Internal Security Assessor (ISA)™ Qualification

The Internal Security Assessor program teaches you how to perform internal assessments for your company and recommend solutions to remediate issues related to PCI DSS compliance. Assessors are sponsored by their companies, so when you receive this qualification you will be able to act as a liaison with external PCI auditors and manage interactions with a Qualified Security Assessor (QSA).

Course Highlights

Internal Security Assessor (ISA) training is a two-part program. The first is a five-hour prerequisite course and exam about PCI Fundamentals. It’s followed by an in-depth course (that can be taken via either instructor-led or online eLearning format) and exam.

Benefits of the course include:

  • Understand the PCI DSS and how it can help protect your customer data and your business
  • Define the processes involved in card processing and network segmentation
  • Help your organization build internal expertise and assess its compliance with PCI Standards
  • Enhance payment card data security and manage compliance costs

Candidates who successfully complete the prerequisite PCI Fundamentals course may move on to the ISA qualification course. This course builds on the knowledge gained in PCI Fundamentals and delves into the actual PCI DSS requirements, testing procedures, compliance reports and more. The Internal Security Assessor course covers:

  • What is PCI and what does it mean to companies that must meet compliance with the DSS?
    • Industry overview
    • Terminology
    • Transaction data flow
    • Relationships between various organizations in the process
  • How the credit card brands differ in their validation and reporting requirements
  • PCI Data Security Standard (DSS)
    • Overview of each requirement
    • Testing procedures
    • What constitutes compliance
  • PCI Hardware and Communications Infrastructure
  • PCI Reporting
  • Overview of compliance issues and mitigation strategies
  • Compensating controls
  • Creating policies
  • Modifying cardholder data environment

The instructor-led course includes case studies providing a simulation of assessment scenarios that may help you in solving common problems within your own payment environment. More information will be provided about the exam upon registration.

For those taking ISA training via eLearning, click here to locate a testing center near you.

Right for You?

You are an experienced internal auditor, or an internal security or risk assessment professional at a retailer, institution, acquiring bank or processor.

Digital Badging

When you become an Internal Security Assessor, display your digital badge and represent your skills and gives you a way to share your abilities online in a way that is simple, trusted and can be easily verified in real time.

Schedule

  • 3-4 Feb 2025

    09:00-17:30 (local time)

    Atlanta, GA

  • 5-6 Mar 2025

    09:00-17:30 (local time) This class will be conducted in Spanish

    Mexico City, MX: Hosted by 1stSecureIT (dba GM Sectec). For pricing and registration, please contact Romana Sturdikova at romana.sturdikova@gmsectec.com

  • 18-19 Mar 2025

    09:00-17:30 (local time) This class will be conducted in Spanish

    Madrid, Spain: Hosted by BOTECH FPI (dba Solver4). For pricing and registration, please contact Alberto Espana at aespana@botech.info

  • 24-25 Mar 2025

    09:00-17:30 (local time)

    Phoenix, AZ

  • 10 Apr 2025

    09:00-17:30 ET (13:00-21:30 UTC)

    Virtual Instructor-Led (vILT)

  • 19-20 May 2025

    09:00-17:30 (local time)

    Glasgow, UK*

  • 21-22 Jul 2025

    09:00-17:30 (local time)

    Denver, CO

  • 23-24 Jul 2025

    09:00-17:30 (local time) This class will be conducted in Spanish

    Medellin, CO: Hosted by 1stSecureIT (dba GM Sectec). For pricing and registration, please contact Romana Sturdikova at romana.sturdikova@gmsectec.com

  • 7 Aug 2025

    05:00-13:30 ET (09:00-17:30 UTC)

    Virtual Instructor-Led (vILT)

  • 12-13 Aug 2025

    09:00-17:30 (local time) This class will be conducted in Spanish

    Dominican Republic Hosted by BOTECH FPI (dba Solver4). For pricing and registration, please contact Alberto Espana at aespana@botech.info

  • 27-28 Aug 2025

    09:00-17:30 (local time) This class will be conducted in Spanish

    Santiago, CL: Hosted by 1stSecureIT (dba GM Sectec). For pricing and registration, please contact Romana Sturdikova at romana.sturdikova@gmsectec.com

  • 9-10 Sep 2025

    09:00-17:30 (local time)

    Fort Worth, TX

  • 15-16 Sep 2025

    19:00-03:00 ET (23:00-07:00 UTC) This class will be simultaneously translated into Japanese. Please note that for participants in Japan, this class begins at 8:00 JST on 16 September.

    Virtual Instructor-Led (vILT)

  • 7-8 Oct 2025

    09:00-17:30 (local time)

    Amsterdam, NL*

  • 30 Oct 2025

    09:00-17:30 ET (13:00-21:30 UTC)

    Virtual Instructor-Led (vILT)

  • 3-4 Nov 2025

    09:00-17:30 (local time)

    Seattle, WA

  • 18 Nov 2025

    10:00-18:30 ET (15:00-23:30 UTC) This class will be conducted in Spanish

    vILT Hosted by BOTECH FPI (dba Solver4). For pricing and registration, please contact Alberto Espana at aespana@botech.info

  • 4 Dec 2025

    05:00-13:30 ET (10:00-18:30 UTC)

    Virtual Instructor-Led (vILT)

vILT (Virtual Instructor led) classes are a combination of eLearning and a live webinar.

