PCI Security Standards Council®

Qualified Security Assessor (QSA)™ Qualification

The Qualified Security Assessor course will teach you how to perform assessments of merchants and service providers who must comply with the PCI Data Security Standard. The course focuses on the 12 high level control objectives and corresponding sub-requirements that are required for compliance. Split into two parts, the course consists of an online component and a two-day instructor-led session.

Become Qualified

Those who attend the training and pass the exam will be authorized to perform assessments and prepare appropriate compliance reports (such as Reports on Compliance (RoC)) required by payment card brands and acquiring banks.

Upon completion of the course, you’ll be able to define the processes involved in payment card processing, understand the PCI DSS requirements and testing procedures, conduct PCI DSS assessments, validate compliance, and generate reports.

Right for you if…

You are an experienced security professional who wishes to be certified as a QSA, and currently work full time for a validated QSA company. The QSA course requires prior certifications (CISSP, CISA or CISM - see registration page for full list). Typical job descriptions include: Information Security Consultant, Auditor, or Analyst.

Upcoming Courses

The Council has two-day instructor-led classes in various locations worldwide. See schedule below.

2016 PCI SSC QSA Course Schedule and Fees

Date
Time
Location
Fee
Date: 10-11 Feb
Time: 09:00-17:30
Location: Orlando, FL Sold Out
Fee: $2500 USD Sold Out
Date: 12-13 Feb
Time: 09:00-17:30
Location: Orlando, FL Sold Out
Fee: $2500 USD Sold Out
Date: 2-3 March
Time: 09:00-17:30
Location:San Diego, CA
Fee: $2500 USD
Date: 16-17 Mar
Time: 09:00-17:30
Location: Bali, Indonesia
Fee: $2500 USD
Date: 3-4 April
Time: 09:00-17:30
Location: Dubai, UAE
Fee: $3300 USD*
Date: 6-7 April
Time: 09:00-17:30
Location: Dallas, TX
Fee: $2500 USD
Date: 19-20 April
Time: 09:00-17:30
Location: London, England
Fee: $3300 USD*
Date: 18-19 May
Time: 09:00-17:30
Location: Denver, CO
Fee: $2500 USD
Date: 8-9 June
Time: 09:00-17:30
Location: Prague, Czech Republic
Fee: $3300 USD*
Date: 27-28 June
Time: 09:00-17:30
Location: Boston, MA
Fee: $2500 USD
Date: 20-21 July
Time: 09:00-17:30
Location: Toronto, Canada
Fee: $2500 USD*
Date: 3-4 Aug
Time: 09:00-17:30
Location: Chicago, IL
Fee: $2500 USD
Date: 7-8 Sep
Time: 09:00-17:30
Location: Zurich, Switzerland
Fee: $3300 USD*
Date: 18-19 Sep
Time: 09:00-17:30
Location: Las Vegas, NV
Fee: $2500 USD
Date: 13-14 Oct
Time: 09:00-17:30
Location: Edinburgh, Scotland
Fee: $3300 USD*
Date: 12-13 Nov
Time: 09:00-17:30
Location: Singapore
Fee: $2500 USD*
Annual QSA requalification training fee is $1,500 USD per Assessor

Please note: Unless otherwise specified, all fees are in US Dollars. All course fees are NON-TRANSFERABLE and NON-REFUNDABLE. An invoice will be issued upon completion of registration and will include instructions to pay by check, credit card or wire transfer.
Payment is required prior to beginning the course. Course conducted in English. Examination delivered in English.

Course Details

Course Description

Qualified Security Assessor (QSA) training is a two-part program. The first is a seven-hour prerequisite course and exam on PCI Fundamentals. It’s followed by an in-depth, two-day instructor-led course and exam.

PCI Fundamentals assures that all candidates attending the QSA training course have the same baseline understanding.  The PCI Fundamentals course must be completed within thirty days of initial access and a minimum of one week prior to the start of an on-site training class.  This prerequisite course  covers:

  • Understanding the Payment Card Industry Security Standards Council and its role
  • Defining the processes involved in card processing
  • PCI roles and responsibilities
  • Understanding cardholder data
  • Defining network segmentation
  • PCI DSS assessments

Candidates who successfully complete the prerequisite PCI Fundamentals course may move on to the QSA qualification course. This course builds on the knowledge gained in PCI Fundamentals and delves into the actual PCI DSS requirements, testing procedures, compliance reports and more. The Qualified Security Assessor course covers:

  • Payment card industry overview
    • Terminology, transaction data flow
    • Relationships between various organizations in the process
  • Payment card brand validation and reporting requirements
  • PCI Data Security Standard (DSS)
    • Overview of each requirement and testing procedures
  • PCI Hardware and Communications Infrastructure
  • Overview of compliance issues and mitigation strategies
  • Compensating controls
  • PCI Reporting

The instructor-led course also includes case studies providing a simulation of assessment scenarios that may help you in solving common problems you may experience when assessing a client’s payment environment.

How to Prepare

Prior to beginning the PCI Fundamentals training, you should familiarize yourself with these publications on the PCI website:

  • Glosario de PCI
  • PCI DSS
  • PCI DSS Self-Assessment Questionnaire (SAQ)
  • Attestation of Compliance (AOC)
  • ROC Reporting for PCI DSS
  • PCI SSC Frequently Asked Questions (FAQs)
Training and Exam

PCI Fundamentals

After the candidate’s resume has been approved, he or she will be registered for the on-site instructor-led session that the Primary Contact requested. An invoice for the full amount of the course will be issued to the Primary Contact and once it has been paid, login credentials for the online prerequisite course PCI Fundamentals will be emailed to the candidate with instructions on how to complete the course.

