Branden Williams at Verisign (who has a great security blog, especially for its coverage of PCI issues) posts about an interview with Bob Carr of Heartland Payment Systems. The gist of the interview is: don't hire the low-cost bidder. Branden's final comments:
I think this question makes an assumption that higher prices lead to better PCI audits (which are supposed to lead to lower likelihood of breach). It is worth keeping in mind that the "unwanted outcome" for PCI is a negative audit that rescinds the ability to process credit cards.
The PCI auditor decision can be framed the same way we perform any risk assessment: comparing the difference in cost between providers to the anticipated difference in value at risk. So it might be "worth it" to use a low-cost provider if the savings over another preferred provider are greater than the anticipated increase in risk.