We've already seen how a Payment Application Qualified Security Assessor (PA-QSA) performs a valuable function by checking software applications for any PA-DSS oversights before the product reaches the market. It's an important job, and anyone who carries out this kind of inspection should have a high degree of relevant expertise. For this reason, the PCI Security Standards Council (PCI SSC) requires those who wish to become a qualified PA-QSA to take a PCI SSC-approved class that instructs them on all essential aspects of assessing payment applications. PA-QSA coursework comprises the following six categories:
- Overview of the payment card industry -- Students explore the world of payment processing, including current terminology, basic procedures, and the major players involved.
- PCI and card brand requirements -- Students learn how "PCI compliance" relates to various entities, such as vendors, merchants, and software providers. Students also learn the individual standards of the payment card brands (Visa, MasterCard, Discover, and American Express).
- A detailed look at the PCI Data Security Standard -- Students are led through all aspects of the PCI DSS -- the rationale for its various regulations and how to comply with each individual requirement of the Standard.
- PCI code reviews -- Students are taught how to carry out code reviews in payment applications, enabling them to spot PCI DSS violations.
- PCI hardware review -- Students become familiar with the kinds of hardware and systems currently used in the industry, and the ways these devices perform essential verification and payment functions.
- PCI reports -- Students learn how to fill out and submit compliance reports in the aftermath of a completed assessment, as well as how to inform organizations of the results of a PA-QSA investigation.