* Pricing for these classes does not include VAT, HST, etc.

Rectangle-Copy.webp

Become an ISA when you take this class and become qualified.

Prices

Course Price As of 1 Jan 2025

New ISA Training Non-PO (In person or eLearning)

$3,720 USD $4,000 USD

New ISA Training (In person or eLearning) Principal/Associate PO

$1,890 USD $2,000 USD

Requalification ISA Training Non-PO

$1,440 USD $1,600 USD

Requalification ISA Training PO

$1,260 USD $1,350 USD

New ISA Exam Retake fee via Pearson VUE

$185 USD $200 USD

Training class change fee

$185 USD $185 USD

Please note: Unless otherwise specified the training and exam will be delivered in English.

Price does not include any applicable VAT/HST/GST which will appear on your invoice.

* Not including VAT

**Become a Participating Organization and SAVE up to 40% on ISA training fees. To learn about becoming a Participating Organization please click here.

training-corp-group-training-3.jpg
If you have a group to train, please consider our Corporate Group Training instructor-led option, where an expert PCI instructor comes to your facility (or any location you choose) to deliver the course. We offer volume discounts – the more you train, the more you save!

Training Formats and Exam Information

New Training Offerings:

All offerings will include a 5-hour online prerequisite Fundamentals course followed by a 60-question multiple-choice exam. Three attempts to pass Fundamentals will be allowed.

  • Instructor-led training (ILT): In-person, instructor-led classroom training with an exam to follow.
  • Virtual Instructor-led training (vILT): Combination online training and instructor-led webinar with an exam offered via Pearson Vue within 30 days of webinar.
  • eLearning: Self-paced computer-based training (CBT). You will have 90 days from the receipt of payment to complete all components of the training and the exam. The exam will be delivered via Pearson Vue.
  • Please see Schedule tab for dates of ILT and vILT trainings

New Exam Specifics:

  • All exams are closed book.
  • Exam is 60 multiple choice questions with a 90-minute time limit.
  • Results of in person exams are delivered within 10 business days.
  • Results of Pearson Vue exams are delivered upon completion of the exam.
  • 75% or higher to pass the exam; the only information that can be released concerning exams is your grade.
  • If you fail the exam, you are allowed one retake (within 30 days of failure notice) for a fee.

Registration Process

Registrants must have significant relevant security audit and assessment experience (including but not limited to Network Security, Application Security and Consultancy, System Integration, and Auditing).  A minimum of five years experience is recommended.

Complete and Submit an Application

ISA training candidates must be sponsored by their employer.

If your company is already an ISA sponsor, please request that your Primary Contact submit a training registration on your behalf through the ISA Portal.

If your company is not already an ISA sponsor, please refer to the ISA Qualification Requirements for a complete program description and requirements, and to confirm that both you and your organization are well suited for the program. Then follow the steps below:

  1. Submit ISA registration form
  2. Complete company application (Primary Contact will gain access to the online application on  the PCI SSC secure portal only after the ISA registration form has been approved).
  3. Enroll professionals in ISA training (Primary Contact will have the ability to enroll professionals in ISA training through the portal only after the ISA Company application has been approved).

Submit payment (training invoice will be emailed to Primary Contact within 2-3 business days of ISA training request approval). For more information about the training fees, please see the ISA Training Pricing page.

How to Prepare for the Exam

Prior to beginning the PCI Fundamentals training, you should familiarize yourself with these publications on the PCI website:

training-pci-fundamentals.jpg

The PCI Fundamentals online course must be completed prior to the start of your training class.

Requalification

Requalification Requirements

In order to maintain the high standards set for this certification, all ISA employees must re-certify every 12 months in order to continue as an Internal Security Assessor for their Sponsor Company. All ISA Program training attendees will be required to sign and accept the terms of the PCI SSC ISA Employee Certification form at the time they begin the online training.

Requalification specifics:

  • Approved assessors are allowed to register for requalification training as early as 90 days prior to their expiration date. Once registered, they will receive immediate access to the eLearning training.
  • Registration must be submitted no later than the candidate’s expiration date.
  • Exam access is given no earlier than four (4) weeks prior to expiration date AND invoice is paid.
  • An Assessor who is not registered for requalification training before midnight Eastern Time on their qualification expiration date, or who does not achieve a passing score on the exam by the end of their qualification period, will be required to re-enroll as a new candidate.


Requalification exam:

  • Non-proctored remote exam
  • 50 multiple choice questions with a 75-minute time limit.
  • 75% or higher to pass the exam; the only information that can be released concerning exams is the grade.
  • If you fail the exam, please have the primary contact email administration@pcisecuritystandards.org for the next steps.

 

PCI isn't the most exciting or entertaining material. With the instructor's humor and real world experience, learning PCI and how to be an ISA was a good experience.

Loved the training. I learned a lot and made many notes on what I need to do for 2013 SAQ.

The instructor did an excellent job, I highly recommend him for all future trainings.