable bid.

Thanks again for the comments!