Internal Security Assessor (ISA) Program
Large merchants, acquiring banks and processors may want to consider the PCI SSC Internal Security Assessor (ISA) Program as a means to build their internal PCI Security Standards expertise, strengthen their approach to payment data security, and increase their efficiency in complying with data security standards. The ISA Program provides an opportunity for eligible internal security audit professionals of qualifying organizations to receive PCI DSS training and certification that will improve the organization’s understanding of the PCI DSS, facilitate the organization’s interactions with QSAs, enhance the quality, reliability, and consistency of the organization’s internal PCI DSS self-assessments, and support the consistent and proper application of PCI DSS measures and controls.

There is a multi-step procedure for participation in the ISA Program. First, the interested organization must become qualified as an ISA Sponsor Company; then, the individual employees of the organization must receive training on how to validate and maintain ongoing PCI compliance within their organizations. When these steps are successfully completed, acceptance into the ISA program will be confirmed. Annual re-qualification of employees is required.

The Process of Becoming an ISA

Step 1 – Review

Refer to the ISA Qualification Requirements for complete program description and requirements and to confirm that both you and your organization are well suited for the program.

Step 2 – Apply

Complete the online application form through PCI SSC’s secure portal. Application requirements include:

    • Submit ISA registration form
    • Complete company application (Primary Contact will gain access to the online application only after the ISA registration form has been approved by PCI SSC).
    • Enroll professionals in ISA training (Primary Contact will have the ability to enroll professionals in ISA training through the portal only after the ISA Company application has been approved).
    • Submit payment (training invoice will be emailed to Primary Contact within 2-3 business days of ISA training request approval). For more information about the training fees, please see the ISA Training Pricing page.

Step 3 – Train

Once the online PCI Fundamentals training has been completed and its exam passed, the Primary Contact will receive the location details for the instructor-led class or the login credentials for the eLearning class; these details are not released until that training and exam have been completed.

Step 4 – Enrollment

Once the PCI Security Standards Council has approved the application and the company’s designated ISA employees have attended and passed the ISA training, the ISA Sponsor Company will receive confirmation of acceptance into the program, and each ISA employee will receive a Certificate of Qualification. The ISA employees will be added to the Council’s database of certified ISA personnel, and the company may then perform its own security audits until the annual Requalification training must be completed to maintain the certification.