Internal Security Assessor (ISA) Program


Large merchants, acquiring banks and processors may want to consider the PCI SSC Internal Security Assessor (ISA) Program as a means to build their internal PCI Security Standards expertise, strengthen their approach to payment data security, and increase their efficiency in complying with the data security standards. The ISA Program gives eligible internal security audit professionals of qualifying organizations the opportunity to receive PCI DSS training and certification. This improves the organization's understanding of the PCI DSS, facilitates its interactions with QSAs, enhances the quality, reliability and consistency of its internal PCI DSS self-assessments, and supports the consistent and proper application of PCI DSS measures and controls.

Participation in the ISA Program is a multi-step procedure. First, the interested organization must become qualified as an ISA Sponsor Company; then, the individual employees of the organization must receive training on how to validate and maintain ongoing PCI compliance within their organization. When these steps are successfully completed, acceptance into the ISA Program is confirmed. Annual re-qualification of both the company and its employees is required.

The Process of Becoming an ISA

Step 1 - Application

An organization wishing to send an employee to ISA training must first submit the required application, attesting to facts about the organization and agreeing to the terms of the ISA Program, in order to be considered as an ISA Sponsor Company. Please see the Internal Security Assessor Program - ISA Qualification Requirements 1.2.

Submit your application and requirements to:

PCI Security Standards Council - ISA Program
401 Edgewater Place, Suite 600
Wakefield, MA 01880

The Council will review these materials and will communicate with the sponsor company to address any issues or missing information. When the materials are complete, the prospective ISA Sponsor Company will be invited to schedule training for its employees.

Step 2 - Training

All individuals who will be involved in assessing security for the Sponsor Company must undergo and pass the Council's ISA training course and receive official certification. Individual fees apply. A Council representative will schedule training for the prospective attendees, and the company will be notified whether each attendee passed or failed the test at the end of the course. For more information regarding ISA training, see the Council's ISA training page.

Step 3 - Enrollment

Once the Sponsor Attestation has been received and reviewed by the PCI Security Standards Council, and the designated ISA employees have attended and passed the ISA training, the ISA Sponsor Company will receive confirmation of acceptance into the program, and each ISA employee will receive a Certificate of Qualification. The ISA employees will be added to the Council's database of certified ISA personnel, and the company may then perform its own security audits.

The PCI Security Standards Council (the "Council") provides a variety of tools, questionnaires, guidance, FAQs, training resources and other materials and information to assist organizations seeking to achieve compliance with its standards (the "Standards"). Third-party products and services are also available, but the Council does not endorse or recommend any such third-party products or services, and advises all organizations seeking to achieve compliance to become familiar with the Standards and related requirements before purchasing third-party products or services. Ultimately, all applicable requirements must be met in order to achieve compliance, regardless of whether, or which, third-party products or services are used.