Associate QSA (AQSA) Qualification

The Associate QSA (AQSA) Program prepares you to support and learn from Qualified Security Assessors (QSAs) as they perform assessments of merchants and service providers who must comply with the PCI Data Security Standard (PCI DSS).

AQSA candidates follow the same training path as QSAs, and the course focuses on the 12 high-level control objectives and corresponding sub-requirements that are required for PCI DSS compliance.

Training will cover the processes involved in payment card processing, PCI DSS requirements and testing procedures, how to conduct PCI DSS assessments, validate compliance and generate reports. Upon successful completion of the training and exam, trainees are equipped to assist in conducting PCI DSS assessments and preparing appropriate compliance reports with the oversight of a QSA mentor at their QSA Company.

Course Highlights

Qualified Security Assessor (QSA) training is a two-part program. The first is a five-hour prerequisite course and exam on PCI Fundamentals. It’s followed by an in-depth course and exam delivered virtually or in-person.

PCI Fundamentals assures that all candidates attending the QSA training course have the same baseline understanding.  The PCI Fundamentals course must be completed prior to the training class.

Candidates who successfully complete the prerequisite PCI Fundamentals course may move on to the QSA qualification course. This course builds on the knowledge gained in PCI Fundamentals and delves into the actual PCI DSS requirements, testing procedures, compliance reports and more. The Qualified Security Assessor course covers:

  • Payment card industry overview
    • Terminology, transaction data flow
    • Relationships between various organizations in the process
  • Payment card brand validation and reporting requirements
  • PCI Data Security Standard (DSS)
    • Overview of each requirement and testing procedures
  • PCI Hardware and Communications Infrastructure
  • Overview of compliance issues and mitigation strategies
  • Compensating controls
  • PCI Reporting

The instructor-led course also includes case studies providing a simulation of assessment scenarios that may help you in solving common problems you may experience when assessing a client’s payment environment.

Right for You?

You are an experienced security professional who currently works full-time for a validated QSA company, but does not meet the industry certification requirement to apply for full QSA status. The AQSA program provides an opportunity for security professionals to learn on the job under a formal mentorship program driven by active QSA professionals.

Please contact your organization’s QSA Primary Contact to enroll in the AQSA program.

Schedule

  • 5-6 Feb 2025

    09:00-17:30 (local time)

    Atlanta, GA

  • 26-27 Mar 2025

    09:00-17:30 (local time)

    Phoenix, AZ

  • 8 Apr 2025

    09:00-17:30 ET (13:00-21:30 UTC)

    Virtual Instructor-Led (vILT)

  • 21-22 May 2025

    09:00-17:30 (local time)

    Glasgow, UK*

  • 23-24 Jul 2025

    09:00-17:30 (local time)

    Denver, CO

  • 11-12 Sep 2025

    09:00-17:30 (local time)

    Fort Worth, TX

  • 15-16 Sep 2025

    19:00-03:00 ET (23:00-07:00 UTC) This class will be simultaneously translated into Japanese. Please note that for participants in Japan, this class begins at 8:00 JST on 16 September.

    Virtual Instructor-Led (vILT)

  • 9-10 Oct 2025

    09:00-17:30 (local time)

    Amsterdam, NL*

  • 27-28 Oct 2025

    21:00-05:30 ET (01:00-09:30 UTC) Geared for students in Asia Pacific time zone

    Virtual Instructor-Led (vILT)

  • 5-6 Nov 2025

    09:00-17:30 (local time)

    Seattle, WA

  • 3 Dec 2025

    05:00-13:30 ET (10:00-18:30 UTC)

    Virtual Instructor-Led (vILT)

Virtual Instructor Led (vILT) classes are a combination of eLearning and a live webinar. 

training-schedule-2.jpg

Become an AQSA when you take this class and become qualified.

Prices

Course Price

New AQSA training (In person or eLearning)

$3,300 USD

Requalification AQSA training

$2,000 USD

Requalification AQSA training (Japanese Language)

$2,650 USD

Training class change fee

$185 USD

Please note: Unless otherwise specified the training and exam will be delivered in English.

Price does not include any applicable VAT/HST/GST which will appear on your invoice.

* Not including VAT.

training-become-qsa-company.jpg

Your organization must be an QSA company to register candidates for AQSA training.

