
Internal Security Assessor (ISA) ™

About the Course

The PCI SSC Internal Security Assessor (ISA) Program provides large merchants, acquiring banks, and processors the opportunity to build their internal PCI Security Standards expertise and strengthen their approach to payment data security, as well as increase their efficiency in compliance with the PCI Data Security Standards.

Employee Education is the Best Defense for Protecting your Organization’s Data Assets.

To address concerns about PCI compliance and card data security, the PCI Security Standards Council operates the Internal Security Assessor Program to assist firms seeking to educate their employees on PCI security and compliance regulations. The program trains, tests, and certifies organizations and individuals to assess and validate adherence to PCI Security Standards.

Who Should Attend:

ISA training is intended primarily for individuals who already possess significant relevant security audit and assessment experience (including but not limited to Network Security, Application Security and Consultancy, System Integration, and Auditing).

The Format:

The Council recognizes that students may prefer different learning environments and offers ISA training in two formats: Instructor-Led (ILT) and online eLearning. Same content. Same qualification. You decide what’s best for you.


Two-day classroom instruction provides:

  • In-person engagement and collaboration as well as networking opportunities
  • Ability to focus on curriculum with fewer distractions in classroom setting
  • Learn directly from an expert PCI SSC trainer with hands-on experience assessing merchants and/or service providers

Taking the exam - Upon completion of the instructor-led curriculum, the student will take the certification exam immediately following the course. 

Please note - Attendance during the entire two-day PCI SSC ISA instructor-led training class is mandatory. Missing more than 30 minutes of the class will automatically result in forfeiture of the PCI SSC ISA exam and removal from the class.

Instructor-Led Training is also provided by PGTN Providers in certain regions.

Upon completion of the instructor-led curriculum, candidates attending a PGTN class will take the exam at an authorized Pearson VUE Testing Center.


This self-paced eLearning course offers:

  • Flexible scheduling 24/7/365
  • An environment conducive to learning from the comfort of your home or office
  • Reduction in travel costs and time away from work

Taking the exam - Upon completion of the eLearning curriculum, the student will take the qualification exam at one of over 4,000 Pearson VUE Testing Centers worldwide. The student will receive a voucher number to be redeemed in Pearson VUE’s online registration system, allowing him/her to select the location and time where he/she will take the exam at the PVTC. This provides individuals in any country an opportunity to train for and take the exam at their convenience and at a location close to home or work.

PCI Fundamentals Course:

The PCI Fundamentals Course is an online prerequisite course that must be completed prior to the start of either the Instructor-Led or eLearning ISA training. PCI Fundamentals is a seven-hour online training course and exam and is included in the cost of the ISA training. Once the candidate is registered by the Primary Contact for the on-site instructor-led session (including PGTN Instructor-Led Training) or eLearning course, an invoice for the full amount of the course will be issued to the Primary Contact. Once the invoice has been paid, login credentials for the PCI Fundamentals prerequisite course will be emailed to the candidate with instructions on how to complete the course.

Once the candidate has completed the PCI Fundamentals training and exam, the Primary Contact will be notified of either a passing or failing grade. If the candidate failed the exam, he or she will be allowed two additional attempts to take and pass without being charged an additional fee. Depending on which format the candidate is registered for, the following will transpire:

Instructor-Led Training-

Once the candidate passes the exam, the candidate's seat will be confirmed for training and a confirmation email will be sent to the Primary Contact with complete location details. As an ISA candidate, your seat is not confirmed until your Primary Contact receives a confirmation email.

PCI Fundamentals must be successfully completed one week prior to the start of the on-site training.


Once the candidate passes the exam, the candidate will receive a link to the online training course.

The PCI Fundamentals course must be completed within thirty days of initial access.

Please note - If the candidate receives three failing grades for the PCI Fundamentals prerequisite course, his or her seat at the instructor-led session will be forfeited or, if taking the eLearning course, he or she will not gain access to the online session. If he or she wishes to try again, the candidate will be required to pay the full course fee for a second time and receive a passing grade in the PCI Fundamentals course. There will be no exceptions made and by paying the invoice, you agree to these terms.

"The instructor did an excellent job, I highly recommend him for all future trainings." - Hannalore Murray, Market America

"Loved the training. I learned a lot and made many notes on what I need to do for 2013 SAQ." - Paul R Plutae, ACG Texas, LP

"PCI isn't the most exciting or entertaining material. With the instructor's humor and real world experience, learning PCI and how to be an ISA was a good experience." - Nolan, Liberty Mutual


The PCI Security Standards Council (the "Council") provides a variety of tools, questionnaires, guidance, FAQs, training resources and other materials and information to assist organizations seeking to achieve compliance with its standards (the "Standards"). Third party products and services are also available, but the Council does not endorse or recommend any such third party products or services, and advises all organizations seeking to achieve compliance to become familiar with the Standards and related requirements before purchasing third party products or services. Ultimately, all applicable requirements must be met in order to achieve compliance, regardless of whether or what third party products or services are used.