PCI Security Standards Council®

Internal Security Assessor (ISA) Program


Large merchants, acquiring banks and processors may want to consider the PCI SSC Internal Security Assessor (ISA) Program as a means to build their internal PCI Security Standards expertise, strengthen their approach to payment data security, and increase their efficiency in complying with data security standards. The ISA Program provides an opportunity for eligible internal security audit professionals of qualifying organizations to receive PCI DSS training and certification that will improve the organization’s understanding of the PCI DSS, facilitate the organization’s interactions with QSAs, enhance the quality, reliability, and consistency of the organization’s internal PCI DSS self-assessments, and support the consistent and proper application of PCI DSS measures and controls.

There is a multi-step procedure for participation in the ISA Program. First, the interested organization must become qualified as an ISA Sponsor Company; then, the individual employees of the organization must receive training on how to validate and maintain ongoing PCI compliance within their organizations. When these steps are successfully completed, acceptance into the ISA program will be confirmed. Annual re-qualification of employees is required.

The Process of Becoming an ISA

Step 1 - Review

Refer to the ISA Qualification Requirements for the complete program description and requirements, and to confirm that both you and your organization are well suited for the program.

Step 2 - Apply

Complete the online application form through PCI SSC’s secure portal. Application requirements include:

Step 3 - Train

Upon receipt of payment, the designated primary contact will receive instructions for the online prerequisite portion of the training. Once the PCI Fundamentals training and exam have been passed successfully, the primary contact will receive the location details for the instructor-led class or login credentials for the eLearning class. These details will not be released until the online PCI Fundamentals training has been taken and the exam passed.

Step 4 - Enrollment

Once the application has been approved by the PCI Security Standards Council, and its designated ISA employees have attended and passed the ISA training, the ISA Sponsor Company will receive confirmation of acceptance into the program, and the ISA employees will each receive a Certificate of Qualification. The ISA employees will be added to the Council's database of certified ISA personnel, and the company may now perform its own security audits until the time comes to complete the annual Requalification training to maintain the certification.