Are you referring to becoming a QSA? If so, here is my answer garnered from a recent <a href=”http://blog.elementps.com/element_payment_solutions/2009/12/pci-compliance-interview.html”>interview with CoalFire President Rick Dakin</a>:
What does it take to become a certified QSA?
A QSA must work for a QSA company. The requirements for QSA companies include registration (with fees), $2 million of professional liability insurance, and compliance to the rules published by the PCI Security Standards Council (PCI SSC). All QSA companies are subject to review by the council.
Once a QSA company is established, an individual QSA must first obtain a security industry certification like a CISSP or CISA certification, 3 or more years of industry experience and hands-on PCI experience supporting another certified QSA. All QSA participants must then pass a background check and complete formal PCI training and certification testing.
At Coalfire, we estimate that each individual QSA costs us $7,500 per year to maintain industry certification, registration fees and insurance in addition to 50+ hours per year in training or off-site testing. In short, it is a significant commitment by both the QSA and the QSA company to provide certified services in the industry.
Merchants and software developers are often confused by the various levels of advice available to them. Some companies do not complete the rigorous QSA training, testing, certification or peer reviews that guide our processes and methods to determine compliance to PCI standards. Accordingly, the advice provided by a certified QSA may differ from advice provided by an industry observer who is not subject to the QSA process.