Text size Increase Font-SizeDecrease Font-SizeReset Font-Size

Qualified Security Assessor (QSA) ™

About the Course

The New QSA course consists of two parts: an on-line course including a fifty question multiple choice exam and a two-day instructor-led session ending with a seventy-five question multiple choice exam.

To register a candidate for a New QSA training course, the primary contact of the QSA Company must first submit a resume to the Training Coordinator for review with a request for registration in a specific on-site training session. After the resume has been approved, the candidate will be registered for the on-site instructor-led session that the Primary Contact requested. An invoice for the full amount of the course will be issued to the Primary Contact and once it has been paid, login credentials for the online prerequisite course PCI Fundamentals will be emailed to the candidate with instructions on how to complete the course. The PCI Fundamentals Course is a seven hour online training course and exam that is required to be successfully completed one week prior to the start of the on-site instructor-led QSA session.

Once the candidate has completed the PCI Fundamentals training course and exam, the Primary Contact will be notified of either a passing or failing grade. If the candidate failed the exam, he or she will be allowed one additional attempt to take the exam and pass without being charged an additional fee. If the candidate passed the exam, the candidate’s seat will be confirmed and a confirmation email will be sent to the Primary Contact with complete location details. As a QSA candidate, your seat is not confirmed until your Primary Contact receives a confirmation email.

If the candidate receives a failing grade for the PCI Fundamentals course, his or her seat at the instructor-led session will be forfeited. If he or she wishes to try again, the candidate will be required to pay the full course fee for a second time and receive a passing grade in the PCI Fundamentals course to be allowed to attend the two-day instructor-led session. There will be no exceptions made and by paying the invoice, you agree to these terms.


At this time PCI SSC does not offer QSA certifications to individuals who do not work for validated QSA Companies. You must be a full time employee of a QSA Company in order to attend QSA Training and be certified as a QSA. Please refer to the PCI Awareness Training page for an optional training opportunity that may meet your needs.

In order to attend any of the above trainings your company must already be a validated QSA Company. Please see the Qualification Requirements for Qualified Security Assessors (QSAs) v2.0. for more details.

If you are preparing to attend PCI QSA requalification training, please be aware of the required documentation that your primary contact will need to submit on your behalf.

NEW QSA training documentation requirements:

  • All training inquiries and assignments must be submitted through the QSA company's primary contact.
  • PCI SSC requires all training attendees to be full time employees of a Validated QSA company.
  • Required Documentation: QSA candidate's resume must show the following1:
    • Candidate possesses at least one of the following industry-recognized professional certifications:
      • Certified Information System Security Professional (CISSP)
      • Certified Information Security Manager (CISM)
      • Certified Information Systems Auditor (CISA)
      • GIAC Systems and Network Auditor (GSNA)
      • Certified ISO 27001, Lead Auditor, Internal Auditor
      • International Register of Certificated Auditors (IRCA)
      • Information Security Management System (ISMS) Auditor
      • Certified Internal Auditor (CIA)
    • Candidate possesses a minimum of one year of experience in each of the following information security disciplines:
      • Application security
      • Information systems security
      • Network security
      • IT security auditing
      • Information security risk assessment or risk management
    • Successful completion of PCI Fundamentals one week prior to the start of on-site training.
  • All QSA Program training attendees must accept and sign the PCI SSC Individual Security Assessor Attestation  and submit at the training session.
  • The only document that attendees will be allowed to reference during the test is a translation dictionary if needed.

1 Prior to January 1, 2016 candidates are only required to provide either 1.) CISSP, CISA, or CISM Certificate OR 2.) Five years of IT Security experience in a resume format.

I thought the instructor was excellent and his insights and experience greatly helped towards the overall understanding.Janet Edwards, K3DES, LLC

It was very useful to see the QSA role from the perspective of the assessor rather than from the customer's viewpoint.Chris Leppard, Trustwave

The way that the instructor was able to cover a vast amount of material in a relatively short time and make us remember it - without the training it would have taken weeks and weeks to get the same level of understanding.David Newman, TELUS Security Solutions

Back to Top

The PCI Security Standards Council (the "Council") provides a variety of tools, questionnaires, guidance, FAQs, training resources and other materials and information to assist organizations seeking to achieve compliance with its standards (the "Standards"). Third party products and services are also available, but the Council does not endorse or recommend any such third party products or services, and advises all organizations seeking to achieve compliance to become familiar with the Standards and related requirements before purchasing third party products or services. Ultimately, all applicable requirements must be met in order to achieve compliance, regardless of whether or what third party products or services are used.