Secure Software Assessor
The Secure Software Assessor course provides instruction on how to perform assessments of payment software in accordance with the Secure Software Requirements and Assessment Procedures (PCI Secure Software Standard). This training will provide you with an understanding of the requirements with corresponding assessment procedures and guidance for the development of secure payment software.
Upon completion of the course, you’ll be able to conduct Secure Software Assessments, assess and validate Payment Software for compliance with the PCI Secure Software Standard and prepare appropriate compliance reports (such as Secure Software Reports on Validation (ROV)).
Course Highlights
The PCI Secure Software Standard provides a set of security requirements as well as assessment procedures for performing PCI Secure Software Assessments.
The Secure Software Assessor training covers the PCI Secure Software Requirements and Assessment Procedures (PCI Secure Software Standard). Candidates will learn how to:
- Perform Secure Software Assessments.
- Verifying the work product addresses all Secure Software Assessment procedure steps and supports the validation status of the payment software.
- Strictly following the Secure Software Standard and PCI Secure Software Assessor Program Guide.
- Effectively use the PCI Secure Software ROV Reporting Template to produce Secure Software Reports on Validation (Secure Software ROVs).
- Learn how to complete the Secure Software ROV and Secure Software AOV (Attestation of Validation) documentation required for submission of completed assessments.
Benefits:
- Support your client’s ongoing security and compliance efforts through your knowledge of the Secure Software Standard.
- Gain recognition of your professional achievement with this industry credential.
- Expand your knowledge in securing payments with in-depth software security training
- Listing in a searchable directory on the PCI website.
- Earn Continuing Professional Education (CPE) credits.
Right for You?
If you possess substantial information security knowledge and experience to conduct technically complex security assessments along with the requisite years of experience in the following software development and security disciplines, consider the Secure Software Assessor qualification.
- Requirements Definition and Management
- Software/Systems Design
- Data Modelling and Design
- Programming/Software Development
- Software/Systems Testing
- Software security risk assessment
- Software security controls selection
- Secure software architecture
- Threat & vulnerability detection and management
- Software penetration testing
- Incident detection and response
Please contact your organization’s Secure Software Primary Contact to enroll in the Secure Software Assessor program.
Digital Badging
When you become a Secure Software Assessor, display your digital badge and represent your skills and gives you a way to share your abilities online in a way that is simple, trusted and can be easily verified in real time.
Schedule
-
20 Feb 2025
09:00-17:30 ET (14:00-22:30 UTC)
Virtual Instructor-Led (vILT)
-
15 May 2025
09:00-17:30 ET (13:00-21:30 UTC)
Virtual Instructor-Led (vILT)
-
21 Aug 2025
06:00-14:30 ET (10:00-18:30 UTC)
Virtual Instructor-Led (vILT)
-
11 Dec 2025
09:00-17:30 ET (14:00-22:30 UTC)
Virtual Instructor-Led (vILT)
Virtual Instructor-Led (vILT) classes are a combination of eLearning and a live webinar.
Prices
Course | Fee | As of 1 Jan 2025 |
New Secure Software Standard Training (In person or eLearning) |
$2,750 USD | $3,000 USD |
Requalification Secure Software Standard Training |
$1,650 USD | $1,800 USD |
Knowledge Training Non-PO * |
$1,500 USD | |
Knowledge Training PO * |
$1,200 USD | |
Training class change fee |
$185 USD |
Please note: Unless otherwise specified, all fees are in US Dollars.
* Knowledge training does not lead to assessor status.
This course is also offered as knowledge training for individuals who would like to increase their knowledge and do not necessarily need to achieve or are not eligible for qualification as an assessor
Training Formats/Exam Information
New Training Offerings:
This training includes a 5-hour online prerequisite Fundamentals course followed by a 25-question multiple-choice exam with a 60-minute time limit. Two attempts to pass Fundamentals will be allowed.
- Virtual Instructor-led training (vILT): Combination online training and instructor-led webinar with an exam offered via Pearson Vue within 30 days of webinar.
- Please see Schedule tab for dates of vILT trainings
New Exam Specifics:
- All exams are closed book.
- Exam is 60 multiple choice questions with a 90-minute time limit.
- Results of Pearson Vue exams are delivered upon completion of the exam.
- 75% or higher to pass the exam; the only information that can be released concerning exams is your grade.
- If you fail the exam, you must take the training and exam again and pay a new invoice.
How to Prepare for the Exam
Prior to taking the Secure SA training and exam, candidates must complete the prerequisite course and exam on PCI Fundamentals and should familiarize themselves with information regarding the Secure SA Standard, the Secure SA program and supporting documents. These materials may be found in the Document Library.
The PCI Fundamentals online course must be completed prior to the start of your training class.
Registration Process
Step 1 – Review
Refer to the Software Security Framework Qualification Requirements for Assessors for complete program description and requirements and to confirm that you are suited for the program.
Then complete the Software Security Assessor Company registration form online (see step 2).
Step 2 – Apply
-
Complete the online application form through PCI SSC’s secure portal. Application requirements include:
- Submit Software Security Assessor Company registration form.
- Complete company application (Primary Contact will gain access to the online application only after the Software Security Assessor Company registration form has been approved by PCI SSC).
- Enroll professionals in Secure Software Assessor training (Primary Contact will have the ability to enroll professionals in Secure Software Assessor training through the portal only after the Software Security Assessor Company application has been approved).
- Submit payment (training invoice will be emailed to Primary Contact within 2-3 business days of Secure Software Assessor training request approval). For more information about the training fees, please see the Software Security Framework Pricing page.
Step 3 - Train
Upon receipt of payment the primary contact will receive the location details for the instructor-led class or CBT details if applicable.
Step 4 - Enrollment
Once the application has been approved by the PCI Security Standards Council, and its designated Secure Software Assessor employees have completed the Secure Software Assessor training and passed the exam, the Secure Software Assessor Company will receive confirmation of acceptance into the program, and the Secure Software Assessor employees will each receive a Certificate of Qualification. The Secure Software Assessor employees will be added to the Council’s database of certified Secure Software Assessor personnel, and the company may now perform its own security assessments until the time comes to complete the annual Requalification training to maintain the certification.
Only those who have taken and passed the exam become Qualified Secure Software Assessors.
Requalification Requirements
In order to maintain the high standards set for this certification, all Secure Software assessors must pass a requalification exam every 12 months, sign and accept the terms of the PCI SSC Code of Responsibility in order to continue as an active Secure Software Assessor for their company.
Requalification specifics:
- Approved assessors are allowed to register for requalification training as early as 90 days prior to their expiration date. Once registered, they will receive immediate access to the eLearning training.
- Registration must be submitted no later than the candidate’s expiration date.
- Exam access is given no earlier than four (4) weeks prior to expiration date AND invoice is paid.
- An Assessor who is not registered for requalification training before midnight Eastern Time on their qualification expiration date, or who does not achieve a passing score on the exam by the end of their qualification period, will be required to re-enroll as a new candidate.
Requalification exam:
- Non-proctored remote exam
- 25 multiple choice questions with a 60-minute time limit.
- 75% or higher to pass the exam; the only information that can be released concerning exams is the grade.
- If you fail the exam, please have the primary contact email registration@pcisecuritystandards.org for the next steps.