PCI Security Standards Council®

Associate QSA (AQSA) Qualification

The Associate QSA (AQSA) Program prepares you to support and learn from Qualified Security Assessors (QSAs) as they perform assessments of merchants and service providers who must comply with the PCI Data Security Standard (PCI DSS).

AQSA candidates follow the same training path as QSAs, and the course focuses on the 12 high-level control objectives and corresponding sub-requirements that are required for PCI DSS compliance.

Become Qualified

Split into two parts, the course consists of an online component and a two-day instructor-led session covering the processes involved in payment card processing, PCI DSS requirements and testing procedures, how to conduct PCI DSS assessments, validate compliance and generate reports. Upon successful completion of the training and exam, trainees are equipped to assist in conducting PCI DSS assessments and preparing appropriate compliance reports with the oversight of a QSA mentor at their QSA Company.

Right for you if…

You are an experienced security professional who currently works full-time for a validated QSA company, but does not meet the industry certification requirement to apply for full QSA status. The AQSA program provides an opportunity for security professionals to learn on the job under a formal mentorship program driven by active QSA professionals.

Please contact your organization’s QSA Primary Contact to enroll in the AQSA program.

Course Details

Course Description

Qualified Security Assessor (QSA) training is a two-part program. The first is a seven-hour prerequisite course and exam on PCI Fundamentals. It’s followed by an in-depth, two-day instructor-led course and exam.

PCI Fundamentals assures that all candidates attending the QSA training course have the same baseline understanding. The PCI Fundamentals course must be completed within thirty days of initial access and a minimum of one week prior to the start of an on-site training class. This prerequisite course covers:

  • Understanding the Payment Card Industry Security Standards Council and its role
  • Defining the processes involved in card processing
  • PCI roles and responsibilities
  • Understanding cardholder data
  • Defining network segmentation
  • PCI DSS assessments

Candidates who successfully complete the prerequisite PCI Fundamentals course may move on to the QSA qualification course. This course builds on the knowledge gained in PCI Fundamentals and delves into the actual PCI DSS requirements, testing procedures, compliance reports and more. The Qualified Security Assessor course covers:

  • Payment card industry overview
    • Terminology, transaction data flow
    • Relationships between various organizations in the process
  • Payment card brand validation and reporting requirements
  • PCI Data Security Standard (DSS)
    • Overview of each requirement and testing procedures
  • PCI Hardware and Communications Infrastructure
  • Overview of compliance issues and mitigation strategies
  • Compensating controls
  • PCI Reporting

The instructor-led course also includes case studies providing a simulation of assessment scenarios that may help you in solving common problems you may experience when assessing a client’s payment environment.

How to Prepare

Prior to beginning the PCI Fundamentals training, you should familiarize yourself with these publications on the PCI website:

  • PCI Glossary
  • PCI DSS
  • PCI DSS Self-Assessment Questionnaire (SAQ)
  • Attestation of Compliance (AOC)
  • ROC Reporting for PCI DSS
  • PCI SSC Frequently Asked Questions (FAQs)

Training and Exam

PCI Fundamentals

The online prerequisite course concludes with a 50-question multiple-choice exam. Once the candidate has completed the PCI Fundamentals training and exam, the Primary Contact will be notified of either a passing or failing grade. If the candidate fails the exam, he or she will be allowed one additional attempt to take and pass it without being charged an additional fee.*

*If the candidate receives a failing grade for the PCI Fundamentals course after the second attempt, his or her seat at the instructor-led session will be forfeited. If he or she wishes to try again, the candidate will be required to pay the full course fee for a second time and receive a passing grade in the PCI Fundamentals course to be allowed to attend the two-day instructor-led session. There will be no exceptions made and by paying the invoice, you agree to these terms.

Instructor-Led QSA Qualification Course

This two-day classroom instruction provides:

  • In-person engagement and collaboration as well as networking opportunities
  • The ability to focus on the curriculum in a classroom setting
  • Direct learning from an expert PCI SSC trainer with hands-on experience assessing merchants and/or service providers

Attendance during the entire two-day course is mandatory. Missing more than 30 minutes of the class will automatically result in forfeiture of the PCI SSC QSA exam and removal from the class.

Taking the exam - The certification exam is given immediately following the instructor-led course. The only document you will be allowed to reference during testing is a translation dictionary, if needed. No electronic devices may be used during the exam. This is a closed-book exam. The exam consists of 75 multiple-choice questions and you will have 90 minutes to complete it.

