Payment Application Qualified Security Assessor (PA-QSA)™ Qualification

The Payment Application Qualified Security Assessor curriculum teaches you to perform assessments of third-party developed payment applications to ensure compliance with the Payment Application Data Security Standard (PA-DSS). With this training course, you will become an expert on the requirements for PA-DSS compliance and help ensure the consistent, proper application of security measures and controls for payment applications.

Upon completion of the course, you’ll be able to:

  • Perform a PA-DSS assessment
  • Follow the PA-DSS Security Audit Procedures
  • Produce a Report on Validation

Course Highlights

The Payment Application Qualified Security Assessor (PA-QSA) covers the PA-DSS requirements, sub-requirements, and associated testing procedures in depth.
  • PCI Industry Overview: In depth coverage of the payment card industry, the terminology used to describe its key aspects, the flow of data through the various payment card mechanisms and the relationships between the various actors in the process
  • PCI Thresholds and Brand Specific Requirements: Detailed coverage of the classifications and compliance requirements for merchants, service providers and vendors and the various specific requirements imposed by the various card brands
  • PCI Data Security Standard (DSS): In-depth training on every aspect of the current DSS including requirements, reasoning and what constitutes compliance with the requirement
  • PCI Code Review and Analysis: In-depth training on executing code reviews and locating non PCI compliant constructs and procedures in applications that implement payment card processing systems
  • PCI Hardware and Communications Infrastructure: In-depth training on the current state of typical devices and connectivity used by organizations to accept payment cards, and communicate with the verification and payment facilities
  • PCI Reporting: In depth training on constructing and filing the necessary compliance reports and techniques for communicating results to those being audited

This class is available as a self-paced, six-hour online course. Click here to find a testing location near you.

Right for You?

You are a current QSA who is employed by a QSA company performing assessments of third-party payment applications for compliance with PA-DSS. Typical job titles include: Managing Director of Compliance Services, Practice Lead Security Assessor, Senior Security Consultant, Information Security Analyst, and Information Security Auditor.


Course Price
New PA-QSA Professional $1375 USD

Annual PA-QSA requalification training fee is $1095 USD per Assessor

Please note: Unless otherwise specified, all fees are in US Dollars. An invoice will be issued upon completion of registration and will include instructions to pay by check, credit card or wire transfer.

Payment is required prior to beginning the course. Course conducted in English. Examination delivered in English.

If you have a group to train, please consider our Corporate Group Training instructor-led option, where an expert PCI instructor comes to your facility (or any location you choose) to deliver the course. We offer volume discounts – the more you train, the more you save!

How to Prepare for the Exam

Prior to attending a PA-QSA training session it is strongly recommended you familiarize yourself with the following publications available in the document library:

  • Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures
  • Payment Card Industry (PCI) Payment Application Data Security Standard – Requirements and Security Assessment Procedures
  • Payment Card Industry (PCI) Data Security Standard and Payment Application Data Security Standard Glossary of Terms, Abbreviations, and Acronyms
  • PA-QSA Qualification Requirements
  • Program Guide
  • ROV Reporting Template
  • Attestation of Validation
  • PA-DSS and Mobile Applications FAQs
  • Which Applications are Eligible for PA-DSS Validation

In order to attend PA-QSA training your company must already be a validated PA-QSA Company and you must be a full time employee. 

Exam Information

This self-paced, six-hour online course offers:

  • Flexible scheduling 24/7/365
  • Learn from your home or office
  • Reduced travel costs and time away from work

You will receive a link to access the eLearning course. You will have 90 days from the day you receive the link to complete the course and take the exam. You will also receive a separate email from Pearson VUE with credentials and complete instructions on how to schedule your exam.

Taking the exam – Upon completion of the eLearning curriculum, the student will take the qualification exam at one of over 4,000 Pearson VUE Testing Centers worldwide. The student will receive a voucher number to be redeemed in Pearson VUE’s online registration system; testing location and time are selected by the student. The exam must be completed in one sitting and must be taken within 30 days of the candidate being given the information on how to schedule the exam.

The Primary Contact at the PA-QSA Company will be notified of results. Employees who fail may retake the training and exam, upon payment of a re-test fee. For each attendee that passes the exam, the PA-QSA Company will receive a certificate that validates the employee for the next 12 months.

Note:  Hiring or employing a PA-QSA does not assume the Company has met all of the PCI SSC validation requirements.

Registration Process

In order to attend PA-QSA training your company must already be a validated PA-QSA Company and you must be a full time employee. Please see the PA-QSA Qualification Requirements for more details.

All candidates must apply to the PA-QSA program and be approved by the PCI Council to participate in a training class. All training inquiries and assignments must be submitted through your company’s assigned Primary Contact. Other requirements include:

  1. Must be a QSA
  2. Must have completed two PCI DSS assessments
  3. Must have substantial application security knowledge and experience conducting application and code reviews, and/or demonstrated competence in cryptographic techniques



In order to maintain the high standards set for this certification, all PA-QSA employees must re-certify every 12 months in order to continue as a Payment Application Qualified Security Assessor for their PA-QSA company. Please note that annual PA-QSA requalification training will be held in an eLearning format only. All PA-QSA Program training attendees will be required to sign and accept the terms of the PCI SSC PA-QSA Employee Certification form at the time they begin the online training.

All training inquiries and assignments must be submitted through the PA-QSA company’s primary contact. PCI SSC requires all training attendees to be full time employees of the PA-QSA company that they were initially hired by.

Registration must be completed by your expiration date. Any professional who is not registered in the requalification course prior to their expiry date, or who does not achieve a passing score on the exam by the end of the two week grace period, will be required to re-enroll as a new candidate.

I thought the instructor was excellent and his insights and experience greatly helped towards the overall understanding.

It was very useful to see the QSA role from the perspective of the assessor rather than from the customer's viewpoint.

The way that the instructor was able to cover a vast amount of material in a relatively short time and make us remember it - without the training it would have taken weeks and weeks to get the same level of understanding.