How to Become a PCI Internal Security Assessor (ISA)

Author: Johan Hagdahl
Published: September 2, 2025

Becoming an Internal Security Assessor (ISA)

Have you ever thought of becoming a Payment Card Industry Internal Security Assessor (PCI ISA)? It's a question many clients have asked me over the years. The PCI ISA program is designed to educate members of your staff to take on expanded duties related to your PCI compliance. The Payment Card Industry Security Standards Council (PCI SSC) also maintains the PCI Professional (PCIP) program, which provides an understanding of the PCI DSS and how to operate in the PCI ecosystem. Compared to a PCIP, becoming an ISA takes things up a few notches: the ISA training and exam are on par with the requirements for QSAs.

Having an ISA on your staff will improve the quality and reliability of your PCI program, particularly as organizations navigate the significant changes introduced in PCI DSS 4.0 and the current version, 4.0.1. An ISA enhances the consistency of your assessments by serving as your in-house PCI resource: someone who can answer questions, specify policy, and help maintain and prepare your organization for its annual PCI compliance activities.

Is an ISA Right for Your Organization?

Small organizations may not benefit from an ISA because of the cost of sponsorship, training, and the required exams. Like a Qualified Security Assessor (QSA) such as myself, an ISA must periodically recertify, which involves taking annual training courses and exams.

The similarities between QSA and ISA do not stop there. As a QSA, I am required to work for a QSA Company (QSAC), in my case SecureTrust. The QSAC sponsors my annual training and testing and maintains the necessary insurance. Similarly, as a first step the company the prospective ISA works for must become a sponsoring organization, which serves the same role as the QSAC. The sponsoring company submits an attestation, signed by an appropriate senior-level member, to the PCI SSC. The attestation sets out specific terms, including that the sponsoring company is backing the ISA candidate. It's important to note that the ISA and the sponsoring company are interlocked: the ISA can only perform assessment activities for that sponsoring company, and if the ISA leaves, the PCI SSC will immediately revoke the ISA qualification.

The ISA Training Process

The ISA training program consists of two parts:

  1. A prerequisite PCI Fundamentals course and exam.
  2. The main ISA qualification course and exam, available in both instructor-led and online eLearning formats.

This comprehensive training ensures ISAs are well-equipped to handle the complexities of PCI DSS 4.0.1 compliance, including the introduction of the Customized Approach, which gives organizations greater flexibility in meeting security objectives.

Qualification Requirements

Any full-time employee can become an ISA, but the PCI SSC has specific qualification requirements. The ISA must complete the training and pass the examination. They must read and agree to the PCI SSC Code of Professional Responsibility, just as QSAs do, and must accept the ISA Attestation.

The PCI SSC recommends certain experience due to the highly technical nature of the role. While these are the same qualifications that QSAs are required to hold, for an ISA they are recommended. Here's what the PCI SSC looks for in potential ISAs:

  • Sufficient information security knowledge and experience to conduct technically complex security assessments
  • Emphasis on internal information systems and security audit work as a Sponsor Company employee
  • Strong understanding of payment processes, related systems, and PCI DSS
  • Annual information systems audit training to support applicable continuing professional education requirements (for example, 20 hours of such training annually and 120 hours over the immediately preceding rolling three-year period)
  • Additional qualifications including:
    • University or undergraduate degree
    • Five years of applicable work experience
    • One year of experience performing information security audits similar to QSA Assessments, three separate such audits, or other equivalent as determined by the Sponsor Company
    • Demonstrated expertise in at least three relevant areas including network security, application security and consultancy, and system integration
    • Industry-recognized professional certifications (one from each list is recommended, but not required):
      • List A - Information Security
        • Certified Information Systems Security Professional (CISSP)
        • Certified Information Security Manager (CISM)
      • List B - Audit
        • Certified Information Systems Auditor (CISA)
        • GIAC Systems and Network Auditor (GSNA)
        • Certified ISO 27001 Lead Auditor or Internal Auditor
        • International Register of Certificated Auditors (IRCA)
        • Information Security Management System (ISMS) Auditor

Benefits in Today's PCI Landscape

Having an ISA on your staff can be a real boost to your PCI compliance posture, especially given the complexities of some of the requirements introduced with PCI DSS 4.0.1. An ISA can help your organization navigate both the traditional Defined Approach and the new Customized Approach for meeting requirements.

A team member who can bridge the gap between the internal organization and the external PCI assessor is invaluable. In the PCI ecosystem, the most fundamental thing to understand is the scope of the environment. Scope sets the playing field for the assessment and focuses resources where they are best applied to protect payment card data.

Having an ISA on board may also shorten assessment timeframes. By understanding the scope of your environment, including the people and processes behind the activities that drive compliance, the ISA can work directly with the QSA to streamline assessment activities and achieve a compliant assessment. An ISA is well equipped to maintain compliance for your organization throughout the year, which is crucial to avoid remediation of gaps identified by the QSA during the annual assessment.

Upon successful certification, ISAs receive a digital badge that can be displayed to represent their skills and accomplishments, providing a trusted, verifiable credential in the payment security industry.


About the author: Johan Hagdahl is Director, EMEA Compliance Delivery, at SecureTrust.