The Primary Contact at the QSA Company will be notified of results within two weeks after the candidate attends the instructor-led PCI QSA training and exam. Employees who fail may retake the training and exam, upon payment of a re-test fee. For each attendee that passes the exam, the QSA Company will receive a certificate that validates the employee for the next 12 months.

Note: Hiring or employing a QSA does not assume the Company has met all of the PCI SSC validation requirements.

Class Schedule

Upcoming Courses

The Council has two-day instructor-led classes in various locations worldwide. See schedule below.

2018 Classes for New AQSA/QSA Professionals

| Date | Location | Time | Price |
|---|---|---|---|
| 3-4 DEC | Washington, D.C. (SOLD OUT) | 09:00-17:30 | $2750 USD |

2019 Classes for New AQSA/QSA Assessor Professionals

Registration will open on 1 December. Sorry, no early birds.

| Date | Location | Time | Price |
|---|---|---|---|
| 23-24 JAN | Austin, TX | 09:00-17:30 | $2750 USD |
| 25-26 JAN | Austin, TX | 09:00-17:30 | $2750 USD |
| 13-14 FEB | Barcelona, ES* | 09:00-17:30 | $3550 USD* |
| 11-12 MAR | Delhi, India | 09:00-17:30 | $2750 USD |
| 18-19 MAR | Miami, FL | 09:00-17:30 | $2750 USD |
| 8-9 APR | Birmingham, UK* | 09:00-17:30 | $3550 USD* |
| 10-11 APR | Tokyo, JP* (class conducted in English with simultaneous translation via headset in Japanese) | 09:00-17:30 | $3550 USD* |
| 16-17 MAY | Denver, CO | 09:00-17:30 | $2750 USD |
| 13-14 JUN | London, UK* | 09:00-17:30 | $3550 USD* |
| 10-11 JUL | Nashville, TN | 09:00-17:30 | $2750 USD |
| 29-30 JUL | Edinburgh, UK* | 09:00-17:30 | $3550 USD* |
| 12-13 SEP | Vancouver, CA* | 09:00-17:30 | $2750 USD* |
| 15-16 OCT | Dublin, IE* | 09:00-17:30 | $3550 USD* |
| 14-15 NOV | Melbourne, AU* | 09:00-17:30 | $2750 USD* |
| 13-14 NOV | Baltimore, MD | 09:00-17:30 | $2750 USD |

Please note: All fees are NON-REFUNDABLE and NON-TRANSFERABLE. Unless otherwise specified the training and exam will be delivered in English.

* Price does not include any applicable VAT/HST/GST, which will appear on your invoice.

Registration

In order to attend a QSA training class, your company must already be a validated QSA Company and you must be a full-time employee. Please see the Qualification Requirements for Qualified Security Assessors (QSAs) v3.0 for more details.

In order to register, work with your organization’s QSA Primary Contact to submit an AQSA application through the PCI Portal. Required information will include:

  • Legal name of candidate
  • Location and Date of desired QSA training
  • Candidate's company email address, country of residence, and native language
  • AQSA candidate's resume, which must show possession of a university or college diploma OR a minimum of two years’ experience in an Information Security or IT-related field.
  • All QSA program training attendees must accept and sign the PCI SSC Code of Professional Responsibility and submit it at the training session.
  • An invoice will be issued to the QSA primary contact upon completion of registration and will include payment instructions.

Requalification

In order to maintain the high standards set for this qualification, all Assessor employees must requalify every 12 months in order to continue as an Associate Qualified Security Assessor. All QSA Program training attendees will be required to sign and accept the terms of the PCI SSC Code of Professional Responsibility at the time they begin the online training.

Continuing Professional Education (CPE) Hours

Before registering for requalification training, AQSA candidates are required to submit proof of information systems assessment training within the past 12 months to support professional certifications of a minimum 20 Continuing Professional Education (CPE) hours per year and 120 CPE hours over a rolling three-year period. Training provided by PCI SSC will count towards the annual CPE hours. See the CPE Maintenance Guide for additional information on eligible activities.

Submission of CPEs

Each AQSA candidate should enter their CPEs in the PCI Portal. Once completed, the QSA primary contact will be notified and must log into the portal to provide their approval. Once the CPE submission is approved, the candidate will then be automatically enrolled in requalification training, and a training invoice will be issued to the primary contact.

Candidate CPEs must be approved and their training registration must be complete prior to their certificate’s expiry date. Candidates must complete the training and exam no later than the end of their grace period (14 days after their expiration date). If a candidate does not complete requalification, their training fee and AQSA status are forfeit.

Note: Payment of the training invoice must be received before the candidate can access the requalification exam.

Note: AQSA professionals are not considered active during their grace period, until/unless they successfully complete the requalification exam.
