The Process of Becoming a QSA

The Process of Becoming a QSA

Step 1 - Application
The security company must first submit the required documentation, including certifications, business license, insurance certificates and the registration fee, which is credited against the initial enrollment fee if the firm becomes qualified. Please see the Qualification Requirements for Qualified Security Assessors (QSA) v. 2.1. Submit your attestation to the requirements to:

PCI Security Standards Council - QSA Program
401 Edgewater Place, Suite 600
Wakefield, MA 01880

The Council will review these materials, and will communicate with the security company to address any issues or lack of information. When the materials are complete, the prospective Qualified Security Assessor Company (QSAC) will be invited to schedule training for its employees.

Step 2 - Training
All individuals who will be involved in assessing security for the company's clients must undergo and pass the Council's QSA training course and receive official certification. Individual fees apply. A Council representative will schedule training for the prospective QSA's employees, and the company will be notified whether they pass or fail the test at the end of the course. For more information regarding QSA training, please click here.

Step 3 - Enrollment
When the enrollment fee balance has been received by the PCI Security Standards Council, the security company will receive a Letter of Acceptance from the Council, and each of its employees who has passed the training course will receive a Certificate of Qualification. The new QSA firm will be listed on the Council Web site, the employees will be added to the Council's database of certified personnel, and the company may now perform audits for its clients.

To ensure that security audits are carried out at the highest levels of quality and professionalism, the PCI Security Standards Council encourages the payment brands and other entities to submit audit Quality Feedback Forms, which will be evaluated by the Council's Technical Working Group. If a QSA is judged to be deficient in its audit efforts, the Council will engage in dialog to recommend measures for improvement. If improvement is not deemed sufficient, the result could be disqualification for the QSA and removal from the Website list.