SecurityMetrics Auditor Profile
SecurityMetrics is a compliance and cybersecurity firm founded in 2000 and headquartered in Orem, Utah. With more than two decades in the field, they've become one of the most recognized names in PCI DSS compliance, serving thousands of merchants and healthcare organizations.
Their forensic investigation practice gives them a perspective most assessors lack: they have seen firsthand what goes wrong when controls fail. That experience shapes their assessments, which emphasize the controls that actually prevent breaches.
What SecurityMetrics Does Well
- PCI DSS depth — One of the most experienced QSA firms with thousands of PCI assessments completed across all merchant levels.
- Forensic capabilities — As a PCI SSC-listed PCI Forensic Investigator (PFI), they conduct post-breach investigations for compromised entities, giving them firsthand insight into how cardholder data is actually stolen and which controls fail most often.
- Healthcare compliance — Strong HIPAA and HITRUST practice with purpose-built tools for healthcare organizations.
Engagement Process
- Scoping — Define the cardholder data environment (CDE) and connected systems for PCI DSS, or the systems that store, process, or transmit protected health information for HIPAA.
- Gap analysis — Identify compliance gaps before formal assessment.
- Remediation support — Guidance on fixing identified issues.
- Formal assessment — On-site and remote testing.
- Report delivery — Report on Compliance (ROC) and Attestation of Compliance (AOC) for PCI DSS, or a HITRUST validated assessment report.
Pricing Expectations
PCI DSS assessments start around $10,000 for smaller merchants and scale with the size and complexity of the cardholder data environment. HITRUST validated assessments typically run $30,000-$50,000. HIPAA audits start around $15,000. Treat these as rough ranges; final quotes depend on scope.
Who Should Choose SecurityMetrics
Merchants and payment processors needing PCI DSS compliance, and healthcare organizations seeking HIPAA or HITRUST validation. Particularly strong for organizations wanting forensic expertise alongside compliance.