Become a P2PE Assessor
The PCI Security Standards Council operates an in-depth program for security companies seeking to become Point-to-Point Encryption Qualified Security Assessors (QSA (P2PE)/PA-QSA (P2PE)), and to be re-certified each year. The five founding members of the Council recognize the P2PE Assessors certified by the PCI Security Standards Council as being qualified to assess compliance to the PCI P2PE standard.
Because the quality of PCI P2PE application and solution validation assessments can have a tremendous impact on the consistent and proper application of security measures and controls, the PCI Security Standards Council’s P2PE qualification requirements are exacting and detailed, involving both the security companies and their individual employees. The time elapsed from application submission to a new P2PE being listed on the PCI Security Standards Council Web site is estimated at three months.
The high-level qualification requirements are as follows. Prospective P2PE companies must:
- Apply as a firm, as well as, individual employees for qualification in the program;
- Provide documentation for both adhering to the P2PE Qualification Requirements;
- Qualify individual employees, through training and testing, to perform the assessments; and
- Execute an agreement with the PCI Security Standards Council governing performance.
The Process of Becoming a P2PE Assessor
Step 1 – Application
The security company must first submit the required documentation for both company and individual employees and the registration fee, which is credited against the initial enrollment fee if the firm becomes qualified. Please see the P2PE Qualification Requirements. All application materials must be submitted electronically via PCI SSC’s secure portal. Applicants should submit their request for access to this secure portal and application forms by sending an e-mail to firstname.lastname@example.org, attention “Program Manager.” Please note that mail and e-mail application submissions will not be accepted.
The Council will review these materials, and will communicate with the security company to address any issues or lack of information. When the materials are complete, the prospective P2PE Assessor Company (P2PE-QSAC) will be invited to schedule training for its employees.
Step 2 – Training
All individuals who will be involved in assessing security for the company’s clients must undergo and pass the Council’s P2PE training course and receive official certification. Individual fees apply. A Council representative will schedule training for the prospective QSA (P2PE)/PA-QSA (P2PE) employees, and the company will be notified whether they pass or fail the test at the end of the course. For more information regarding P2PE training, please click here.
Step 3 - Enrollment
When the enrollment fee balance has been received by the PCI Security Standards Council, the security company will receive a Letter of Acceptance from the Council, and each of its employees who has passed the training course will receive a Certificate of Qualification. The new P2PE firm will be listed on the Council Web site, the employees will be added to the Council’s database of certified personnel, and the company may now perform audits for its clients.
To ensure that security audits are carried out at the highest levels of quality and professionalism, the PCI Security Standards Council encourages the payment brands and other entities to submit audit Quality Feedback Forms, which will be evaluated by the Council’s Technical Working Group. If a P2PE Assessor Company and/or Individual is judged to be deficient in its audit efforts, the Council will engage in dialog to recommend measures for improvement. If improvement is not deemed sufficient, the result could be disqualification for the P2PE Assessor Company and/or Individual and removal from the Website list.