by madaxe_again 3576 days ago
I've worked with about eight or nine. Two of them are jaw drops in horror. A bunch are "err, what?", but get the job done vaguely competently if in a very procedural fashion. Quite often it's totally nontechnical people with backgrounds in finance/filing who do the assessment. Finally, there are two outfits we've worked with that we liked - one well enough to come audit us.

Oh, also, the big automated platforms like SM and TW are pretty poor.

The way it's set up right now, if you're lucky enough to be deemed a QSA by the PCI council, congratulations, you are now legally welcome to blackmail and extort. Zilch oversight, it's the Wild West, and snake oil salesmen abound.


Who were the two you liked? We're looking at various PCI stuff at the moment.
We had a very good experience with the folks at Security Metrics in Utah. Very reasonable people. And we had some compensating controls and non-standard things to be done. They were very much willing to work with us instead of against us.
I had a mixed experience with them - their automated scanner can be painful with misdetection, but their support usually makes up for it, even if they're slow to respond. I've not used them for anything other than the quarterly scans.
The guys here at Digital Assurance love Monzo, Tom, feel free to drop us a line...

contact [at] digitalassurance.com

Hi Tom, very biased here, but I interned at MWR InfoSecurity and the team there seemed to be consistently very high quality (like finding 0-days in Chrome, Windows Kernel, etc) - would definitely recommend looking at them.