Training & Qualifications for PCI DSS

PCI Compliance has become a big business in its own right, and a training ecosystem has sprung up around it.

Commercial Training

PCI Security Standards Council

The PCI Security Standards Council (SSC) offers multiple training options. However, most of these are aimed at employees of companies currently operating in the PCI compliant space.

In particular, it’s important to understand that for many of these, the pair of the company and the individual employees are certified together. If you, the employee, move to another company, then the certification may not move with you.

If you’re working at a QSA Company, you should already have lots of support in acquiring and maintaining the necessary certifications from your organization. Some general information about the requirements to become a QSA, and their ongoing training requirements is available in our QSA information article.

PCI Professional

At the time of writing, the only “fully portable” qualification offered by the PCI SSC to individuals is the PCI Professional (PCIP) qualification. This is an entry-level certification but it is solely the individual who is certified – you don’t need to be sponsored by an eligible company in order to have this certification. Discounts are given for PCIP certification if you work for a member organization, but this is the only difference between a member of the PCI community, and applying as a member of the public.

The PCIP program is intended for people who want to demonstrate that

Further details on the PCI PCIP program are available at the PCI SSC site:

PCI Internal Security Assessor

The other cert offered by the PCI SSC to employees of non-QSA firms is the Internal Security Assessor (ISA) qualification. This is aimed squarely at employees of higher level merchants and service providers. If you are a level 3 or 4 merchant, you can elect to do a Self Assessment Questionnaire (SAQ) as your annual PCI review; if you are a level 1 merchant, you are required to have an on-site assessment that results in a ROC and AOC.

But for level 2 merchants, while you have the option to complete an SAQ, there is a complication. Some card brands require that if you elect to do the SAQ rather than on-site assessment route, the internal auditor completing the SAQ must hold the PCI ISA qualification. If you work for such an organization, this may be worth investigating. Particularly so if you already have an internal audit department, with members of staff familiar enough with the PCI landscape to pass the PCI ISA exam.

Further details on the PCI ISA program are available at the PCI SSC site:

Free Training


Cybrary provide an online training community focussed on IT certifications. In addition to delivering their training materials, the site has discussion forums for students. Currently, they offer two courses which cover PCI DSS:

Of these, the 6 hour course is free for everyone. It consists of training videos which you watch, and there are ungraded quizzes at the end of each video so you can track what you understood.

The MicroCourse includes both training videos which provide an overview of the material, and graded assessments to guage your understanding of the material. It’s not free, but if you’re not already a Cybrary member you may be eligible to do the MicroCourse through a free trial. If you are a member, then check if it’s available in your subscription.

James Madison University

Looking for an example of merchant PCI security awareness training? The good folks at James Madison University (JMU) have made their annual PCI DSS awareness presentation available to the public. If you’re looking to learn the very basics of PCI DSS, or need inspiration for your own awareness program, this is a good place to start.

The JMU material is very much focused on training staff at a merchant who are responsible for securely handling card transactions. That’s no bad thing, as it may be the most common use case for personnel dealing with payment cards. Because of this, they have individual pages outlining the security features of American Express, Discover, MasterCard, and Visa cards. That is 4 of the 5 original founding members of the PCI SSC, and it’s fair to assume JMU don’t have many dealings with JCB, so that’s an understandable omission.

Also note that this is slightly dated as it’s aimed at PCI DSS version 3.0 rather than the current 3.2.1. However, at the level of understanding that this material targets, there are essentially no differences between these two.