Had a couple of personal emails regarding the "Listed Service Providers" and those that go through the rigor of ensuring compliance internally, but not the cost of hiring an external QSA. We are at the same point. I tried to get that across. So let me state it again. Either of the two is acceptable to me:

1. On the list of approved service providers

**OR**

2. Willing to be transparent and help you adequately evaluate their compliance with PCI-DSS

Do not dismiss a potential partner because they are not on the list. If you are going to dismiss them, do it because they are not transparent.