PCI Security Standards Council®

Payment Application Qualified Security Assessor (PA-QSA)™ Qualification

The Payment Application Qualified Security Assessor curriculum teaches you to perform assessments of third-party developed payment applications to ensure compliance with the Payment Application Data Security Standard (PA-DSS). With this training course, you will become an expert on the requirements for PA-DSS compliance and help ensure the consistent, proper application of security measures and controls for payment applications.

Upon completion of the course, you’ll be able to:

Become Qualified

Right for you if…

You are a current QSA who is employed by a QSA company performing assessments of third-party payment applications for compliance with PA-DSS. Typical job titles include: Managing Director of Compliance Services, Practice Lead Security Assessor, Senior Security Consultant, Information Security Analyst, and Information Security Auditor.

Course Details

Course Description

The Payment Application Qualified Security Assessor (PA-QSA) covers the PA-DSS requirements, sub-requirements, and associated testing procedures in depth.

  • PCI Industry Overview
    In depth coverage of the payment card industry, the terminology used to describe its key aspects, the flow of data through the various payment card mechanisms and the relationships between the various actors in the process
  • PCI Thresholds and Brand Specific Requirements
    Detailed coverage of the classifications and compliance requirements for merchants, service providers and vendors and the various specific requirements imposed by the various card brands
  • PCI Data Security Standard (DSS)
    In-depth training on every aspect of the current DSS including requirements, reasoning and what constitutes compliance with the requirement
  • PCI Code Review and Analysis
    In-depth training on executing code reviews and locating non PCI compliant constructs and procedures in applications that implement payment card processing systems
  • PCI Hardware and Communications Infrastructure
    In-depth training on the current state of typical devices and connectivity used by organizations to accept payment cards, and communicate with the verification and payment facilities
  • PCI Reporting
    In depth training on constructing and filing the necessary compliance reports and techniques for communicating results to those being audited

How to Prepare

Prior to attending a PA-QSA training session it is strongly recommended you familiarize yourself with the following publications available in the document library:

  • Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures
  • Payment Card Industry (PCI) Payment Application Data Security Standard – Requirements and Security Assessment Procedures
  • Payment Card Industry (PCI) Data Security Standard and Payment Application Data Security Standard Glossary of Terms, Abbreviations, and Acronyms
  • PA-QSA Qualification Requirements
  • Program Guide
  • ROV Reporting Template
  • Attestation of Validation
  • PA-DSS and Mobile Applications FAQs
  • Which Applications are Eligible for PA-DSS Validation
Training and Exam


This two-day classroom instruction provides:

  • In-person engagement and collaboration as well as networking opportunities
  • Ability to focus on curriculum in classroom setting
  • Learn directly from an expert PCI SSC trainer with hands-on experience assessing merchants and/or service providers

Attendance during the entire two day course is mandatory. Missing more than 30 minutes of the class will automatically result in forfeiture of the PCI SSC QSA exam and removal from the class.

Taking the exam - The certification exam is given immediately following the instructor-led course. The only document you will be allowed to reference during the testing is a translation dictionary, if needed. No electronic devices may be used during the exam. This is a closed book exam. The exam consists of 75 multiple choice questions and you will have 90 minutes to complete it.

The Primary Contact at the PA-QSA Company will be notified of results within two weeks after the candidate attends the instructor-led PCI PA-QSA training and exam. Employees who fail may retake the training and exam, upon payment of a re-test fee. For each attendee that passes the exam, the PA-QSA Company will receive a certificate that validates the employee for the next 12 months.

Note:  Hiring or employing a PA-QSA does not assume the Company has met all of the PCI SSC validation requirements.


In order to attend PA-QSA training your company must already be a validated PA-QSA Company and you must be a full time employee. Please see the QSA Validation Requirements - PA-QSA Supplement for more details.

All candidates must apply to the PA-QSA program and be approved by the PCI Council to participate in a training class. All training inquiries and assignments must be submitted through your company's assigned Primary Contact. Other requirements include:

  • Must be a QSA
  • Must have completed two PCI DSS assessments
  • Must have substantial application security knowledge and experience conducting application and code reviews, and/or demonstrated competence in cryptographic techniques

In order to maintain the high standards set for this certification, all PA-QSA employees must re-certify every 12 months in order to continue as a Payment Application Qualified Security Assessor for their PA-QSA company. Please note that annual PA-QSA requalification training will be held in an eLearning format only. All PA-QSA Program training attendees will be required to sign and accept the terms of the PCI SSC PA-QSA Employee Certification form at the time they begin the online training.

All training inquiries and assignments must be submitted through the PA-QSA company's primary contact. PCI SSC requires all training attendees to be full time employees of the PA-QSA company that they were initially hired by.

All requests for requalification must be submitted at least two weeks prior to the certificate expiration date. Please specify which two week session your employee(s) would like to be registered for or they will automatically be registered for the two week session prior to their expiration date. Attempting to recertify two weeks past the PA-QSA's annual expiration date will require the PA-QSA to attend New PA-QSA training.

Continuing Professional Education (CPE) Hours

PA-QSA candidate is required to submit proof of information systems assessment training within the last 12 months to support professional certifications of a minimum 20 Continuing Professional Education (CPE) hours per year and 120 Continuing Professional Education (CPE) hours over a rolling three year period.

  • Training provided by PCI SSC will count towards the annual CPE hours.
  • NEW PA-QSA 2015 is granted 11 CPE hours.
  • Requal PA-QSA 2015 Training is granted 7 CPE hours; prior to 2015 it is 5 CPE hours.
  • These must be included in the CPE report sent to the PCI SSC. They will not be added automatically.
  • Community Meetings  2011-2012 are worth 4 CPE hours; 2013- to present are worth 12 hours.
  • Click here for information on activities that qualify for CPE hours.
  • Refer to the Maintenance Guide for further information on activities that qualify.

For CPE hours please submit the following information and CPE hours using the CPE form (click here to download form) to coordinator@pcisecuritystandards.org:

  • Name
  • Title or Name of Program/Course
  • Date(s)
  • CPE Hours Earned (Click here for information on how to calculate CPE hours)

Any requalification training request sent without the PA-QSA’s CPE hours for the past 12 months will not be processed.

Request More Information

Upcoming Courses

No instructor-led classes are available for the balance of 2016. Please check back in late November for the 2017 schedule.

2016 PCI SSC PA-QSA Course Schedule

Annual PA-QSA requalification training fee is $1095 USD per Assessor

Please note: Unless otherwise specified, all fees are in US Dollars. All course fees are NON-TRANSFERABLE and NON-REFUNDABLE. An invoice will be issued upon completion of registration and will include instructions to pay by check, credit card or wire transfer.
Payment is required prior to beginning the course. Course conducted in English. Examination delivered in English.