PCI Security Standards Council®

Training FAQ

Training-Related Questions

Can the PCI Council come to my company’s location and host a training session for just our employees?

Yes, the Council brings training directly to your company anywhere in the world for company or merchant-specific training sessions. Please contact us at training@pcisecuritystandards.org for further information about scheduling and costs.

How long is the PCI Fundamentals course? When does it have to be completed?

PCI Fundamentals is the required prerequisite course for Internal Security Assessor, Qualified Security Assessor, and Point-to-Point Encryption Assessor training classes. For Internal Security and Qualified Security Assessors, it is a seven-hour online course; for Point-to-Point Encryption it is a two-hour online course, and it must be completed at least one week prior to the instructor-led session for each course.

Am I allowed to take the PCI Fundamentals course without signing up for a specific class?

No, you must be registered and have paid for the Internal Security Assessor, Qualified Security Assessor, or Point-to-Point Encryption Assessor training course in order to take the corresponding PCI Fundamentals prerequisite course.

When do I find out if I've been accepted into a class?

Your company’s primary contact will receive an invoice for the requested course within three business days after the PCI Council receives the request. If the course you requested is no longer available, your company’s primary contact will be contacted to request a different course.

When do I get my log-in credentials for the online course I am taking?

You will receive your credentials for the PCI eLearning course within three business days after the Council processes your payment.

To be better prepared, what can I do in advance of the Instructor-led Training class?

For instructor-led courses, you should prepare by reviewing and familiarizing yourself with the associated PCI documents. For example, for the Qualified Security Assessor course we strongly recommend that you be familiar with the following documents before attending:

  • PCI DSS
  • Glossary of Terms, Abbreviations, and Acronyms v3.1

All PCI documents are in the Document Library. Please refer to individual course descriptions for specifics on required or recommended reading for each course.

What’s required for an individual to be trained as a PCI Professional?

There are no prerequisites to take the eLearning course and examination. However, the candidate should possess a minimum of two years of IT or IT-related experience and a base level of knowledge and awareness of information technology, network security and architecture, and payment industry participants.

What is considered IT or IT-related experience?

Candidates for the PCI Professional course do not need to be IT specialists, but do need to have some familiarity with IT. We recommend two years’ experience in IT or IT-related positions so that candidates are familiar with IT terminology used in network security and architecture.

Can I be both a PCI Professional and an Internal Security Assessor?

Yes, PCI Professionals may enhance their knowledge and continue on to become ISAs if they work for an organization that sponsors them for the Internal Security Assessor qualification. PCI Professional is the entry point for professionals to begin their PCI career. The required experience, professional background and privileges are preparatory to becoming an Internal Security Assessor. Conversely, because the training and knowledge base for an Internal Security Assessor exceeds that of a PCI Professional, an Internal Security Assessor may opt in to the PCI Professional program by paying a fee and attesting to the Code of Professional Responsibility.

Does a company need to do anything to qualify as a “Qualified Integrators and Resellers” company?

Companies must have processes in place to train their employees and keep them up to date, must have an internal quality assurance program, and must have experience installing the payment applications. Learn more about the Qualification Requirements.

How does PCI Awareness training differ from PCI Professional qualification?

Awareness training is more entry level than the PCI Professional course and is suitable for anyone, at any level in an organization, who needs to know more about PCI. You will earn continuing education credits for the Awareness course, but there is no associated exam or qualification.

Company-Related Questions

My company is PCI compliant. Does compliance mean I’m a Participating Organization and that I will receive a discount on training offered by the PCI Council?

Although your company may be compliant, it does not mean you are automatically a Participating Organization. To become a Participating Organization, your company needs to apply for entry into the program. In addition to receiving discounts on training courses, the program offers many other benefits.

I work for a Participating Organization. What steps do I take to get Internal Security Assessor training?

The next step is for your company to apply to become an Internal Security Assessor Sponsor Company. There is no fee for the Sponsor Company application; there is a fee to send employees to training.

Learn more about Internal Security Assessor qualification requirements.

How long does it take for my company to become a Sponsor Company?

