The Payment Application Qualified Security Assessor curriculum teaches you to perform assessments of third-party developed payment applications to ensure compliance with the Payment Application Data Security Standard (PA-DSS). With this training course, you will become an expert on the requirements for PA-DSS compliance and help ensure the consistent, proper application of security measures and controls for payment applications.
Upon completion of the course, you’ll be able to:
You are a current QSA who is employed by a QSA company performing assessments of third-party payment applications for compliance with PA-DSS. Typical job titles include: Managing Director of Compliance Services, Practice Lead Security Assessor, Senior Security Consultant, Information Security Analyst, and Information Security Auditor.
“I thought the instructor was excellent and his insights and experience greatly helped towards the overall understanding.”
“It was very useful to see the QSA role from the perspective of the assessor rather than from the customer's viewpoint.”
“The way that the instructor was able to cover a vast amount of material in a relatively short time and make us remember it - without the training it would have taken weeks and weeks to get the same level of understanding.”
The Payment Application Qualified Security Assessor (PA-QSA) covers the PA-DSS requirements, sub-requirements, and associated testing procedures in depth.
Prior to attending a PA-QSA training session it is strongly recommended you familiarize yourself with the following publications available in the document library:
This two-day classroom instruction provides:
Attendance during the entire two day course is mandatory. Missing more than 30 minutes of the class will automatically result in forfeiture of the PCI SSC QSA exam and removal from the class.
Taking the exam - The certification exam is given immediately following the instructor-led course. The only document you will be allowed to reference during the testing is a translation dictionary, if needed. No electronic devices may be used during the exam. This is a closed book exam. The exam consists of 75 multiple choice questions and you will have 90 minutes to complete it.
The Primary Contact at the PA-QSA Company will be notified of results within two weeks after the candidate attends the instructor-led PCI PA-QSA training and exam. Employees who fail may retake the training and exam, upon payment of a re-test fee. For each attendee that passes the exam, the PA-QSA Company will receive a certificate that validates the employee for the next 12 months.
Note: Hiring or employing a PA-QSA does not assume the Company has met all of the PCI SSC validation requirements.
In order to attend PA-QSA training your company must already be a validated PA-QSA Company and you must be a full time employee. Please see the QSA Validation Requirements - PA-QSA Supplement for more details.
All candidates must apply to the PA-QSA program and be approved by the PCI Council to participate in a training class. All training inquiries and assignments must be submitted through your company's assigned Primary Contact. Other requirements include:
In order to maintain the high standards set for this certification, all PA-QSA employees must re-certify every 12 months in order to continue as a Payment Application Qualified Security Assessor for their PA-QSA company. Please note that annual PA-QSA requalification training will be held in an eLearning format only. All PA-QSA Program training attendees will be required to sign and accept the terms of the PCI SSC PA-QSA Employee Certification form at the time they begin the online training.
All training inquiries and assignments must be submitted through the PA-QSA company's primary contact. PCI SSC requires all training attendees to be full time employees of the PA-QSA company that they were initially hired by.
All requests for requalification must be submitted at least two weeks prior to the certificate expiration date. Please specify which two week session your employee(s) would like to be registered for or they will automatically be registered for the two week session prior to their expiration date. Attempting to recertify two weeks past the PA-QSA's annual expiration date will require the PA-QSA to attend New PA-QSA training.
PA-QSA candidate is required to submit proof of information systems assessment training within the last 12 months to support professional certifications of a minimum 20 Continuing Professional Education (CPE) hours per year and 120 Continuing Professional Education (CPE) hours over a rolling three year period.
Any requalification training request sent without the PA-QSA’s CPE hours for the past 12 months will not be processed.
The Council has scheduled two-day instructor-led classes in various locations worldwide. See schedule below.