PCI Security Standards Council®

Qualified Security Assessor (QSA)™ Qualification

The Qualified Security Assessor course will teach you how to perform assessments of merchants and service providers who must comply with the PCI Data Security Standard. The course focuses on the 12 high level control objectives and corresponding sub-requirements that are required for compliance. Split into two parts, the course consists of an online component and a two-day instructor-led session.

Those who attend the training and pass the exam will be authorized to perform assessments and prepare appropriate compliance reports (such as Reports on Compliance (RoC)) required by payment card brands and acquiring banks.

Upon completion of the course, you’ll be able to define the processes involved in payment card processing, understand the PCI DSS requirements and testing procedures, conduct PCI DSS assessments, validate compliance, and generate reports.

Registration Process

In order to attend a QSA training class, your company must already be a validated QSA Company and you must be a full time employee. Please see the Qualification Requirements for Qualified Security Assessors (QSAs) v2.1. for more details.

To start the registration process, your Primary Contact must enroll you for QSA training via the online Portal. If you have any questions about the registration process, please contact QSA@pcisecuritystandards.org.

  • Name of candidate
  • Location and Date of desired QSA training
  • Candidate's company email address, country of residence, and native language
  • QSA candidate's resume must be able to show:
    • One or more professional certification*
    • Minimum of one year of experience in EACH of the following security disciplines:
      • Application security
      • Information systems security
      • Network security
      • IT security auditing
      • Information security risk assessment or risk management
    • *Acceptable certifications include:
      • Certified Information System Security Professional (CISSP)
      • Certified Information Security Manager (CISM)
      • Certified Information Systems Auditor (CISA)
      • GIAC Systems and Network Auditor (GSNA)
      • Certified ISO 27001, Lead Auditor, Internal Auditor
      • International Register of Certificated Auditors (IRCA)
      • Information Security Management System (ISMS) Auditor
      • Certified Internal Auditor (CIA)
  • All QSA program training attendees must accept and sign the PCI SSC Code of Professional Responsibility and submit at the training session.
  • An invoice will be issued upon completion of registration and will include instructions to pay by check, credit card or wire transfer.
  • Training registration will close 14-days prior to the instructor-led training.

Note: In 2019, the PCI SSC will increase the industry-recognized professional certifications requirement for QSAs from one industry certification to a minimum of two: one information security and one IT audit certification.

The new industry certifications requirement will be effective 1 January 2019 for new QSA employees. For QSA employees qualified and added to the PCI SSC website prior to 1 January 2019, this requirement will be effective upon the assessor’s requalification date after 30 June 2019.

Course Details

Qualified Security Assessor (QSA) training is a two-part program. The first is a seven-hour prerequisite course and exam on PCI Fundamentals. It’s followed by an in-depth, two-day instructor-led course and exam.

Training Overview

PCI Fundamentals assures that all candidates attending the QSA training course have the same baseline understanding.  The PCI Fundamentals course must be completed within thirty days of initial access and a minimum of one week prior to the start of an on-site training class.  This prerequisite course  covers:

  • Understanding the Payment Card Industry Security Standards Council and its role
  • Defining the processes involved in card processing
  • PCI roles and responsibilities
  • Understanding cardholder data
  • Defining network segmentation
  • PCI DSS assessments

Candidates who successfully complete the prerequisite PCI Fundamentals course may move on to the QSA qualification course. This course builds on the knowledge gained in PCI Fundamentals and delves into the actual PCI DSS requirements, testing procedures, compliance reports and more. The Qualified Security Assessor course covers:

  • Payment card industry overview
    • Terminology, transaction data flow
    • Relationships between various organizations in the process
  • Payment card brand validation and reporting requirements
  • PCI Data Security Standard (DSS)
    • Overview of each requirement and testing procedures
  • PCI Hardware and Communications Infrastructure
  • Overview of compliance issues and mitigation strategies
  • Compensating controls
  • PCI Reporting

The instructor-led course also includes case studies providing a simulation of assessment scenarios that may help you in solving common problems you may experience when assessing a client’s payment environment.

