
How to Get PCI QSA Certification

By Brian Odian
Published August 19, 2025

After spending over 35 years in IT, with a significant portion devoted to security, I find myself with more credentials now than when I first started this journey. One of my most valuable achievements remains my certification as a Payment Card Industry Security Standards Council (PCI SSC) Qualified Security Assessor (QSA). Becoming a QSA and maintaining the certification continue to be substantial undertakings requiring dedication and expertise.

The PCI SSC develops and maintains the Data Security Standard (PCI DSS), which establishes requirements for protecting cardholder data. With the transition to PCI DSS v4.0 now well underway, the importance of qualified assessors has only increased.

As stated in the current PCI SSC Qualification Requirements document, "When implemented properly, PCI DSS requirements provide a well-aimed defense for merchants and service providers against data exposure and compromise. Assessment of merchants and service providers for compliance with PCI DSS requirements remains critically important in today's environment and is key to the success of the PCI DSS." These assessments are carried out by QSAs. For professionals evaluating compliance with PCI DSS, becoming a QSA serves as the entry point to many other specialized certifications maintained by the PCI SSC, including the PCI Forensics Investigator (PFI) and Qualified Security Assessor for Point-to-Point Encryption (QSA P2PE).

Steps to qualifying as a certified QSA in 2025

To qualify as a QSA today, you need to have at least the following qualifications:

  • Pass background checks as required by the PCI SSC
  • Possess sufficient information security knowledge and experience to conduct technically complex security assessments
  • Have a minimum of one year of experience in each of these information security disciplines (experience may be acquired concurrently):
    • Application security
    • Information systems security
    • Network security
  • Have a minimum of one year of experience in each of these audit/assessment disciplines (experience may be acquired concurrently):
    • IT security auditing
    • Information security risk assessment or risk management
  • Possess at least one of the following accredited, industry-recognized professional certifications from each list:

List A – Information Security

  • (ISC)² Certified Information System Security Professional (CISSP)
  • ISACA Certified Information Security Manager (CISM)
  • Certified ISO 27001 Lead Implementer

List B – Audit

  • ISACA Certified Information Systems Auditor (CISA)
  • GIAC Systems and Network Auditor (GSNA)
  • Certified ISO 27001, Lead Auditor, Internal Auditor
  • IRCA ISMS Auditor or higher (e.g., Auditor/Lead Auditor, Principal Auditor)
  • IIA Certified Internal Auditor (CIA)

Additionally, QSAs must:

  • Possess knowledge about the current PCI DSS (v4.0) and all applicable documents on the PCI SSC Website
  • Attend annual QSA Employee training provided by PCI SSC and legitimately pass all examinations
  • Adhere to the PCI SSC Code of Professional Responsibility

Managing Multiple Certification Requirements

Several independent certifications are required as prerequisites to becoming a QSA, each with its own certification requirements and Continuing Professional Education (CPE) obligations. Managing a minimum of three certifications and their CPE requirements can be challenging, but it is essential to maintaining your QSA status.

Consider the ISACA Certified Information Security Manager (CISM) from List A above. This certification requires a minimum of five years of professional information systems auditing, control, or security work experience. You'll need to invest significant study time to pass a 150-question, four-hour exam. Beyond that, 120 CPEs are required over the three-year certification cycle. Similar requirements exist for most qualifying certifications, including the QSA certification itself.

As a QSA, you'll need to track and report up to 360 CPEs across three certifications if there are no overlaps between your CPE activities. However, many professionals also maintain additional certifications that may have minimal overlap with QSA-required credentials. In my case, I value my PMP (Project Management Institute Project Management Professional) certification, which is invaluable for managing compliance programs but comes with its own CPE requirements.

QSA Training in the Post-Pandemic Era

The QSA qualification process now offers more flexible training options following the pandemic. While the pre-qualifying exam remains online, the previously mandatory in-person training component now has virtual alternatives in many regions. However, SecureTrust continues to support our QSAs in attending in-person sessions when available, sending team members from across the Asia-Pacific region to courses in various global locations to expedite their qualification process.

The Value of Practical Experience in the PCI DSS 4.0 Era

With PCI DSS 4.0 now implemented, the value of experienced QSAs has increased significantly. The new standard's emphasis on customized approaches and outcomes-based requirements demands assessors who not only understand how to evaluate controls but have practical experience implementing them.

As a personal hiring requirement, I look for security professionals who have both assessed and built security controls. After all, how can you effectively assess what you haven't built or implemented yourself? This level of expertise is particularly valuable in the PCI DSS 4.0 environment, where consultants must be able to evaluate custom implementations and recommend remediation solutions based on real-world experience.

Conclusion

For organizations seeking QSA services, understanding the rigorous qualifications these professionals must maintain provides confidence in their expertise, much as knowing your doctor's or mechanic's credentials and experience level does.

Becoming a QSA requires genuine passion for cybersecurity. The multiple lengthy exams, ongoing education requirements, and need for practical experience create a demanding but rewarding career path. Having a team of such dedicated professionals makes my role both challenging and deeply satisfying.


About the author: Brian Odian, Director of Asia Pacific Global Compliance & Risk Services Consulting, SecureTrust
