thePCI Portal

Becoming an Internal Security Assessor

My experiences and observations around becoming an Internal Security Assessor. 

Hi, my name is Marlen, and I’ve been working with a QSA handling PCI Compliance on behalf of my employer, a level 2 merchant retailer of Wine, Beer, Spirits, and as of late, Cannabis (a legal product in our jurisdiction).  We are now taking the step to internalize our PCI Compliance assessment via the ISA (Internal Security Assessor) program.  Effectively, an internal resource (me) becomes our “QSA” and completes our ROC, steers the organization through compliance.  Note: our organization is eligible for the ISA program because we are a level 2 merchant, and because we have been PCI compliant for a few laps around the sun.

The application process:

The application process to become an ISA involved providing a current business license, evidence of our street address, merchant ID information and past ROC/AOC documents.  Makes good sense, as an organization that is not in good standing from a PCI perspective is probably not a good candidate to internalize their own PCI Compliance efforts…  Its very likely they still need guidance, assistance or advice to achieve compliance.  With these documents posted, our request to become an ISA was accepted.

Pay the piper:

A day or so later, an invoice for the ISA fee and training showed up.  Pay the invoice, and I received a series of emails enrolling me in PCI Fundamentals training (mandatory), followed by PCI ISA training.  I completed the PCI Fundamentals training, wrote the fundamentals exam, and then was provided access to the ISA training.  The fundamentals training was a day, and the exam was delivered via a multiple choice exam that I completed while at work.

PCI Fundamentals training:

The fundamentals training was all material that I had been exposed to previously.  In my first year of PCI Compliance, I joined <QSAC> and <Acquirer> for a fundamentals training course.  This course was a re-hash of that, with a few small touches relating to DSS 3.2.  The training was delivered as a series of slides with some accompanying dialogue.

PCI Fundamentals Exam:

The fundamentals exam was very straight forward, and took about 30 minutes.  The questions were sensible, clear, and if you were conscious for the training material, should not have been much of a challenge.  Easy pass on the first attempt.  I did not notice what the pass rate was, nor did I receive a specific score, only a passing grade.

PCI ISA training:

The ISA training material was similar to the fundamentals, but went a fair bit deeper.  The recommendation was to allocate 2 days to the training, which I did.  Gauging where I was in the training towards the end of day 1 was a bit vague.  On day 2, it turned out that I was further ahead than I thought, and completed the training by noon.  I really hustled on day 1.  The most valuable part of ISA training, I thought, was the scenarios.  As is the case in life, sometimes no amount of scenarios and training can prepare you for what you will have to deal with.  The scenarios were an interesting way to put the material and your thought processes to the test.  The scenarios proved to be quite tricky, no doubt reflective of real-world stuff.


I spent around 2 weeks mulling over when to do the exam.  I opened the study material a couple times to re-affirm some of the information in my head.  Scheduled the exam at a local exam station, and went to write it.  The exam is 75 questions, many of which were very straight forward, a few tricky ones, again very representative of the study material, and the deeper material provided in the ISA training.  I was allocated 90 minutes, but only needed about 60 minutes.  Again, no indicator what the pass mark was, nor what my score was, just a passing grade.  Yay, I’m an ISA now!

PCIP – Opt in:

A day after the exam, a few more emails showed up – the ISA certificate, etc.  Some more material is in the mail, I’m told.  I was also offered an opt-in option for the PCIP designation as well.  I requested that, and was provided with another invoice (pay the piper, you know…).  Seems a bit of a cash grab, but its another revenue stream, I suppose.

I recognize that if I leave my employer, I’m no longer an ISA as that certification sticks with me while I’m still with the same organization.  That certification becomes null and void and not transferrable to another individual if I get hit by the lottery bus.

Anyways, with that completed, I can begin scheduling our internal PCI Compliance assessment for this year.  Back to the grind stone…

Ad below this line:

Leave a Reply