How To Prepare

Prior to beginning the PCI Fundamentals training, you should familiarize yourself with these publications on the PCI website:

  • Glossário PCI
  • PCI DSS Self-Assessment Questionnaire (SAQ)
  • Attestation of Compliance (AOC)
  • ROC Reporting for PCI DSS
  • PCI SSC Frequently Asked Questions (FAQs)
Class Schedule

Upcoming Courses

The Council has two-day instructor-led classes in various locations worldwide. See schedule below.

2019 Classes for New AQSA/QSA Assessor Professionals

Date: 15-16 OCT
Location: Dublin, IE*
Time: 09:00-17:30
Price: $3550 USD*
Date: 14-15 NOV
Location: Melbourne, AU*
Time: 09:00-17:30
Price: $2750 USD*
Date: 13-14 NOV
Location: Baltimore, MD
Time: 09:00-17:30
Price: $2750 USD
Please note: All fees are NON-REFUNDABLE and NON-TRANSFERABLE. Unless otherwise specified the training and exam will be delivered in English.

* price does not include any applicable VAT/HST/GST which will appear on your invoice.

Requalification Requirements

In order to maintain the high standards set for this qualification, all QSA employees must re-qualify every 12 months in order to continue as a Qualified Security Assessor. All QSA Program training attendees will be required to sign and accept the terms of the PCI SSC Code of Professional Responsibility at the time they begin the online training.

All training inquiries and assignments must be submitted through the QSA Company's Primary Contact. PCI SSC requires all training attendees to be full time employees of the QSA Company that is submitting them for requalification training.

Assessors must complete registration for requalification training (and be approved, where applicable) prior to their qualification expiration date. An Assessor who is not registered prior to that expiration date must re-enroll as a new candidate. A two-week grace period is provided beyond the expiration date in order to complete requalification training after the Assessor is successfully registered. However candidates are not qualified by PCI SSC during this time and will not be requalified until the requalification exam is successfully completed. The grace period only applies if the candidate has been enrolled for requalification by their expiration date and cannot be used for registration after the QSA expiration date. For further details regarding Requalification please review section 6.1.1 of the Qualified Security Assessors Program Guide.

Please log into the PCI Portal to start the requalification process outlined below:

Continuing Professional Education (CPE) Hours

QSA candidates are required to upload proof of information systems assessment training within the last 12 months to support professional certifications of a minimum 20 Continuing Professional Education (CPE) hours per year and 120 CPE hours over a rolling three year period.

Submission of CPEs

Each QSA candidate must log in to the PCI Portal to enter the past 12 months of CPEs. Once completed and submitted, the CPE submission will be forwarded to the QSA Primary Contact for final approval and enrollment in online requalification training.

  • To see a complete list of all CPE options and the hours allotted, please click here.
  • Once approval of the CPE submission has been approved by the QSA Primary Contact, PCI SSC will issue a training invoice to the QSA Primary Contact for payment.

CPEs must be submitted and approved by the date of a QSA’s certificate expiration date. Requalification training and exam must be completed prior to the end of the candidate’s grace period, or the candidate risks forfeiture of payment and QSA status.

Right for you?

You are an experienced security professional who wishes to be certified as a QSA, and currently work full time for a validated QSA company. The QSA course requires prior certifications (CISSP, CISA or CISM - see registration page for full list). Typical job descriptions include:
  • Information Security Consultant
  • Information Security Auditor
  • Information Security Analyst

Download Case Studies

View Amano McGann Case Study
View Reliant Case Study

Our website uses both essential and non-essential cookies to analyze use of our products and services. This agreement applies to non-essential cookies only. By accepting, you are agreeing to third parties receiving information about your usage and activities. If you choose to decline this agreement, we will continue to use essential cookies for the operation of the website. View Policy

Powered By OneLink