Associate QSA (AQSA) Qualification
The Associate QSA (AQSA) Program prepares you to support and learn from Qualified Security Assessors (QSAs) as they perform assessments of merchants and service providers who must comply with the PCI Data Security Standard (PCI DSS).
AQSA candidates follow the same training path as QSAs, and the course focuses on the 12 high-level control objectives and corresponding sub-requirements that are required for PCI DSS compliance.
Split into two parts, the course consists of an online component and a two-day instructor-led session covering the processes involved in payment card processing, PCI DSS requirements and testing procedures, how to conduct PCI DSS assessments, validate compliance and generate reports. Upon successful completion of the training and exam, trainees are equipped to assist in conducting PCI DSS assessments and preparing appropriate compliance reports with the oversight of a QSA mentor at their QSA Company.
- View Training Schedule
- AQSA Program FAQ
- More About QSA on the Blog
- Request More Information
How to Prepare
Qualified Security Assessor (QSA) training is a two-part program. The first is a seven-hour prerequisite course and exam on PCI Fundamentals. It’s followed by an in-depth, two-day instructor-led course and exam.
PCI Fundamentals ensures that all candidates attending the QSA training course share the same baseline understanding. The PCI Fundamentals course must be completed within thirty days of initial access and at least one week before the start of an on-site training class. This prerequisite course covers:
- Understanding the Payment Card Industry Security Standards Council and its role
- Defining the processes involved in card processing
- PCI roles and responsibilities
- Understanding cardholder data
- Defining network segmentation
- PCI DSS assessments
Candidates who successfully complete the prerequisite PCI Fundamentals course may move on to the QSA qualification course. This course builds on the knowledge gained in PCI Fundamentals and delves into the actual PCI DSS requirements, testing procedures, compliance reports and more. The Qualified Security Assessor course covers:
- Payment card industry overview
- Terminology, transaction data flow
- Relationships between various organizations in the process
- Payment card brand validation and reporting requirements
- PCI Data Security Standard (DSS)
- Overview of each requirement and testing procedures
- PCI Hardware and Communications Infrastructure
- Overview of compliance issues and mitigation strategies
- Compensating controls
- PCI Reporting
The instructor-led course also includes case studies that simulate assessment scenarios, to help you work through the common problems you will encounter when assessing a client's payment environment.
Right for You?
The AQSA program is for experienced security professionals who work full-time for a validated QSA Company but do not yet meet the industry certification requirement to apply for full QSA status. It provides an opportunity to learn on the job under a formal mentorship program driven by active QSA professionals.
Please contact your organization’s QSA Primary Contact to enroll in the AQSA program.
27-28 Feb 2023
29 Mar 2023 (Closed)
22-23 May 2023
Remote classes are a combination of eLearning and a live webinar.
Become an AQSA when you take this class and become qualified.
New AQSA training (In person or eLearning)
Requalification AQSA training
Requalification AQSA training (Japanese Language)
Please note: Unless otherwise specified, the training and exam are delivered in English. Prices do not include any applicable VAT/HST/GST, which will appear on your invoice.
Your organization must be a validated QSA Company to register candidates for AQSA training.
How to Prepare for the Exam
Prior to beginning the PCI Fundamentals training, you should familiarize yourself with these publications on the PCI website:
- PCI Glossary
- PCI DSS
- PCI DSS Self-Assessment Questionnaire (SAQ)
- Attestation of Compliance (AOC)
- ROC Reporting for PCI DSS
- PCI SSC Frequently Asked Questions (FAQs)
- PCI Approved Scanning Vendors Program Guide
The PCI Fundamentals online course must be completed prior to the start of your training class.
Exam Information – PCI Fundamentals
The online prerequisite course concludes with a 60-question multiple-choice exam. Once the candidate has completed the PCI Fundamentals training and exam, the Primary Contact will be notified of either a passing or failing grade. A candidate who fails the exam is allowed one additional attempt to take and pass it without being charged an additional fee.*
*If the candidate receives a failing grade for the PCI Fundamentals course after the second attempt, his or her seat at the instructor-led session will be forfeited. If he or she wishes to try again, the candidate will be required to pay the full course fee for a second time and receive a passing grade in the PCI Fundamentals course to be allowed to attend the two-day instructor-led session. There will be no exceptions made and by paying the invoice, you agree to these terms.
Exam Information – Instructor-led QSA Qualification Course
This two-day classroom instruction provides:
- In-person engagement and collaboration as well as networking opportunities
- Ability to focus on curriculum in classroom setting
- Direct instruction from an expert PCI SSC trainer with hands-on experience assessing merchants and/or service providers
Attendance during the entire two-day course is mandatory. Missing more than 30 minutes of the class will automatically result in forfeiture of the PCI SSC QSA exam and removal from the class.
Taking the exam – The certification exam is given immediately following the instructor-led course. The only document you will be allowed to reference during the testing is a translation dictionary, if needed. No electronic devices may be used during the exam. This is a closed book exam. The exam consists of 75 multiple choice questions and you will have 90 minutes to complete it.
The Primary Contact at the QSA Company will be notified of results within two weeks after the candidate attends the instructor-led PCI QSA training and exam. Employees who do not meet the minimum passing score set by the PCI SSC may retake New QSA training and exam, upon registration and payment of a new invoice. For each attendee that passes the exam, the QSA Company will receive a certificate that validates the employee for the next 12 months. There will be no exceptions made and by paying the invoice, you agree to these terms.
Note: Hiring or employing a QSA does not by itself mean the company has met all of the PCI SSC validation requirements.
In order to attend a QSA training class, your company must already be a validated QSA Company and you must be a full-time employee. Please see the Qualification Requirements for Qualified Security Assessors (QSAs) v3.0 for more details.
In order to register, work with your organization's QSA Primary Contact to submit an AQSA application through the PCI Portal. Required information will include:
- Legal name of candidate
- Location and Date of desired QSA training
- Candidate’s company email address, country of residence, and native language
- AQSA candidate’s resume must be able to show possession of a university or college diploma OR possess a minimum of two years’ experience in an Information Security or IT-related field.
- All QSA program training attendees must accept and sign the PCI SSC Code of Professional Responsibility and submit it at the training session.
An invoice will be issued to the QSA primary contact upon completion of registration and will include payment instructions.
In order to maintain the high standards set for this qualification, all Assessor employees must requalify every 12 months in order to continue as an Associate Qualified Security Assessor. All QSA Program training attendees will be required to sign and accept the terms of the PCI SSC Code of Professional Responsibility at the time they begin the online training.
Assessors must complete registration for requalification training (and be approved, where applicable) prior to their qualification expiration date. An Assessor who is not registered prior to that expiration date must re-enroll as a new candidate. A two-week grace period is provided beyond the expiration date in order to complete requalification training after the Assessor is successfully registered. However, candidates are not qualified by PCI SSC during this time and will not be requalified until the requalification exam is successfully completed. The grace period only applies if the candidate has been enrolled for requalification by their expiration date; it cannot be used for registration after the QSA expiration date. For further details regarding requalification, please review section 6.1.1 of the Qualified Security Assessors Program Guide.
Continuing Professional Education (CPE) Hours
Before registering for requalification training, AQSA candidates are required to submit proof of information systems assessment training completed within the past 12 months, meeting a minimum of 20 Continuing Professional Education (CPE) hours per year and 120 CPE hours over a rolling three-year period. Training provided by PCI SSC counts towards the annual CPE hours. See the CPE Maintenance Guide for additional information on eligible activities.
Each AQSA candidate should enter their CPEs in the PCI Portal. Once completed, the QSA primary contact will be notified and must log into the portal to provide their approval. Once the CPE submission is approved, the candidate will then be automatically enrolled in requalification training, and a training invoice will be issued to the primary contact.
Candidate CPEs must be approved and their training registration must be complete prior to their certificate's expiry date. Candidates must complete the training and exam no later than the end of their grace period (14 days after their expiration date). If a candidate does not complete requalification, their training fee and AQSA status are forfeited.
Note: Payment of the training invoice must be received before the candidate can access the requalification exam.
Note: AQSA professionals are not considered active during their grace period unless and until they successfully complete the requalification exam.
It was very useful to see the QSA role from the perspective of the assessor rather than from the customer's viewpoint.
Chris Leppard, Trustwave
The way that the instructor was able to cover a vast amount of material in a relatively short time and make us remember it - without the training it would have taken weeks and weeks to get the same level of understanding.
David Newman, TELUS Security Solutions
Frequently Asked Questions
How long does it take to become a PCI QSA?
The time elapsed from application submission to a new QSA being listed on the PCI Security Standards Council website is estimated at three months.
How do I get QSA certified?
The PCI Council requires all training attendees to be full-time employees of a validated QSA Company. The security professional must then complete the application process with the PCI Council, attend and pass the Council's two-day QSA training course and its closed-book exam, and receive official certification.
How many PCI QSAs are there?
When you need a Qualified Security Assessor (QSA) for your annual PCI DSS assessment, you will find plenty to choose from. As of this writing, the PCI Security Standards Council lists 385 QSA companies worldwide, and more than 180 PCI QSAs are doing business in the United States alone.
Do you need a QSA?
Any company that accepts credit or debit card payments must either complete an annual Self-Assessment Questionnaire (SAQ) or be assessed by a QSA to remain compliant with the PCI DSS. Only Level 1 merchants, or those that have suffered a significant breach of cardholder data, are required to use a QSA.
What is a QSA assessment?
A PCI DSS QSA assessment (or Level 1 assessment) is an on-site inspection and assessment of an organization's cardholder data environment (CDE) for compliance with PCI DSS. It concludes with the official documentation of proof, the Report on Compliance (ROC), which the QSA prepares at the end of the assessment.
Is the PCI QSA exam open book?
No. It is a closed-book exam of 75 multiple-choice questions, and you will have 90 minutes to complete it. The Primary Contact at the QSA Company will be notified of results within two weeks after the candidate attends the instructor-led training and exam.
How much does it cost to become a PCI QSA?
| Item | Fee |
| --- | --- |
| Regional Requalification Fee (USA) | $13,200 USD |
| New QSA training (In person or eLearning) | $3,300 USD |
| Requalification QSA training | $2,000 USD |
How long is the Associate QSA certification good for?
The certification is good for 12 months. At that time, Associate QSAs will need to requalify to maintain their status as an Associate QSA and their listing on the PCI SSC website.
Why is a QSA important?
A QSA Company helps organizations like yours through the process of achieving compliance. It guides you through the process and helps ensure the implementation of industry best practices and security controls.
What is a Qualified Security Assessor (QSA)?
A Qualified Security Assessor (QSA) is an individual certified by the PCI Security Standards Council to test and validate an organization's compliance with PCI DSS.
How do I become PCI compliant?
- Identify your compliance 'level'
- Complete a self-assessment questionnaire (SAQ) or Complete an annual Report on Compliance (ROC)
- Complete a formal attestation of compliance (AOC)
- Complete a quarterly network scan by an Approved Scanning Vendor (ASV)
- Submit the documents.
What are the PCI DSS merchant levels?
Level 1: merchants that process over 6 million card transactions annually. Level 2: merchants that process 1 to 6 million transactions annually. Level 3: merchants that process 20,000 to 1 million transactions annually. Level 4: merchants that process fewer than 20,000 transactions annually.
Which PCI SAQ do I need?
Ultimately, you must choose the SAQ that is right for your processing environment, but generally speaking, SAQ A is for e-commerce and mail/telephone-order (card-not-present) merchants that have fully outsourced all cardholder data functions.
What is a merchant level 4 business?
A level 4 merchant accepts or processes fewer than 20,000 Visa or Mastercard e-commerce transactions, or up to 1 million total transactions, annually. Validation consists of a Self-Assessment Questionnaire (SAQ), a quarterly network scan by an Approved Scanning Vendor (ASV), and an Attestation of Compliance (AOC) form.
Whether you validate with SAQ D or a ROC, you still need to comply with all applicable PCI DSS requirements, which can include 300+ security controls, data encryption standards, formal policies, vulnerability scans, and (for a ROC) an assessment by a QSA.
Do you need PCI?
Any business that transmits, stores, handles, or accepts payment card data, regardless of size or processing volume, must comply with the PCI DSS. Even if you only process three card transactions a month, you must comply.
What is the difference between an AOC and a ROC?
A ROC (Report on Compliance) documents the assessment that determines PCI DSS compliance. An Attestation of Compliance (AOC) confirms that the ROC is accurate. The ROC must be completed before the AOC, which is the last step in the compliance process. Both are required to prove compliance with the standard.
Which reports are reviewed by a QSA as an overall compliance audit?
A PCI DSS Report on Compliance (ROC) is required of organizations with large transaction volumes. It must be completed by a QSA, who issues a formal report attesting that your organization is in full compliance; the ROC and its AOC are submitted to your acquiring bank or payment brand, not to the PCI SSC.
What requirements does PCI DSS cover?
The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to the cardholder data environment. If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS.
PCI DSS certification
PCI certification ensures the security of card data at your business through a set of requirements established by the PCI SSC. These include a number of commonly known best practices, such as installation of firewalls, encryption of data transmissions, and use of anti-virus software.
The qualification exam is administered at a Pearson VUE test center. You will have 90 minutes to complete 75 multiple-choice questions. No electronic devices may be used during the closed-book exam.
The Payment Card Industry Professional (PCIP) is an individual certification in payment security that provides you with the tools to help your organization build a secure payment environment.
What is an Approved Scanning Vendor?
An Approved Scanning Vendor (ASV) is an organization approved by the PCI SSC to determine whether an entity meets the PCI DSS external vulnerability scanning requirement. ASVs scan an organization's internet-facing networks and websites from the outside looking in, as an attacker would see them. These are automated vulnerability scans, not penetration tests; PCI DSS requires penetration testing as a separate activity.
How long does it take to get a PCI certificate?
PCI compliance validation can take anywhere from a day to two weeks, depending on the size of the environment and whether you validate by SAQ or by a QSA assessment.
How long does PCI certification last?
Compliance is validated annually: a self-assessment (or QSA assessment) must be completed every year, and an external vulnerability scan must be performed at least quarterly by an Approved Scanning Vendor (ASV). Smaller entities that process fewer than 20,000 transactions a year must remain PCI compliant at all times, but are generally not required to file reports unless their acquirer asks for them.
How much does an ASV scan cost?
| Price Per Year | $81.90 per year | $188 (per IP address) |
| Unlimited, On-Demand Scanning | Yes | Yes |
| Automated Scan Frequency Options | Daily, Weekly, Monthly, or Quarterly | Daily, Weekly, Monthly, or Quarterly |
The Qualified Security Assessor course will teach you how to perform assessments of merchants and service providers who must comply with the PCI Data Security Standard.
How often are PCI audits required?
The PCI Data Security Standard (PCI DSS) requires that all Level 1 merchants (those with more than 6 million card transactions per year) undergo a yearly on-site assessment conducted by a Qualified Security Assessor (QSA) or a trained Internal Security Assessor (ISA).
How long must a QIR professional keep documented evidence of a qualified installation?
For a minimum of three (3) years, QIR Companies must secure and maintain documented evidence (whether in digital or hard copy format) substantiating all services, including but not limited to copies of any and all case logs, configuration and other installation results, work papers, notes and technical information ...
What is PA-DSS?
PA-DSS applies to software vendors and businesses that develop payment applications that store, process, or transmit cardholder data. The standard is required when payment applications are sold, distributed, and/or licensed to third parties. Note that the PA-DSS program has since been retired in favor of the PCI Software Security Framework (SSF).
What is Level 1 PCI compliance?
Simply stated, PCI DSS Level 1 is the highest merchant compliance level. It applies to any merchant that processes more than 6 million Visa transactions per year and carries the most stringent validation requirements, including an annual on-site assessment and Report on Compliance.
What does PCI SSC stand for?
PCI SSC stands for the Payment Card Industry Security Standards Council, the body that maintains the PCI standards and publishes the PCI Glossary of terms, abbreviations and acronyms.
What is a PCI SSC Approved Scanning Vendor?
An ASV (Approved Scanning Vendor) is an organization approved by the PCI SSC (Payment Card Industry Security Standards Council) to carry out external vulnerability scanning. These are automated tests that scan target networks and systems for security vulnerabilities.
How do I become a PCI ASV?
A prospective ASV must first review the Approved Scanning Vendors (ASVs) Program Guide and then register for the testing process, providing administrative information and technical details and submitting an attestation of compliance with the Qualification Requirements for Approved Scanning Vendors (ASVs) v3.
Why is PCI certification important?
It protects your customers' card data and reduces the risk of a data breach. It helps prepare your organization to detect and prevent both physical and network-based attacks. It boosts customer confidence in paying by card. It provides a recognized security standard for your organization to follow.
How long is the PCI ISA training?
The two-part ISA training consists of a five-hour online prerequisite course (PCI Fundamentals) and exam, followed by the ISA qualification course and exam.
What happens if you fail PCI compliance?
Non-compliance can lead to many different consequences, such as monthly penalties, data breaches, legal action, reputational damage, and revenue loss. Penalties for non-compliance are commonly cited as ranging from $5,000 to $100,000 per month, levied by the payment brands (Visa, Mastercard, Discover, American Express) through the acquiring bank.
Can I do my own PCI compliance?
To become PCI compliant, a business typically must do three things: meet the requirements set out by the Payment Card Industry Security Standards Council, complete an assessment that shows how secure the business's systems and practices are, and attest to the result. Most small businesses can perform a self-assessment.
How do I complete a SAQ?
First, determine the applicable SAQ for your environment. Confirm that your environment's scope is appropriately defined and meets the eligibility criteria for the SAQ you are using. Assess your environment for compliance with the PCI DSS requirements applicable to that SAQ, then fill out all required sections of the form.
Who can fill out a PCI SAQ?
According to the PCI Data Security Standard (DSS), merchants that process fewer than 6 million transactions annually generally validate by completing and submitting a yearly Self-Assessment Questionnaire (SAQ). With the right knowledge, anyone in the organization can learn how to fill out the questionnaire.
How many levels are there for merchants?
The PCI DSS (Payment Card Industry Data Security Standard) merchant levels are rankings of merchant transaction volume per year, broken down into four levels.
What is Level 4 processing?
Level 4 applies to merchants that process fewer than 20,000 Visa or Mastercard e-commerce transactions per year, or up to 1 million total Visa or Mastercard transactions, and that have not suffered a data breach or attack that compromised card or cardholder data.
What does PCI QSA stand for?
Qualified Security Assessor (QSA) is a designation conferred by the PCI Security Standards Council on individuals who meet specific information security education requirements, have taken the appropriate training from the PCI Security Standards Council, are employees of a Qualified Security Assessor (QSA) ...
What is a PCI PA-QSA?
PA-DSS Program: the Payment Application Data Security Standard program managed and operated by PCI SSC. PA-QSA: acronym for "Payment Application Qualified Security Assessor", a company qualified by PCI SSC to perform PA-DSS assessments.
- Limit the cardholder data you store and retain only essential cardholder data.
- After authorization, do not store sensitive authentication data. ...
- Ensure the security of your POS vendor. ...
- Isolate and consolidate essential cardholder information.
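The first two points above (retain only the cardholder data you need, and never keep sensitive authentication data after authorization) are easier to enforce in code than in policy, because the data usually leaks through logs and stored transaction records rather than through the payment flow itself. The block below is an added example written for this page; it is not PCI SSC code and not from any vendor. It shows a post-authorization record sanitizer that drops SAD fields (CVV2, track data, PIN data) and masks the PAN to first six/last four, plus a Luhn-based detector that finds and masks PANs that have leaked into free text such as an application log line. The record, the log line and the SAD field names are constructed for illustration; the card numbers are the widely published Visa and Mastercard test numbers, not real cards.

```python
import re

# Constructed sample data for this example (not from the page).
# Card numbers are the widely published Visa/Mastercard test numbers.
SAMPLE_RECORD = {
    "pan": "4111111111111111",
    "expiry": "12/27",
    "cvv2": "123",                                       # SAD: never stored post-auth
    "track2": "4111111111111111=27121011000012345678",   # SAD: full track data
    "auth_code": "A1B2C3",
    "amount": "19.99",
}
SAMPLE_LOG_LINE = (
    "2024-03-01T10:00:00Z auth ok pan=4111111111111111 "
    "alt=5555 5555 5555 4444 amount=19.99 ref=123456789012345"
)

# Sensitive authentication data (SAD) field names; assumed naming for this example.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "cid", "pin", "pin_block", "track1", "track2"}

# A PAN candidate: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run (so a 20-digit reference number is skipped).
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if `digits` (13-19 numerals) passes the Luhn check."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six / last four (the PCI DSS v3.2.1 masking limit)."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_post_auth(record: dict) -> dict:
    """Copy of an authorization record that is safe to retain after authorization."""
    cleaned = {}
    for key, value in record.items():
        name = key.lower()
        if name in SAD_FIELDS:
            continue                    # drop SAD entirely (PCI DSS v3.2.1 Req. 3.2)
        cleaned[key] = mask_pan(value) if name == "pan" else value
    return cleaned


def redact_pans_in_text(text: str) -> tuple:
    """Mask every Luhn-valid PAN found in free text; returns (new_text, count)."""
    count = 0

    def _replace(match):
        nonlocal count
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)       # e.g. an order reference: leave it alone
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_replace, text), count


if __name__ == "__main__":
    print(sanitize_post_auth(SAMPLE_RECORD))
    print(redact_pans_in_text(SAMPLE_LOG_LINE))
```

The Luhn check is what keeps the log redactor from mangling every long number it sees (order references, timestamps with hyphens, tracking IDs): only digit runs that pass it are treated as PANs. Dropping SAD fields outright, rather than masking them, matters because there is no legitimate post-authorization use for CVV2 or track data, so there is nothing to preserve.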
A PCI audit examines the security of your organization's card processing system from beginning to end. During this process, a Qualified Security Assessor (QSA) or your own Internal Security Assessor (ISA) determines the effectiveness of your organization's information security controls.