Qualified Security Assessor (QSA) Qualification

The Qualified Security Assessor course will teach you how to perform assessments of merchants and service providers who must comply with the PCI Data Security Standard. The course focuses on the 12 high level control objectives and corresponding sub-requirements that are required for compliance. 

Those who attend the training and pass the exam will be authorized to perform assessments and prepare appropriate compliance reports (such as Reports on Compliance (RoC)) required by payment card brands and acquiring banks.

Upon completion of the course, you’ll be able to define the processes involved in payment card processing, understand the PCI DSS requirements and testing procedures, conduct PCI DSS assessments, validate compliance, and generate reports.

Course Highlights

Qualified Security Assessor (QSA) training is a two-part program. The first is a five-hour prerequisite course and exam on PCI Fundamentals. It’s followed by an in-depth course and exam delivered virtually or in-person.

PCI Fundamentals assures that all candidates attending the QSA training course have the same baseline understanding.  The PCI Fundamentals course must be completed prior to the training class.

Candidates who successfully complete the prerequisite PCI Fundamentals course may move on to the QSA qualification course. This course builds on the knowledge gained in PCI Fundamentals and delves into the actual PCI DSS requirements, testing procedures, compliance reports and more. The Qualified Security Assessor course covers: 

  • Payment card industry overview.
    • Terminology, transaction data flow.
    • Relationships between various organizations in the process.
  • Payment card brand validation and reporting requirements.
  • PCI Data Security Standard (DSS).
    • Overview of each requirement and testing procedures.
  • PCI Hardware and Communications Infrastructure.
  • Overview of compliance issues and mitigation strategies.
  • Compensating controls.
  • PCI Reporting.

Right for You?

You are an experienced security professional who wishes to be certified as a QSA, and currently work full time for a validated QSA company. The QSA course requires prior certifications (CISSP, CISA or CISM – see registration page for full list). Typical job descriptions include:

  • Information Security Consultant.
  • Information Security Auditor.
  • Information Security Analyst.

Please contact your organization’s QSA Primary Contact to enroll in the QSA program.

Digital Badging

When you become a Qualified Security Assessor, display your digital badge and represent your skills and gives you a way to share your abilities online in a way that is simple, trusted and can be easily verified in real time.


  • 23 Jul 2024 Closed

    09:00-17:30 ET (13:00-21:30 UTC)

    Virtual Instructor-Led (vILT)

  • 5-6 Sep 2024

    09:00-17:30 (local time)

    Boston, MA

  • 18-19 Sep 2024

    19:00-03:30 ET (23:00-07:30 UTC) This class will be simultaneously translated into Japanese. Please note that for participants in Japan, this class begins at 8:00 JST on 19 September.

    Virtual Instructor-Led (vILT)

  • 1-2 Oct 2024

    09:00-17:30 (local time)

    Barcelona, ES*

  • 29 Oct 2024

    09:00-17:30 ET (13:00-21:30 UTC)

    Virtual Instructor-Led (vILT)

  • 12-13 Nov 2024

    09:00-17:30 (local time)

    Hanoi, VN

  • 3 Dec 2024

    09:00-17:30 ET (14:00-22:30 UTC)

    Virtual Instructor-Led (vILT)

Virtual Instructor-Led (vILT) classes are a combination of eLearning and a live webinar.

* Pricing for these classes does not include VAT, HST, etc.


Become an QSA when you take this class and become qualified.


Course Price

New QSA training (In person or eLearning)

$3,300 USD

Requalification QSA training

$2,000 USD

Requalification QSA training (Japanese Language)

$2,650 USD

Training class change fee

$185 USD

Please note: Unless otherwise specified the training and exam will be delivered in English.

Price does not include any applicable VAT/HST/GST which will appear on your invoice. 

* Not including VAT


Your organization must be an QSA company to register candidates for QSA training.

How to Prepare for the Exam

Prior to beginning the PCI Fundamentals training, you should familiarize yourself with these publications on the PCI website:

  • PCI Glossary
  • PCI DSS Self-Assessment Questionnaire (SAQ)
  • Attestation of Compliance (AOC)
  • ROC Reporting for PCI DSS
  • PCI SSC Frequently Asked Questions (FAQs)

The PCI Fundamentals online course must be completed prior to the start of your training class.

Training Formats and Exam Information

New Training Offerings:

All offerings will include a 5-hour online prerequisite Fundamentals course followed by a 60-question multiple-choice exam. Two attempts to pass Fundamentals will be allowed.

