Training FAQ

Training-Related Questions

Yes, the Council brings training directly to your company anywhere in the world for company or merchant-specific training sessions. Please contact us at training@pcisecuritystandards.org for further information about scheduling and costs.

PCI Fundamentals is the required prerequisite course for Internal Security Assessor, Qualified Security Assessor, and Point-to-Point Encryption Assessor training classes. For Internal Security and Qualified Security Assessors, it is a seven-hour online course; for Point-to-Point Encryption it is a two-hour online course, and it must be completed at least one week prior to the instructor-led session for each course.

No, you must be registered and have paid for the Internal Security Assessor, Qualified Security Assessor, and Point-to-Point Encryption Assessor training course in order to take the corresponding PCI Fundamentals prerequisite course.

Your company’s primary contact will receive an invoice for the requested course within three business days after the PCI Council receives the request. If the course you requested is no longer available, your company’s primary contact will be contacted to request a different course.

You will receive your credentials for the PCI eLearning course within three business days after the Council processes your payment.

For instructor-led courses, you should prepare by reviewing and familiarizing yourself with the associated PCI documents. For example, for the Qualified Security Assessor course we strongly recommend that you be familiar with the following documents before attending:

  • PCI DSS
  • Glossary of Terms, Abbreviations, and Acronyms v3.1

All PCI documents are in the Document Library. Please refer to individual course descriptions for specifics on required or recommended reading for each course.

There are no prerequisites to take the eLearning course and examination. However, the candidate should possess a minimum of two years of IT or IT-related experience and a base level of knowledge and awareness of information technology, network security and architecture, and payment industry participants.

Candidates for the PCI Professional course do not need to be IT specialists, but do need to have some familiarity with IT. We recommend two years’ experience in IT or IT-related positions so that candidates are familiar with IT terminology used in network security and architecture.

Yes, PCI Professionals may enhance their knowledge and continue on to become ISAs if they work for an organization that sponsors them for the Internal Security Assessor qualification. PCI Professional is the entry point for professionals to begin their PCI career. The required experience, professional background and privileges are preparatory to becoming an Internal Security Assessor. Conversely, because the training and knowledge base for an Internal Security Assessor exceeds that of a PCI Professional, an Internal Security Assessor may opt in to the PCI Professional program by paying a fee and attesting to the Code of Professional Responsibility.

Companies must have processes in place to train their employees and keep them up to date, must have an internal quality assurance program, and must have experience with installing the payment applications. Learn more about the Qualification Requirements.

Awareness training is more entry-level than the PCI Professional course and is suitable for anyone, at any level in an organization, who needs to know more about PCI. You will earn continuing education credits for the Awareness course, but there is no associated exam or qualification.

Company-Related Questions

Although your company may be compliant, it does not mean you are automatically a Participating Organization. To become a Participating Organization, your company needs to apply for entry into the program. In addition to receiving discounts on training courses, the program offers many other benefits.

The next step is for your company to apply to become an Internal Security Assessor Sponsor Company. There is no fee for the Sponsor Company application; there is a fee to send employees to training.

Learn more about Internal Security Assessor qualification requirements.

In order to have your company fully activated as a Sponsor Company, you must complete and submit an application. The review of the application may take up to four weeks.

Qualification Questions

The PCI Council has a strict grace period of 14 calendar days. If your certificate expired more than two weeks ago, you will be required to attend a new training session to reinstate your qualification. Please note: The PCI Council sends notifications to the primary contacts of each company on a monthly basis. These reminder emails include the names and expiration dates of those individuals whose certifications expire within the next sixty days. Regardless of the email reminders, it is the responsibility of the individual to request requalification training (through their company’s primary contact) each year.

Yes, if you are no longer an active Qualified Security Assessor, you are automatically no longer an active Payment Application Assessor.

If you attend Qualified Security Assessor training before your Payment Application Assessor certificate expires, your active Payment Application Assessor status can be reinstated as long as you are with an active company.

There can be several reasons a company would find itself without active qualified staff: in some cases the employee(s) have missed their requalification date; in other cases the employee has left the firm. Based on the requirement to ensure a minimum number of trained staff on hand, once the company is no longer meeting this requirement, the Council will deactivate the company. No prior notice may be sent for this action. Once a company is deactivated in our records, the company will also be removed from public listing pages such as the Qualified Security Assessor provider listing.

If a company is able to send an employee to training and meet this requirement, it would be reinstated to the website and given an active status. A fee will be charged to re-list a firm that has been previously removed.

Exam Questions

Yes, you must retake and pass the exam prior to the related course that follows it (instructor-led for Qualified Security and Point-to-Point Encryption Assessors, instructor-led or eLearning for Internal Security Assessors). If you are registered for a specific course and fail to retake PCI Fundamentals before that course, your payment will be forfeited.

  • If you are attending an Internal Security Assessor class and you fail PCI Fundamentals, you have two additional chances to retake it and pass.
  • If you are attending a Qualified Security Assessor class and you fail PCI Fundamentals, you have one additional chance to retake it and pass.
  • If you are attending a Point-to-Point Encryption Assessor class and you fail PCI Fundamentals, you have one additional chance to retake it and pass.

Results will be sent to your company’s primary contact within two weeks of course completion. Often results are sent within a few days of course completion.

After you have taken the Internal Security Assessor eLearning class, you will register to take the exam at a local Pearson VUE testing center. Specific instructions will be given at the time your eLearning registration is confirmed.

Results from eLearning exams are sent within one week after completing a course.

No, the PCI Council does not offer Continuing Education hours for the time you are taking a test.

The Pearson VUE testing center is run the same way for all certification tests; the representative will not be able to assist in translations once you have begun the test, and you will not be given additional time for the exam.

Your testing fee will be forfeited if you cancel your test reservation with less than 24 hours’ notice or if you fail to show up. If you cancel at least 24 hours prior to your testing time, you will be able to reschedule without a fee.

No. A candidate at an instructor-led course will take the exam as a part of the training course that they are attending.

If a student is a new ISA, new PCIP, or new QIR, he/she will be allowed to retake the exam at an additional cost. The retake will be administered through a Pearson VUE Testing Center. You will be allowed to retake only once. If you fail the retake, you will need to pay for and take either the instructor-led course or the eLearning course, and pass the subsequent exam.

The PCI SSC Assessor listing page for applicable programs is the authoritative listing for validating an Assessor’s current qualifications and certifications. These programs can be found by navigating to https://www.pcissc.org and clicking on the Assessors and Solutions drop-down for participant validation.