PCI QSA and ASV

[alucian]

Hello guys,

I am working in a security company that provides professional services in Quebec, Canada. Besides other services, we are doing penetration testing, and soon we will provide other services (as monitoring, vulnerability scanning & others).

My question is if you consider (given your personal experience or known from close contacts) that it is a good thing to became ASV (and if it is profitable, not a hole in the budget).

Also, I would like to convince my boss to became QSA (and I would like to be one of them). Do you have any idea if > 20.000$ / Yr invested in this is a gain or loss for a company.

I hope that you understand my dilemma and I am waiting for your answers.

Thank you!

[Ketchup]

We have considered the same thing in my company several times over the last few years.   So far, we can't justify the cost.   We are a small company and that's a good chunk of change for us.  Unless we have a couple of clients signed up for a PCI audit, I don't see us doing it at this stage.  In other words, profitability would depend on your ability to market these services.   Just because you are PCI ASV or QSA, I am not sure you would have clients knocking on your door.