  • Instructor-led training (ILT): In-person, instructor-led classroom training with an exam to follow.
  • Virtual Instructor-led training (vILT): Combination online training and instructor-led webinar with an exam offered via Pearson Vue within 30 days of webinar.
  • Please see Schedule tab for dates of ILT and vILT training

New Exam Specifics:

  • All exams are closed book.
  • Exam is 60 multiple choice questions with a 90-minute time limit.
  • Results of in person exams are delivered within 10 business days.
  • Results of Pearson Vue exams are delivered upon completion of the exam.
  • 75% or higher to pass the exam; the only information that can be released concerning exams is your grade.
  • If you fail the exam, your primary contact must register you for New QSA training again.

Registration Process

In order to attend a QSA training class, your company must already be a validated QSA Company and you must be a full time employee. Please see the Qualification Requirements for Qualified Security Assessors (QSAs) for more details.

To start the registration process, your Primary Contact must enroll you for QSA training via the online Portal. If you have any questions about the registration process, please contact QSA@pcisecuritystandards.org.

  • Name of candidate.
  • Location and Date of desired QSA training.
  • Candidate’s company email address, country of residence, and native language.
  • QSA candidate’s resume must be able to show:
    • Possess at least one of the following accredited, industry-recognized professional certifications from each list*:
    • List A – Information Security
      • – (ISC)2 Certified Information System Security Professional (CISSP)
      • – ISACA Certified Information Security Manager (CISM)
      • – Certified ISO 27001 Lead Implementer 1
      • (METI) Registered Information Security Specialist (RISS)
    • List B – Audit
      • – ISACA Certified Information Systems Auditor (CISA)
      • – GIAC Systems and Network Auditor (GSNA)
      • – Certified ISO 27001, Lead Auditor, Internal Auditor 1
      • – IRCA ISMS Auditor or higher—e.g., Auditor/Lead Auditor, Principal Auditor
      • – IIA Certified Internal Auditor (CIA)
    • Minimum of one year of experience in EACH of the following security disciplines:
      • Application security.
      • Information systems security.
      • Network security.
      • IT security auditing.
      • Information security risk assessment or risk management.
  • All QSA program training attendees must accept and sign the PCI SSC Code of Professional Responsibility and submit at the training session.
  • An invoice will be issued upon completion of registration and will include instructions to pay by check, credit card or wire transfer.
  • Training registration will close 14-days prior to the instructor-led training.
  • All QSA program training attendees must accept and sign the PCI SSC Code of Professional Responsibility and submit at the training session.
  • An invoice will be issued upon completion of registration and will include instructions to pay by check, credit card or wire transfer.

*For additional information on this requirement, please review section 3.2.1 of the QSA Qualification Requirements.

Requalification Requirements

In order to maintain the high standards set for this qualification, all QSA employees must re-qualify every 12 months in order to continue as a Qualified Security Assessor. All QSA Program training attendees will be required to sign and accept the terms of the PCI SSC Code of Professional Responsibility at the time they begin the online training.

All training inquiries and assignments must be submitted through the QSA Company’s Primary Contact. PCI SSC requires all training attendees to be full time employees of the QSA Company that is submitting them for requalification training.

Requalification specifics:

  • Approved assessors are allowed to register for requalification training as early as 90 days prior to their expiration date. Once registered, they will receive immediate access to the eLearning training.
  • Registration must be submitted no later than the candidate’s expiration date.
  • Exam access is given no earlier than four (4) weeks prior to expiration date AND invoice is paid.
  • An Assessor who is not registered for requalification training before midnight Eastern Time on their qualification expiration date, or who does not achieve a passing score on the exam by the end of their qualification period, will be required to re-enroll as a new candidate.

Requalification exam:

  • Non-proctored remote exam
  • 60 multiple choice questions with a 75-minute time limit.
  • 75% or higher to pass the exam; the only information that can be released concerning exams is the grade.
  • If you fail the exam, please have the primary contact email coordinator@pcisecuritystandars.org for the next steps.
  • For further details regarding Requalification please review section 6.1.1 of the Qualified Security Assessors Program Guide.


Please log into the PCI Portal to start the requalification process.

I thought the instructor was excellent and his insights and experience greatly helped towards the overall understanding.

It was very useful to see the QSA role from the perspective of the assessor rather than from the customer's viewpoint.

The way that the instructor was able to cover a vast amount of material in a relatively short time and make us remember it - without the training it would have taken weeks and weeks to get the same level of understanding.