PCI Security Standards Council®

Payment Application Qualified Security Assessor (PA-QSA)™ Qualification

The Payment Application Qualified Security Assessor curriculum teaches you to perform assessments of third-party developed payment applications to ensure compliance with the Payment Application Data Security Standard (PA-DSS). With this training course, you will become an expert on the requirements for PA-DSS compliance and help ensure the consistent, proper application of security measures and controls for payment applications.

Upon completion of the course, you’ll be able to:

• Perform a PA-DSS assessment
• Follow the PA-DSS Security Audit Procedures
• Produce a Report on Validation

Registration Process

In order to attend PA-QSA training your company must already be a validated PA-QSA Company and you must be a full time employee. Please see the PA-QSA Qualification Requirements for more details.

All candidates must apply to the PA-QSA program and be approved by the PCI Council to participate in a training class. All training inquiries and assignments must be submitted through your company's assigned Primary Contact. Other requirements include:
  • Must be a QSA
  • Must have completed two PCI DSS assessments
  • Must have substantial application security knowledge and experience conducting application and code reviews, and/or demonstrated competence in cryptographic techniques

Course Details

Training Overview

The Payment Application Qualified Security Assessor (PA-QSA) covers the PA-DSS requirements, sub-requirements, and associated testing procedures in depth.

  • PCI Industry Overview
    In depth coverage of the payment card industry, the terminology used to describe its key aspects, the flow of data through the various payment card mechanisms and the relationships between the various actors in the process
  • PCI Thresholds and Brand Specific Requirements
    Detailed coverage of the classifications and compliance requirements for merchants, service providers and vendors and the various specific requirements imposed by the various card brands
  • PCI Data Security Standard (DSS)
    In-depth training on every aspect of the current DSS including requirements, reasoning and what constitutes compliance with the requirement
  • PCI Code Review and Analysis
    In-depth training on executing code reviews and locating non PCI compliant constructs and procedures in applications that implement payment card processing systems
  • PCI Hardware and Communications Infrastructure
    In-depth training on the current state of typical devices and connectivity used by organizations to accept payment cards, and communicate with the verification and payment facilities
  • PCI Reporting
    In depth training on constructing and filing the necessary compliance reports and techniques for communicating results to those being audited
Training and Exam This self-paced, six-hour online course offers:
  • Flexible scheduling 24/7/365
  • Learn from your home or office
  • Reduced travel costs and time away from work

You will receive a link to access the eLearning course. You will have 90 days from the day you receive the link to complete the course and take the exam. You will also receive a separate email from Pearson VUE with credentials and complete instructions on how to schedule your exam.

Taking the exam - Upon completion of the eLearning curriculum, the student will take the qualification exam at one of over 4,000 Pearson VUE Testing Centers worldwide. The student will receive a voucher number to be redeemed in Pearson VUE's online registration system; testing location and time are selected by the student. The exam must be completed in one sitting and must be taken within 30 days of the candidate being given the information on how to schedule the exam.

The Primary Contact at the PA-QSA Company will be notified of results. Employees who fail may retake the training and exam, upon payment of a re-test fee. For each attendee that passes the exam, the PA-QSA Company will receive a certificate that validates the employee for the next 12 months.

Note:  Hiring or employing a PA-QSA does not assume the Company has met all of the PCI SSC validation requirements.

Testing Center Locations
How to Prepare

Prior to attending a PA-QSA training session it is strongly recommended you familiarize yourself with the following publications available in the document library:

  • Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures
  • Payment Card Industry (PCI) Payment Application Data Security Standard – Requirements and Security Assessment Procedures
  • Payment Card Industry (PCI) Data Security Standard and Payment Application Data Security Standard Glossary of Terms, Abbreviations, and Acronyms
  • PA-QSA Qualification Requirements
  • Program Guide
  • ROV Reporting Template
  • Attestation of Validation
  • PA-DSS and Mobile Applications FAQs
  • Which Applications are Eligible for PA-DSS Validation

eLearning Course

Course
Price
Course: New PA-QSA Professional
Price: $1375 USD
Annual PA-QSA requalification training fee is $1095 USD per Assessor

Please note: Unless otherwise specified, all fees are in US Dollars. All course fees are NON-TRANSFERABLE and NON-REFUNDABLE. An invoice will be issued upon completion of registration and will include instructions to pay by check, credit card or wire transfer.
Payment is required prior to beginning the course. Course conducted in English. Examination delivered in English.

Requalification Requirements

In order to maintain the high standards set for this certification, all PA-QSA employees must re-certify every 12 months in order to continue as a Payment Application Qualified Security Assessor for their PA-QSA company. Please note that annual PA-QSA requalification training will be held in an eLearning format only. All PA-QSA Program training attendees will be required to sign and accept the terms of the PCI SSC PA-QSA Employee Certification form at the time they begin the online training.

All training inquiries and assignments must be submitted through the PA-QSA company's primary contact. PCI SSC requires all training attendees to be full time employees of the PA-QSA company that they were initially hired by.

Registration must be completed by your expiration date. Any professional who is not registered in the requalification course prior to their expiry date, or who does not achieve a passing score on the exam by the end of the two week grace period, will be required to re-enroll as a new candidate.

Become Qualified

Right for you?

You are a current QSA who is employed by a QSA company performing assessments of third-party payment applications for compliance with PA-DSS. Typical job titles include: Managing Director of Compliance Services, Practice Lead Security Assessor, Senior Security Consultant, Information Security Analyst, and Information Security Auditor.
Request More Information

“I thought the instructor was excellent and his insights and experience greatly helped towards the overall understanding.”

 — Janet Edwards, K3DES, LLC

“It was very useful to see the QSA role from the perspective of the assessor rather than from the customer's viewpoint.”

 — Chris Leppard, Trustwave

“The way that the instructor was able to cover a vast amount of material in a relatively short time and make us remember it - without the training it would have taken weeks and weeks to get the same level of understanding.”

 — David Newman, TELUS Security Solutions

Our website uses both essential and non-essential cookies (further described in our Privacy Policy) to analyze use of our products and services. By clicking “ACCEPT” below, you are agreeing to our use of non-essential cookies to provide third parties with information about your usage and activities. If you click “DECLINE” below, we will continue to use essential cookies for the operation of the website.

AcceptDecline