
After spending over 35 years in IT, with a significant portion devoted to security, I find myself with more credentials now than when I first started this journey. One of my most valuable achievements remains my certification as a Payment Card Industry Security Standards Council (PCI SSC) Qualified Security Assessor (QSA). Becoming a QSA and maintaining the certification continue to be substantial undertakings requiring dedication and expertise.
The PCI SSC develops and maintains the Data Security Standard (PCI DSS), which establishes requirements for protecting cardholder data. With the transition to PCI DSS v4.0 now well underway, the importance of qualified assessors has only increased.
As stated in the current PCI SSC Qualification Requirements document, "When implemented properly, PCI DSS requirements provide a well-aimed defense for merchants and service providers against data exposure and compromise. Assessment of merchants and service providers for compliance with PCI DSS requirements remains critically important in today's environment and is key to the success of the PCI DSS." These assessments are carried out by QSAs. For professionals evaluating compliance with PCI DSS, becoming a QSA serves as the entry point to many other specialized certifications maintained by the PCI SSC, including the PCI Forensics Investigator (PFI) and Qualified Security Assessor for Point-to-Point Encryption (QSA P2PE).
Steps to qualifying as a certified QSA in 2025
To qualify as a QSA today, you need to have at least the following qualifications:
- Pass background checks as required by the PCI SSC
- Possess sufficient information security knowledge and experience to conduct technically complex security assessments
- Have a minimum of one year of experience in each of these information security disciplines (experience may be acquired concurrently):
  - Application security
  - Information systems security
  - Network security
- Have a minimum of one year of experience in each of these audit/assessment disciplines (experience may be acquired concurrently):
  - IT security auditing
  - Information security risk assessment or risk management
- Possess at least one of the following accredited, industry-recognized professional certifications from each list:
  List A – Information Security
  - (ISC)² Certified Information System Security Professional (CISSP)
  - ISACA Certified Information Security Manager (CISM)
  - Certified ISO 27001 Lead Implementer
  List B – Audit
  - ISACA Certified Information Systems Auditor (CISA)
  - GIAC Systems and Network Auditor (GSNA)
  - Certified ISO 27001 Lead Auditor, Internal Auditor
  - IRCA ISMS Auditor or higher (e.g., Auditor/Lead Auditor, Principal Auditor)
  - IIA Certified Internal Auditor (CIA)
Additionally, QSAs must:
- Possess knowledge about the current PCI DSS (v4.0) and all applicable documents on the PCI SSC Website
- Attend annual QSA Employee training provided by PCI SSC and legitimately pass all examinations
- Adhere to the PCI SSC Code of Professional Responsibility
Managing Multiple Certification Requirements
Several independent certifications are required as prerequisites to becoming a QSA, each with its own certification requirements and Continuing Professional Education (CPE) obligations. Managing a minimum of three certifications and their CPE requirements is challenging, but it is essential to maintaining your QSA status.
Consider the ISACA Certified Information Security Manager (CISM) from List A above. This certification requires a minimum of five years of professional information systems auditing, control, or security work experience. You'll need to invest significant study time to pass a 150-question, four-hour exam. Beyond that, 120 CPEs are required over the three-year certification cycle. Similar requirements exist for most qualifying certifications, including the QSA certification itself.
As a QSA, you'll need to track and report up to 360 CPEs across three certifications if none of your CPE activities overlap. Many professionals also maintain additional certifications that may have little overlap with the QSA-required credentials. In my case, I value my PMP (Project Management Institute Project Management Professional) certification, which is invaluable for managing compliance programs but comes with its own CPE requirements.
QSA Training in the Post-Pandemic Era
The QSA qualification process now offers more flexible training options following the pandemic. While the pre-qualifying exam remains online, the previously mandatory in-person training component now has virtual alternatives in many regions. However, SecureTrust continues to support our QSAs in attending in-person sessions when available, sending team members from across the Asia-Pacific region to courses in various global locations to expedite their qualification process.
The Value of Practical Experience in the PCI DSS 4.0 Era
With PCI DSS 4.0 now implemented, the value of experienced QSAs has increased significantly. The new standard's emphasis on customized approaches and outcomes-based requirements demands assessors who not only understand how to evaluate controls but have practical experience implementing them.
As a personal hiring requirement, I look for security professionals who have both assessed and built security controls. After all, how can you effectively assess what you haven't built or implemented yourself? This level of expertise is particularly valuable in the PCI DSS 4.0 environment, where consultants must be able to evaluate custom implementations and recommend remediation solutions based on real-world experience.
Conclusion
For organizations seeking QSA services, understanding the rigorous qualifications these professionals must maintain provides confidence in their expertise—similar to knowing your doctor's or mechanic's credentials and experience level.
Becoming a QSA requires genuine passion for cybersecurity. The multiple lengthy exams, ongoing education requirements, and need for practical experience create a demanding but rewarding career path. Having a team of such dedicated professionals makes my role both challenging and deeply satisfying.
Director of Asia Pacific Global Compliance & Risk Services Consulting
SecureTrust