For most organisations the answer is ‘probably not’. A QSA is generally required to sign off a completed self-assessment questionnaire (SAQ) and in effect acts as an auditor to show you are compliant with the controls. The standard, however, does not mandate that a QSA is required to sign off SAQs for Merchant levels 2, 3 and 4. Even if your Acquirer insists on a QSA signing off the SAQ, you can still take advantage of independent, cost-effective advice and guidance from consultancies such as Advent IM.
It is our role to assess your current situation, guide you through the standard and assist you in identifying appropriate controls to meet compliance. It is a QSA’s role to ensure controls are in place by conducting an evidential audit against the SAQ. The two activities should be carried out independently, because auditing your own work is clearly not recommended best practice. Many QSAs are also part of a product or managed service provider, which makes it difficult for them to demonstrate unbiased and independent advice.