Become an Associate QSA (AQSA)


The PCI Security Standards Council’s new Associate QSA (AQSA) program provides QSA Companies a path for bringing in new cybersecurity professionals and developing them into full QSAs under the guidance of an experienced mentor.

The Process of Becoming an Associate QSA

Step 1 – Application

The Primary Contact is responsible for submitting applications for Associate QSA candidates to join the AQSA program via the PCI SSC online portal. As part of the application, each QSA Company is responsible for submitting a copy of their Mentor Manual with their first Associate QSA application. They are also responsible for submitting a resume, desired training course and relevant experience/skills in Information Security or IT-related field with each Associate QSA application.

Note: A QSA Company is eligible to take part in the Associate QSA Program if it is in Good Standing (as defined in the QSA Agreement) as a QSA Company and has been active as a QSA Company for at least two years.

The Primary Contact should review the QSA Program Guide and the Qualification Requirements for Qualified Security Assessors (QSA) to ensure the candidate has the required qualifications for the Associate QSA program.

The Council will review these materials and will communicate with the QSA company to address any issues or lack of information. When the materials are complete and the Associate QSA application is approved, the Associate QSA candidate will be added to the requested training course.

Step 2 – Enrollment

Once the candidate has been enrolled in QSA training, they will receive access to the online PCI Fundamentals course and exam. Upon passing PCI Fundamentals, the candidate will receive confirmation of their seat at instructor-led training and exam. The company will be notified within two weeks of completion of the course, whether the candidate passed or failed the exam. For more information regarding QSA training, please click here.

Upon passing the exam, the newly certified Associate QSA will receive a certificate and added to the Council’s Website listing of certified personnel.

Note: An Associate QSA who has passed the training and exam will not receive their certificate until PCI Security Standards Council has received payment for their training invoice.

To provide reasonable assurance that security assessment activities carried out by the AQSA meet baseline standards of quality and professionalism, the PCI Security Standards Council encourages the payment brands and other impacted entities to complete the online Feedback Form for the QSA Company. If an Associate QSA is judged to be deficient in its assessment efforts, or if the QSA Company is determined to have committed conduct that constitutes a “Violation” of applicable AQSA Program requirements, the Council will engage in dialog to drive quality improvement. If improvement is not deemed sufficient, the result could be disqualification for the Associate QSA and removal from the Website list and/or PCI SSC may revoke a QSA Company’s eligibility to participate in the AQSA Program.

Step 3 - Transition from AQSA to QSA

Once the candidate has met the full QSA qualification requirements, the Primary Contact may choose to submit a Transition Request: Associate QSA to QSA. This request can be found in the QSA/AQSA Employee Application section in the portal.

Note: The transition from Associate QSA to QSA will not involve re-training or re-taking the QSA exam.

Once the Transition Request is submitted through the portal, the Council will review the request. After it is confirmed that the candidate meets the requirements of the QSA program and the Transition Request is approved, an invoice for the AQSA Admin Fee will be generated. When the fee has been paid, the candidate will be assigned full QSA status. For a list of QSA Program Fees, please click here.