In order to have your company fully activated as a Sponsor Company, you must complete and submit an application. The review of the application may take up to four weeks.

Qualification Questions

If my qualification expiration date has passed, can I re-qualify online?

The PCI Council has a strict grace period of 14 calendar days. If your certificate expired more than two weeks ago, you will be required to attend a new training session to reinstate your qualification. Please note: The PCI Council sends notifications to the primary contacts of each company on a monthly basis. These reminder emails include the names and expiration dates of those individuals whose certifications expire within the next sixty days. Regardless of the email reminders, it is the responsibility of the individual to request requalification training (through their company’s primary contact) each year.

If I miss my Qualified Security Assessor re-qualification date, does it affect my Payment Application Assessor status?

Yes, if you are no longer an active Qualified Security Assessor, you are automatically no longer an active Payment Application Assessor.

If you attend Qualified Security Assessor training before your Payment Application Assessor certificate expires, your active Payment Application Assessor status can be reinstated as long as you are with an active company.

What happens to my company if I miss re-qualification and we don’t have any other trained Assessors or Approved Scanning Vendors?

There can be several reasons a company would find itself without active qualified staff: in some cases the employee(s) have missed their requalification date, and in other cases the employee has left the firm. Based on the requirement to ensure a minimum number of trained staff on hand, once the company is no longer meeting this requirement, the Council will deactivate the company. No prior notice may be sent for this action. Once a company is deactivated in our records, the company will also be removed from public listing pages such as the Qualified Security Assessor provider listing.

If a company is able to send an employee to training and meet this requirement, it would be reinstated to the website and given an active status. A fee will be charged to re-list a firm that has been previously removed.

Exam Questions

If I fail the PCI Fundamentals exam, can I retake it?

Yes, you must retake and pass the exam before the related course that follows (instructor-led for Qualified Security and Point-to-Point Encryption Assessors, instructor-led or eLearning for Internal Security Assessors). If you are registered for a specific course and fail to retake PCI Fundamentals before that course, your payment will be forfeited.

  • If you are attending an Internal Security Assessor class and you fail PCI Fundamentals, you have two additional chances to retake it and pass.
  • If you are attending a Qualified Security Assessor class and you fail PCI Fundamentals, you have one additional chance to retake it and pass.
  • If you are attending a Point-to-Point Encryption Assessor class and you fail PCI Fundamentals, you have one additional chance to retake it and pass.

How long before I know the results of the Instructor-led Training exam?

Results will be sent to your company’s primary contact within two weeks of course completion. Often results are sent within a few days of course completion.

If I take the eLearning class for Internal Security Assessor, how do I take the test?

After you have taken the Internal Security Assessor eLearning class, you will register to take the exam at a local Pearson VUE testing center. Specific instructions will be given at the time your eLearning registration is confirmed.

When will I know the results of an online course exam?

Results from eLearning exams are sent within one week after completing a course.

Do I get additional Continuing Education hours for the time I spend at Pearson VUE?

No, the PCI Council does not offer Continuing Education hours for the time you are taking a test.

English is a second language to me. Will there be someone to assist me if I am not able to understand a question on the exam?

The Pearson VUE testing center is run the same for all certification tests; the representative will not be able to assist in translations once you have begun the test and you will not be given additional time for the exam.

I had a personal issue on the day I was supposed to take the test at the Pearson VUE testing center. Will I be able to take the exam at a later date?

Your testing fee will be forfeited if you cancel your test reservation with less than 24 hours’ notice or if you fail to show up. If you cancel at least 24 hours prior to your testing time, you will be able to reschedule without a fee.

Can a candidate take the instructor-led Internal Security Assessor class but choose to take the exam at a later time at a Pearson VUE testing center?

No. A candidate at an instructor-led course will take the exam as a part of the training course that they are attending.

What happens if I fail the eLearning exam?

If a student is a new ISA, new PCIP, or new QIR, he/she will be allowed to retake the exam at an additional cost. The retake will be administered through a Pearson VUE Testing Center. You will be allowed to retake only once. If you fail the retake, you will need to pay for and take either the instructor-led course or the eLearning course – and pass the subsequent exam.