The online prerequisite course concludes with a 50 question multiple-choice exam. Once the candidate has completed the PCI Fundamentals training and exam, the Primary Contact will be notified of either a passing or failing grade. If the candidate failed the exam, he or she will be allowed one additional attempt to take and pass without being charged an additional fee.*

Once the candidate passes the exam, the candidate's seat will be confirmed for training and a confirmation email will be sent to the Primary Contact with complete location details. As a QSA candidate, your seat is not confirmed until your Primary Contact receives a confirmation email.

*If the candidate receives a failing grade for the PCI Fundamentals course after the second attempt, his or her seat at the instructor-led session will be forfeited. If he or she wishes to try again, the candidate will be required to pay the full course fee for a second time and receive a passing grade in the PCI Fundamentals course to be allowed to attend the two-day instructor-led session. There will be no exceptions made and by paying the invoice, you agree to these terms.

Instructor-Led QSA Qualification Course

This two-day classroom instruction provides:

  • In-person engagement and collaboration as well as networking opportunities
  • Ability to focus on curriculum in classroom setting
  • Learn directly from an expert PCI SSC trainer with hands-on experience assessing merchants and/or service providers

Attendance during the entire two day course is mandatory. Missing more than 30 minutes of the class will automatically result in forfeiture of the PCI SSC QSA exam and removal from the class.

Taking the exam - The certification exam is given immediately following the instructor-led course. The only document you will be allowed to reference during the testing is a translation dictionary, if needed. No electronic devices may be used during the exam. This is a closed book exam. The exam consists of 75 multiple choice questions and you will have 90 minutes to complete it.

The Primary Contact at the QSA Company will be notified of results within two weeks after the candidate attends the instructor-led PCI QSA training and exam. Employees who fail may retake the training and exam, upon payment of a re-test fee. For each attendee that passes the exam, the QSA Company will receive a certificate that validates the employee for the next 12 months.

Note: Hiring or employing a QSA does not assume the Company has met all of the PCI SSC validation requirements.

Registration

In order to attend a QSA  training class, your company must already be a validated QSA Company and you must be a full time employee. Please see the Qualification Requirements for Qualified Security Assessors (QSAs) v2.1. for more details.

Email the following information along with a completed Appendix D for each QSA candidate (located in the Qualification Requirements for Qualified Security Assessors (QSAs) v2.1) to coordinator@pcisecuritystandards.org.

  • Name of candidate
  • Location and Date of desired QSA training
  • Candidate's company email address, country of residence, and native language
  • QSA candidate's resume must be able to show:
    • One or more professional certification*
    • Minimum of one year of experience in EACH of the following security disciplines:
      • Application security
      • Information systems security
      • Network security
      • IT security auditing
      • Information security risk assessment or risk management
    • *Acceptable certifications include:
      • Certified Information System Security Professional (CISSP)
      • Certified Information Security Manager (CISM)
      • Certified Information Systems Auditor (CISA)
      • GIAC Systems and Network Auditor (GSNA)
      • Certified ISO 27001, Lead Auditor, Internal Auditor
      • International Register of Certificated Auditors (IRCA)
      • Information Security Management System (ISMS) Auditor
      • Certified Internal Auditor (CIA)
  • All QSA program training attendees must accept and sign the PCI SSC QSA Employee Certification form and submit at the training session.
  • An invoice will be issued upon completion of registration and will include instructions to pay by check, credit card or wire transfer.
  • Training confirmation and location details will not be sent until payment is received. The exact location of each new QSA training session is sent to the Primary Contact only, and is sent approximately 30 days prior to the session being held, if the training invoice has been paid.
Learn More

Note: The requirement to possess at least one industry-recognized certification is effective as of 1 January 2016 for new QSA  Employees. For QSA Employees qualified and added to the search tool prior to 1 January 2016, this requirement is effective 1 July 2016 (for example, upon annual requalification after 30 June 2016).

Requalification

In order to maintain the high standards set for this qualification, all QSA employees must re-qualify every 12 months in order to continue as a Qualified Security Assessor. All QSA Program training attendees will be required to sign and accept the terms of the PCI SSC QSA Employee Certification form at the time they begin the online training.

All training inquiries and assignments must be submitted through the QSA Company's primary contact. PCI SSC requires all training attendees to be full time employees of the QSA Company that is submitting them for requalification training.

Please submit an email with the name of the employee and required documentation outlined below:

*Note: Payment of the training invoice must be received before login information will be sent to the candidate.

Continuing Professional Education (CPE) Hours

QSA candidates are required to submit proof of information systems assessment training within the last 12 months to support professional certifications of a minimum 20 Continuing Professional Education (CPE) hours per year and 120 CPE hours over a rolling three year period.

  • Training provided by PCI SSC will count towards the annual CPE hours.
  • New QSA 2016 Training 16 CPE hours.
  • Requal QSA Training taken in 2015 and beyond is granted 8 CPE hours; prior to 2015 it is granted 5 CPE hours.
  • These must be included in the CPE submission sent to the PCI SSC. They will not be added automatically.

Submission of CPEs

Each QSA candidate should access the Assessor Portal, to enter the past 12 months of CPEs. Once completed the CPE submission will be forwarded to the QSA Primary contact for final approval and online class date determination.

  • To see a complete list of all CPE options and the hours allotted, please click here. Once approval of the CPE submission is granted in the Assessor Portal by the QSA Primary contact, PCI SSC will issue the training invoice to the primary contact for payment.
  • Payment of the training invoice must be received before access to training materials is provided to the candidate.

Requalification training and test must be completed prior to expiry of the qualification. Tests not taken or completed risk forfeiture of payment and QSA status for the employee.

Powered By OneLink