How to Prepare for the Exam

Prior to beginning the PCI Fundamentals training, you should familiarize yourself with these publications on the PCI website:

  • PCI Glossary
  • PCI DSS
  • PCI DSS Self-Assessment Questionnaire (SAQ)
  • Attestation of Compliance (AOC)
  • ROC Reporting for PCI DSS
  • PCI SSC Frequently Asked Questions (FAQs)
  • PCI Approved Scanning Vendors Program Guide
training-pci-fundamentals.jpg

The PCI Fundamentals online course must be completed prior to the start of your training class.

Exam Information

New Training Offerings:

All offerings will include a 5-hour online prerequisite Fundamentals course followed by a 60-question multiple-choice exam. Two attempts to pass Fundamentals will be allowed.

  • Instructor-led training (ILT): In-person, instructor-led classroom training with an exam to follow.
  • Virtual Instructor-led training (vILT): Combination online training and instructor-led webinar with an exam offered via Pearson Vue within 30 days of webinar.
  • Please see Schedule tab for dates of ILT and vILT training

New Exam Specifics:

  • All exams are closed book.
  • Exam is 60 multiple choice questions with a 90-minute time limit.
  • Results of in person exams are delivered within 10 business days.
  • Results of Pearson Vue exams are delivered upon completion of the exam.
  • 75% or higher to pass the exam; the only information that can be released concerning exams is your grade.
  • If you fail the exam, your primary contact must register you for New QSA training again.

Registration Process

In order to attend a QSA training class, your company must already be a validated QSA Company and you must be a full time employee. Please see the Qualification Requirements for Qualified Security Assessors (QSAs) v3.0 for more details

In order to register, work with your organization’s QSA Primary Contact to submit an AQSA application through the PCI Portal. Required information will include:

  • Legal name of candidate
  • Location and Date of desired QSA training
  • Candidate’s company email address, country of residence, and native language
  • AQSA candidate’s resume must be able to show possession of a university or college diploma OR possess a minimum of two years’ experience in an Information Security or IT-related field.
  • All QSA program training attendees must accept and sign the PCI SSC Code of Professional Responsibility and submit at the training session.

An invoice will be issued to the QSA primary contact upon completion of registration and will include payment instructions.

Requalification Requirements

In order to maintain the high standards set for this qualification, all Assessor employees must requalify every 12 months in order to continue as an Associate Qualified Security Assessor. All QSA Program training attendees will be required to sign and accept the terms of the PCI SSC Code of Professional Responsibility at the time they begin the online training.

Assessors must complete registration for requalification training (and be approved, where applicable) prior to their qualification expiration date. An Assessor who is not registered prior to that expiration date must re-enroll as a new candidate. A two-week grace period is provided beyond the expiration date in order to complete requalification training after the Assessor is successfully registered. However candidates are not qualified by PCI SSC during this time and will not be requalified until the requalification exam is successfully completed. The grace period only applies if the candidate has been enrolled for requalification by their expiration date and cannot be used for registration after the QSA expiration date. For further details regarding Requalification please review section 6.1.1 of the Qualified Security Assessors Program Guide.

Continuing Professional Education (CPE) Hours

Before registering for requalification training, AQSA candidates are required to submit proof of information systems assessment training within the past 12 months to support professional certifications of a minimum 20 Continuing Professional Education (CPE) hours per year and 120 CPE hours over a rolling three year period. Training provided by PCI SSC will count towards the annual CPE hours. See the CPE Maintenance Guide for additional information on eligible activities.

Submitting CPEs

Each AQSA candidate should enter their CPEs in the PCI Portal. Once completed, the QSA primary contact will be notified and must log into the portal to provide their approval. Once the CPE submission is approved, the candidate will then be automatically enrolled in requalification training, and a training invoice will be issued to the primary contact.

Candidate CPEs must be approved and their training registration must be complete prior to their certificate’s expiry date. Candidates must complete the training and exam no later than the end of their grace period (14 days after their expiration date). If a candidate does not complete requalification, their training fee and AQSA status are forfeit.

Note: Payment of the training invoice must be received before the candidate can access the requalification exam.

Note: AQSA professionals are not considered active during their grace period, until/unless they successfully complete requalification exam.

It was very useful to see the QSA role from the perspective of the assessor rather than from the customer's viewpoint.

The way that the instructor was able to cover a vast amount of material in a relatively short time and make us remember it - without the training it would have taken weeks and weeks to get the same level of understanding.