
Internal Security Assessors

Large merchants, acquiring banks and processors may want to consider the PCI SSC Internal Security Assessor (ISA) Program as a means to build their internal PCI Security Standards expertise, strengthen their approach to payment data security, and increase their efficiency in complying with data security standards. The ISA Program provides an opportunity for eligible internal security assessment professionals of qualifying organizations to receive PCI DSS training and certification that will improve the organization’s understanding of the PCI DSS, facilitate the organization’s interactions with QSAs, enhance the quality, reliability, and consistency of the organization’s internal PCI DSS self-assessments, and support the consistent and proper application of PCI DSS measures and controls.

There is a multi-step procedure for participation in the ISA Program, which is detailed below. Annual re-qualification of both company and employees is required.

The Process of Becoming an ISA

Step 1 - Review

Refer to the ISA Qualification Requirements for the complete program description and requirements, and to confirm that both you and your organization are well suited for the program.

Step 2 - Apply

Complete the online application form through PCI SSC’s secure portal. Application requirements include:

    • Submit ISA registration form 
    • Complete company application (Primary Contact will gain access to the online application only after the ISA registration form has been approved by PCI SSC).
    • Enroll professionals in ISA training (Primary Contact will have the ability to enroll professionals in ISA training through the portal only after the ISA Company application has been approved).
    • Submit payment (training invoice will be emailed to Primary Contact within 2-3 business days of ISA training request approval). If the Instructor-Led Training is hosted by a PGTN Provider, the invoice shall be issued by the PGTN Provider. For more information about the training fees, please see the Training Schedule & Pricing page.

Step 3 - Train

Upon receipt of payment, the designated primary contact will receive instructions for the online prerequisite portion of the training. Once the PCI Fundamentals training and exam have been passed successfully, the primary contact will receive the location details for the instructor-led class or login credentials for the eLearning class. These details will not be released until the online PCI Fundamentals training has been taken and the exam passed.

Step 4 - Enrollment

Once the application has been approved by the PCI Security Standards Council, and its designated ISA employees have attended and passed the ISA training, the ISA Sponsor Company will receive confirmation of acceptance into the program, and the ISA employees will each receive a Certificate of Qualification. The ISA employees will be added to the Council's database of certified ISA personnel, and the company may now perform its own security audits until the time comes to complete the annual Requalification training to maintain the certification.



The PCI Security Standards Council (the "Council") provides a variety of tools, questionnaires, guidance, FAQs, training resources and other materials and information to assist organizations seeking to achieve compliance with its standards (the "Standards"). Third party products and services are also available, but the Council does not endorse or recommend any such third party products or services, and advises all organizations seeking to achieve compliance to become familiar with the Standards and related requirements before purchasing third party products or services. Ultimately, all applicable requirements must be met in order to achieve compliance, regardless of whether or what third party products or services are used.