Using one of the big 4 consulting firms is a lot like buying Bose sound equipment. You're paying as much for the name as for the quality. I'm not knocking Bose; I'm making a factual statement. I've been told that they put as much as 60% of the revenue from each sale into advertising and 'brand recognition'. But those little no-name speakers at Listen-Up, that sound like the Voice Of God? You aren't paying for a brand name there...just quality.

I have some experience with more security-focused firms, and I happen to work for one now, so I am a bit jaded. But I know for a fact that you can get as good or even better quality assessment from Qualys, VeriSign, and many others. If you want an exhaustive list, check out the companies approved by Visa to perform PCI audits. It's a long list, and most are pretty decent consulting firms, I'd guess, or Visa wouldn't do business with them.