Document Comparison
P2PE_Qualification_Requirements_v2.0.pdf → P2PE_Qualification_Requirements_v3_0.pdf
83% similar
Pages: 34 → 37
Words: 11472 → 12799
Content changes: 62
Content Changes
62 content changes. 50 administrative changes (dates, page numbers) hidden.
Added
p. 5
P2PE Report on Validation (P-ROV) A "P2PE Report on Validation" completed by a P2PE Assessor Company and (except with respect to Merchant Managed P2PE Solutions) submitted directly to PCI SSC for review and Acceptance (defined in the P2PE Program Guide).
Added
p. 7
Secure Software Assessment Assessment of payment software to validate that software’s compliance with the Secure Software Standard for SSF purposes.
Secure Software Assessor An individual who is employed by an SSF Assessor Company and satisfies and continues to satisfy all SSF Requirements applicable to individuals who are qualified by PCI SSC to conduct Secure Software Assessments.
Secure Software Standard The then-current version of (or successor document to) the Payment Card Industry (PCI) Secure Software Requirements and Assessment Procedures as from time to time amended and made available on the Website.
Software Security Framework (SSF) The PCI Software Security Framework, as managed and operated by PCI SSC.
SSF Assessor Company Refer to definition in SSF Qualification Requirements.
SSF Qualification Requirements The then-current version of the Payment Card Industry (PCI) Software Security Framework Qualification Requirements for Assessors (or successor document), as from time to time amended and made available on the Website.
Added
p. 9
• PA-QSA (P2PE) Company: In order to be and remain qualified as a PA-QSA (P2PE) Company, and accordingly, in order to validate compliance of P2PE Applications with the P2PE Standard and otherwise participate as a PA-QSA (P2PE) Company in the P2PE Assessor Program, the assessor company must:
• Payment Card Industry Data Security Standard Security (PCI DSS) Requirements and Security Assessment Procedures
• PA-QSA Qualification Requirements
Added
p. 15
• a QSA (P2PE) Company
• a PA-QSA (P2PE) Company and (i) a SSF Assessor Company, or (ii) *for purposes of satisfying this requirement until October 28, 2022 only, a PA-QSA Company (as defined in the PA-QSA Qualification Requirements).
Note: Only PA-QSA (P2PE) Companies may conduct P2PE Application Assessments.
(i) all SSF Qualification Requirements, or (ii) *for purposes of satisfying this requirement until October 28, 2022 only, all PA-QSA Requirements (including the laboratory requirements attested to and set forth in Appendix B of the PA-QSA Qualification Requirements); and
• Comply with all of the terms and provisions of the following, and with all other applicable policies and requirements of the applicable PCI SSC program or initiative, as mandated or imposed by PCI SSC from time to time, including but not limited to all requirements in connection with PCI SSC's quality assurance initiatives, remediation, and revocation:
(i) the SSF Qualification Requirements and the SSF Assessor Company …
Added
p. 16
*Note: The PA-DSS Program will terminate as of October 28, 2022. As a result, satisfaction of requirements identified in Section 3.1.2 with an asterisk can be used to satisfy the requirements of this Section only until October 28, 2022. After October 28, 2022, satisfaction of the requirements identified above with an asterisk will no longer be sufficient for qualification as a PA-QSA (P2PE) Company.
• Performing the applicable P2PE Assessments
• Strictly following the P2PE Standard
• Producing all final P-ROVs
3.2.1 P2PE Assessor Employee Requirements
Each P2PE Assessor Employee performing or managing P2PE Assessments must:
• Have completed at least two PCI DSS Assessments as a QSA Employee
• Possess experience with and substantial knowledge in each of the following:
• Cryptographic techniques including cryptographic algorithms, key management, and key
• Knowledge of industry standards for cryptographic techniques and key management, including but not limited to ISO 11568 and 13491, ANSI X9.24 and X9.97, and NIST …
Added
p. 17
• Physical security techniques for high-security areas
• Relevant PTS Security Requirements (e.g., SRED, SCR, OP)
• POI integration software development, deployment and updates
• PCI PTS authentication requirements for accessing account data or sensitive services
Possess experience with and substantial knowledge of at least three of the following:
• Modern, secure, embedded systems hardware and software architectures
• PCI PTS quality and security management requirements related to POI software development
• POI software authenticity and integrity verification techniques and self-tests
• Attack methodologies through exploitation of logical vulnerabilities
• Application penetration testing methodologies, to include use of forensic tools/methods, ability to exploit vulnerabilities, and ability to execute arbitrary code to test processes
• Each PA-QSA(P2PE) Employee must be qualified by PCI SSC as, and in Good Standing (or in compliance with remediation) as:
Added
p. 18
• Have completed at least the following:
• Possess experience with and substantial knowledge in each of the following:
• Modern, secure, embedded systems hardware and software architectures
• PCI PTS quality and security management requirements related to POI software development
• POI software authenticity and integrity verification techniques and self-tests
• Application penetration testing methodologies, to include use of forensic tools/methods, ability to exploit vulnerabilities, and ability to execute arbitrary code to test processes
• a QSA (P2PE) Employee. and (i) a Secure Software Assessor, or (ii) *for purposes of satisfying this requirement until October 28, 2022 only, a PA-QSA Employee (as defined in the PA-QSA Qualification Requirements).
(i) two Secure Software Assessments as a Secure Software Assessor, or (ii) either (a) two PA-DSS Assessments as a PA-QSA Employee, or (b) one PA-DSS Assessment as a PA-QSA Employee and one Secure Software Assessment performed as a Secure Software Assessor.
• Each PA-QSA (P2PE) Employee (or applicant) must:
(i) …
Added
p. 27
(a) “TDE” means “Token Data Environment”, as further described in the TSP Requirements.
(b) “TSP” means “Token Service Provider”, as further described in the TSP Requirements. A TSP is deemed to be a QSA Company client for purposes of the Agreement and a client and customer of QSA for purposes of the QSA Qualification Requirements and P2PE Qualification Requirements.
(c) "TSP Assessment” means an assessment of a TDE of a TSP in order to validate compliance with the TSP Requirements as part of the P2PE Assessor Program. A TSP Assessment is deemed to be a PCI SSC Assessment for purposes of the QSA Qualification Requirements and the Agreement, and a P2PE Assessment for purposes of Sections 3.1, 3.2 (introduction), 3.2.1, 4.1 and 4.3 of the P2PE Qualification Requirements.
(d) “TSP Requirements” means the then-current version of (or successor document to) the Payment Card Industry (PCI) Token Service Providers Additional Security Requirements and Assessment …
Added
p. 28
3. QSA and PCI SSC each acknowledge and agree that, as of the Schedule Effective Date, PCI SSC does not intend to perform quality assurance reviews of TSP Assessments, “Accept” or require the submission of corresponding TSP Reports to PCI SSC, or “list” or otherwise designate TDEs that have been validated against the TSP Requirements on the Website. Accordingly, as of the Schedule Effective Date, the corresponding provisions of the Addendum, Agreement, QSA Qualification Requirements, P2PE Qualification Requirements, and P2PE Program Guide, as such provisions would otherwise relate to such TSP Assessment reviews, “Acceptance”, required submissions, “listings” or designations, generally are not intended to apply in connection with TSP Assessments. Notwithstanding the foregoing, however, PCI SSC hereby expressly reserves all rights with respect to the foregoing, including without limitation, the right to (a) perform such quality assurance reviews and, upon notice to QSA, require QSA to cooperate with and make …
Added
p. 32
• Oversight of quality assurance for all P2PE Assessments, including reviews of performed audit procedures, supporting documentation, and information documented in the P-ROV related to the appropriate selection of system components, sampling procedures, proper use of payment definitions, consistent findings, and documentation of results
• Overview of the P-ROV review processes, including roles and responsibilities
• Responsibilities for review of all P-ROVs for quality assurance purposes
• Responsibilities for approval of all P-ROVs prior to submission to PCI SSC
• Responsibilities for submitting P-ROVs to PCI SSC
• A requirement that all P2PE Assessor Employees must adhere to the P2PE Standard and all applicable P2PE Assessor Requirements
• Evidence-retention policy and procedures including physical, electronic, and procedural safeguards consistent with industry-accepted standards for the retention of sensitive and confidential information obtained during the course of P2PE Assessments (consistent with Sections 4.4 and 4.5 of QSA Qualification Requirements)
Where a P2PE Assessment is undertaken for the purposes …
Added
p. 37
• Can assess all P2PE Domains, excluding P2PE Domain 2.
Removed
p. 4
Term Meaning P-ROV A "P2PE Report on Validation" completed by a P2PE Assessor Company and (except with respect to Merchant Managed P2PE Solutions) submitted directly to PCI SSC for review and Acceptance (defined in the P2PE Program Guide).
Modified
p. 4
P2PE Application Refer to definition in P2PE Glossary.
Term Meaning P2PE Application Refer to definition in P2PE Glossary.
Modified
p. 4
P2PE Application Assessment Assessment of a P2PE Application against the P2PE Domain 2 Testing Procedures in isolation of any point-to-point solution in order to validate compliance with such Testing Procedures in connection with the P2PE Assessor Program.
P2PE Application Assessment Assessment of a P2PE Application against applicable P2PE Requirements in order to validate compliance with the P2PE Standard as part of the P2PE Program.
Removed
p. 5
P2PE Component A P2PE service (such as encryption management, decryption management, or key injection) that is eligible for validation and Acceptance on a standalone basis as part of the P2PE Program and may be incorporated into and/or referenced as part of a P2PE Solution.
P2PE Domain 2 Testing Procedures All testing procedures for P2PE Domain 2 specified in the column labeled "Testing Procedures" in the P2PE Standard.
P2PE Domain 2 Requirements All items specified in the column labeled "Domain 2 Requirements" in the P2PE Standard.
Modified
p. 6
(a) Is qualified by PCI SSC to provide services to P2PE Solution Providers, P2PE Component Providers, and/or P2PE Application Vendors in order to validate that such providers' or vendors' P2PE Solutions, P2PE Components, and/or P2PE Applications adhere to all aspects of the P2PE Standard, including but not limited to validation that payment applications, when incorporated into or used as part of a P2PE Solution, adhere to all P2PE Domain 2 requirements; and (b) Remains in Good Standing (defined in Section …
(a) Is qualified by PCI SSC to provide services to P2PE Solution Providers, P2PE Component Providers, and/or P2PE Application Vendors in order to validate that such providers' or vendors' P2PE Solutions, P2PE Components, and/or P2PE Applications adhere to all aspects of the P2PE Standard, including but not limited to validation that payment applications, when incorporated into or used as part of a P2PE Solution, adhere to all applicable P2PE requirements; and (b) Remains in Good Standing (defined in Section 1.2 …
Modified
p. 7
(a) Is qualified by PCI SSC to provide services to P2PE Solution Providers and/or P2PE Component Providers in order to validate that such providers' P2PE Solutions and/or P2PE Components adhere to all applicable aspects of the P2PE Standard, and (b) Remains in Good Standing (defined in Section 1.3 of the P2PE Qualification Requirements) or in remediation as a QSA (P2PE) Company.
(a) Is qualified by PCI SSC to provide services to P2PE Solution Providers and/or P2PE Component Providers in order to validate that such providers' P2PE Solutions and/or P2PE Components adhere to all applicable aspects of the P2PE Standard, and (b) Remains in Good Standing (defined in Section 1.2 of the P2PE Qualification Requirements) or in remediation as a QSA (P2PE) Company.
Modified
p. 8
• and for PA-QSA (P2PE) Companies, the PA-QSA (P2PE) Requirements and PA-QSA Requirements (as defined in the PA-QSA Qualification Requirements)
• and for PA-QSA (P2PE) Companies, the PA-QSA (P2PE) Requirements and PA-QSA Requirements (as defined in the PA-QSA Qualification Requirements) or SSF Requirements applicable to Secure Software Assessors
Modified
p. 8
• QSA (P2PE) Company: In order to be and remain qualified as a QSA (P2PE) Company, and accordingly, in order to validate compliance of P2PE Solutions and P2PE Components with the P2PE Standard and otherwise participate as a QSA (P2PE) Company in the P2PE Assessor Program, the assessor company must:
Modified
p. 9
(a) Be in QSA Company, PA-QSA Company and QSA (P2PE) Company Good Standing, (b) Comply with all requirements applicable to PA-QSA Companies in connection with the PA-QSA Program (including but not limited to payment of all applicable fees and satisfaction of all applicable staffing, training, and examination requirements), and (c) Not have had its PA-QSA (P2PE) Company qualification revoked, suspended or terminated.
(a) Be in Good Standing as (i) a QSA Company, (ii) a QSA (P2PE) Company, and (iii) a SSF Assessor Company (or, solely for purposes of satisfying this clause (iii) through October 28, 2022, as a PA-QSA Company), (b) Comply with all requirements applicable to PA-QSA Companies or SSF Assessor Companies, as applicable, (including but not limited to payment of all applicable fees and satisfaction of all applicable staffing, training, and examination requirements), and (c) Not have had its PA-QSA …
Modified
p. 9
Note: A PA-QSA (P2PE) Company that is in remediation as a QSA Company, PA-QSA Company, QSA (P2PE) Company or PA-QSA (P2PE) Company but otherwise satisfies all of the requirements specified in (a) through (c) above is permitted to perform P2PE Solution Assessments, P2PE Component Assessments, and P2PE Application Assessments and market itself as a PA-QSA (P2PE) Company, subject to the terms of the applicable remediation program.
Note: A PA-QSA (P2PE) Company that is in remediation as a QSA Company, PA-QSA Company, SSF Assessor Company, QSA (P2PE) Company or PA-QSA (P2PE) Company but otherwise satisfies all of the requirements specified in (a) through (c) above is permitted to perform P2PE Solution Assessments, P2PE Component Assessments, and P2PE Application Assessments and market itself as a PA-QSA (P2PE) Company, subject to the terms of the applicable remediation program.
Modified
p. 9
Note: In addition to the requirements set forth in the P2PE Qualification Requirements, ALL P2PE Assessor Companies must satisfy all requirements of the QSA Qualification Requirements, and for PA-QSA (P2PE) Companies, all requirements of the PA-QSA Qualification Requirements.
Note: In addition to the requirements set forth in the P2PE Qualification Requirements, ALL P2PE Assessor Companies must satisfy all requirements of the QSA Qualification Requirements, and for PA-QSA (P2PE) Companies, all requirements of the PA-QSA or SSF Qualification Requirements.
Modified
p. 10
• SSF Qualification Requirements
1.6 P2PE Assessor Company Application Process
In addition to outlining the requirements that a P2PE Assessor Company and its P2PE Assessor Employees must meet to be recognized by PCI SSC to perform P2PE Assessments, this document describes the information that must be provided to PCI SSC as part of the P2PE Assessor Company and P2PE Assessor Employee application and qualification process. Each outlined requirement is followed by the information that must be submitted to document that …
Modified
p. 12
• Regional qualification fees (vary by country or region)
• Annual regional re-qualification fees for subsequent years (also vary by country or region)
• Annual P2PE Assessor Employee training fee for each P2PE Assessor Employee (or candidate).
Modified
p. 13
In order to participate in the P2PE Assessor Program, PCI SSC requires that all related agreements between PCI SSC and the applicant P2PE Assessor Company (including the P2PE Assessor Addendum) be signed by a duly authorized officer of the applicant P2PE Assessor Company, and submitted in unmodified form to PCI SSC via the Portal (see Section 1.6.2) with the completed P2PE Assessor Company application package.
In order to participate in the P2PE Assessor Program, PCI SSC requires that all related agreements between PCI SSC and the applicant P2PE Assessor Company (including the P2PE Assessor Addendum) be signed by a duly authorized officer of the applicant P2PE Assessor Company, and submitted in unmodified form to PCI SSC via the Portal (see Section 1.5.2) with the completed P2PE Assessor Company application package.
Modified
p. 14
• Each P2PE Assessor Company (or applicant) must fulfill all QSA Qualification Requirements, all QSA (P2PE) Company Requirements, and comply with all terms and provisions of the QSA Agreement, the P2PE Assessor Addendum, any other agreements executed with PCI SSC, and all other applicable policies and requirements of the P2PE Assessor Program, as mandated or imposed by PCI SSC from time to time, including but not limited to all requirements in connection with PCI SSC's quality assurance initiatives, remediation, and …
Modified
p. 14
• Each P2PE Assessor Company (or applicant) must have completed at least two PCI DSS Assessments as a QSA Company. Only PCI DSS Assessments performed by the applicant P2PE Assessor Company are eligible to meet this requirement.
Modified
p. 14
• Each P2PE Assessor Company must have at least one year of experience with direct responsibility for implementing, operating, and/or assessing cryptographic systems and/or key management functions. For example, implementing and managing key management functions, or performing lab evaluations of cryptographic systems against NIST, ANSI, or ISO standards.
Modified
p. 14
• Each P2PE Assessor Company (or applicant) must have demonstrated competence in cryptographic techniques, to include cryptographic algorithms, key management, and key lifecycle as determined in the sole discretion of PCI SSC. Competencies must include knowledge in all of the following areas:
Removed
p. 15
• Fulfill all PA-QSA Requirements (including the laboratory requirements attested to and set forth in Appendix B of the PA-QSA Qualification Requirements)
• Comply with all terms and provisions of the PA-QSA Addendum and all other applicable policies and requirements of the PA-DSS Program, as mandated or imposed by PCI SSC from time to time, including but not limited to all requirements in connection with PCI SSC's quality assurance initiatives, remediation, and revocation
• Possess demonstrated competence and knowledge in surrogate PAN-generation techniques, such as format-preserving encryption and tokenization
• Have completed at least two PA-DSS Assessments as a PA-QSA Company. Only PA-DSS Assessments performed by the applicant P2PE Assessor Company are eligible to meet this requirement
All of the above skill sets must be present and fully utilized on every P2PE Application Assessment.
Modified
p. 15
• Each P2PE Assessor Company performing or managing any P2PE Application Assessment must be qualified by PCI SSC as, and in Good Standing (or in compliance with remediation) as:
Modified
p. 15
• Each PA-QSA (P2PE) Company (or applicant) must:
Removed
p. 16
• Cryptographic techniques including cryptographic algorithms, key management, and key
• Knowledge of industry standards for cryptographic techniques and key management, including but not limited to ISO 11568 and 13491, ANSI X9.24 and X9.97, and NIST 140-2 Level 3
• Public key infrastructure (PKI) and the role and operations of a Certification Authority (CA) and Registration Authority (RA)
• Hardware security modules (HSMs) operations, policies, and procedures
• POI key-injection systems and techniques including key-loading devices (KLDs) and key-management methods, such as Master/Session or DUKPT
• Physical security techniques for high-security areas
• Relevant PTS Security Requirements (e.g., SRED, SCR, OP)
• POI integration software development, deployment and updates
• PCI PTS authentication requirements for accessing account data or sensitive services
Possess experience with and substantial knowledge of at least three of the following:
Modified
p. 16
• Be a QSA Employee and comply with all applicable QSA Requirements, including fulfillment of all requirements for QSA Employees specified in the QSA Qualification Requirements
Modified
p. 16 → 17
• of his or …
• Attend annual P2PE Assessor Employee training provided by PCI SSC, and legitimately pass
• of his or her own accord without any unauthorized assistance
• all examinations conducted as part of training. If a P2PE Assessor Employee fails to pass any exam in connection with such training, the P2PE Assessor Employee must no longer perform or participate in P2PE Assessments until successfully passing all required exams on a future attempt.
Removed
p. 17
• Be a PA-QSA Employee and comply with all applicable PA-QSA Requirements, including fulfillment of all requirements for PA-QSA Employees specified in the PA-QSA Qualification Requirements
• Have performed at least two PA-DSS Assessments as a PA-QSA Employee
• Possess experience with and substantial knowledge in each of the following:
• Modern, secure, embedded systems hardware and software architectures
• PCI PTS quality and security management requirements related to POI software development
• POI software authenticity and integrity verification techniques and self-tests
• Surrogate PAN-generation techniques, such as format-preserving encryption and tokenization
• Attack methodology through exploitation of logical vulnerabilities
• Application penetration testing methodologies, to include use of forensic tools/methods, ability to exploit vulnerabilities, and ability to execute arbitrary code to test processes
Modified
p. 17
• For new PA-QSA (P2PE) Employee candidates, there is an additional required training course and corresponding exam.
Modified
p. 17
• Be employees of the P2PE Assessor Company (meaning this work cannot be subcontracted to non-employees) unless PCI SSC has given prior written consent for each subcontracted worker In addition:
Modified
p. 17
• Approved subcontractors are not permitted to include a company logo other than that of the responsible P2PE Assessor Company or any reference to another company in the P-ROV or attestation documents while performing work on behalf of the P2PE Assessor Company.
Modified
p. 17
• If a P2PE Assessor Company is actively in process with a P2PE Assessment and loses its QSA (P2PE) Company or PA-QSA (P2PE) Company qualification or foundational QSA Company, PA-QSA Company or SSF Assessor Company qualification, it may be required to obtain the services of another QSA (P2PE) Company, PA-QSA (P2PE) Company or SSF Assessor Company (as applicable) to complete the P2PE Assessments and applicable PCI SSC review processes.
Modified
p. 18 → 19
• Secondary contact person responsible for oversight of quality assurance of P2PE Assessments
Modified
p. 18 → 19
• Each P2PE Assessment must follow the procedures documented in the P2PE Program Guide.
Modified
p. 18 → 19
• The P2PE Assessor Company must provide a QSA Feedback Form (available on the Website) to each P2PE Assessment client at the beginning of each P2PE Assessment.
Modified
p. 19 → 20
• PCI SSC has issued a corresponding P2PE Attestation of Validation for such P2PE Assessment signed by PCI SSC, to the P2PE Assessor Company, the corresponding P2PE Solution Provider, P2PE Component Provider, or P2PE Application Vendor (as applicable); and
Modified
p. 23 → 24
(iii) "P2PE Services" means P2PE Assessments and any and all other services provided by QSA to its customers or PCI SSC in connection with this Addendum, the P2PE Qualification Requirements, or participation in the P2PE Assessor Program.
(iii) "P2PE Services" means P2PE Assessments and any and all other services provided by QSA to its customers or PCI SSC in connection with this Addendum, the P2PE Qualification Requirements, or participation in the P2PE Assessor Program, other than TSP Services (as defined in and subject to the provisions of Schedule 1 hereto).
Modified
p. 24 → 25
(b) QSA agrees to monitor the Website at least weekly for changes to the P2PE Qualification Requirements and the P2PE Standard. QSA will incorporate all such changes into all P2PE Assessments initiated on or after the effective date of such changes. QSA acknowledges that any P-ROV regarding a P2PE Assessment that is not conducted in accordance with the P2PE Qualification Requirements and P2PE Standard as in effect at the initiation date of such P2PE Assessment may be rejected.
(b) QSA agrees to monitor the Website at least weekly for changes to the Program Requirements and PCI SSC Standards that are relevant to each PCI SSC Assessment and PCI SSC Program in which QSA participates. QSA will incorporate all such changes into all such PCI SSC Assessments initiated on or after the effective date of such changes. QSA acknowledges that any P-ROV or other report regarding any PCI SSC Assessment that is not conducted in accordance with the relevant …
Removed
p. 25
Section A.6 of the Agreement, all PCI SSC and third-party property and Confidential Information obtained in connection with this Addendum and the performance of P2PE Services; (viii) QSA shall, within fifteen (15) days of PCI SSC's written request, in a manner acceptable to PCI SSC, notify those of its P2PE Customers with which QSA is then engaged to perform P2PE Assessments or other P2PE Services of such expiration or termination; and (ix) notwithstanding anything to the contrary in this Addendum, the Agreement or elsewhere, PCI SSC may notify any of its Members and any acquirers, QSA P2PE Customers, or others of such expiration or termination and the reason(s) therefore. The provisions of this Section A.4.2 shall survive the expiration or termination of this Addendum for any or no reason.
Modified
p. 25 → 26
A.5 General Terms While this Addendum is in effect, the terms and conditions set forth herein shall be deemed incorporated into and a part of the Agreement. This Addendum may be signed in two or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument. Except as expressly modified by this Addendum or hereafter by the parties in writing, the Agreement, as modified and in effect immediately prior …
A.5 General Terms While this Addendum is in effect, the terms and conditions set forth herein and in Schedule 1 hereto (which Schedule 1 is hereby incorporated into and made a part of this Addendum) shall be deemed incorporated into and a part of the Agreement. This Addendum may be signed in two or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument. Except as expressly modified …
Modified
p. 26 → 29
Describe the company's knowledge and expertise of cryptographic techniques and the Company's role ((e.g., implementation, developer, management, etc.). For example, the types of cryptography, such as hashing, symmetric, asymmetric; the algorithms, such as Diffie-Hellman, elliptic curve, DES, Blowfish, MD5; key management implementations or assessments including descriptions of how keys are stored, access privileges, expected incident response when/if keys were compromised; and lifecycle management (rotation, destruction, revocation).
3.1.1.B Knowledge of cryptographic techniques including cryptographic algorithms, key management, and key lifecycle: Describe the company's knowledge and expertise of cryptographic techniques and the Company's role ((e.g., implementation, developer, management, etc.). For example, the types of cryptography, such as hashing, symmetric, asymmetric; the algorithms, such as Diffie-Hellman, elliptic curve, DES, Blowfish, MD5; key management implementations or assessments including descriptions of how keys are stored, access privileges, expected incident response when/if keys were compromised; and lifecycle management (rotation, destruction, revocation).
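Review bot: The example algorithm list in 3.1.1.B (Diffie-Hellman, elliptic curve, DES, Blowfish, MD5) is carried over unchanged from v2.0 while the heading text is added; since this section is meant to elicit a company's current cryptographic expertise, consider whether the examples should be refreshed so that the algorithms named reflect what an assessor would expect to encounter in a P2PE Solution today rather than legacy ones. Also note the doubled parenthesis in "the Company's role ((e.g., implementation" survives into v3.0 and should be corrected in the source document.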
Modified
p. 27 → 30
Total time: Years Months Knowledge of Public Key Infrastructure (PKI) and the role and operations of a Certification Authority (CA) and Registration Authority (RA):
Total time: Years Months Knowledge of Public Key Infrastructure (PKI) and the role and operations of a Certification Authority (CA) and Registration Authority (RA): Describe the Company's expertise with digital certificates. For example, obtaining, generating, and deploying digital certificates, methods to protect or store digital certificates, certificate revocation, etc.
Modified
p. 27 → 30
Total time: Years Months Knowledge of relevant PTS Security Requirements (e.g., SRED, SCR, OP):
Total time: Years Months Knowledge of relevant PTS Security Requirements (e.g., SRED, SCR, OP): Describe the Company's expertise with SRED, SCR, and/or OP including the type(s) of devices configured to or tested against the Standard.
Modified
p. 28 → 31
Total time: Years Months Knowledge of PCI PTS quality and security management requirements related to POI software development:
Total time: Years Months Knowledge of PCI PTS quality and security management requirements related to POI software development: Describe the Company's knowledge or expertise with POI software development quality assurance measures. For example, managing security during POI software development.
Modified
p. 28 → 31
Total time: Years Months Knowledge of attack methodologies through exploitation of logical vulnerabilities:
Total time: Years Months Knowledge of attack methodologies through exploitation of logical vulnerabilities: Describe the Company's expertise with various attack methods and vulnerability exploitation.
Modified
p. 29 → 32
P2PE Assessor Addendum signed: Yes No 3.1.2 Additional Deliverables for PA-QSA (P2PE) Companies 3.1.2.A Description of clients and dates for two previous PCI PA-DSS Assessments performed by the Company in its capacity as a PA-QSA Company. Note: PA-DSS Assessments performed by a current PA-QSA Employee for another PA-QSA Company will not be considered toward this requirement.
P2PE Assessor Addendum signed: Yes No 3.1.2 Additional Deliverables for PA-QSA (P2PE) Companies 3.1.2.A Description of clients and dates for two previous PCI PA-DSS Assessments or Secure Software Assessments (or one of each) performed by the Company in its capacity as a PA-QSA Company or SSF Assessor Company. Note: Assessments performed by a current Assessor Employee for another Assessor Company will not be considered toward this requirement.
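Review bot: The v3.0 note replaces the specific terms "PA-QSA Employee" and "PA-QSA Company" with the broader "Assessor Employee" and "Assessor Company"; confirm both are defined terms in the glossary (the added definitions visible in this comparison cover "SSF Assessor Company" and "Secure Software Assessor" but not a generic "Assessor Employee"), otherwise the exclusion in 3.1.2.A becomes ambiguous about which employees and companies it reaches.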
Modified
p. 29 → 32
Surrogate PAN generation techniques, such as format-preserving encryption and tokenization:
Surrogate PAN generation techniques, such as format-preserving encryption and tokenization: Describe any knowledge or expertise the Company has with surrogate PANs generation techniques, including the Company's role and specifics about the techniques implemented or reviewed.
Modified
p. 32 → 35
Total time: Years Months Knowledge of Hardware Security Modules (HSMs) operations, policies, and procedures:
Total time: Years Months Knowledge of Hardware Security Modules (HSMs) operations, policies, and procedures: Describe the Candidate's experience with HSMs. For example, HSM configuration, deployment, use, and developing related policies and procedures.
Modified
p. 32 → 35
POI integration software development, deployment, and updates: Describe the Candidate's software development experience. For example, language(s) used, software deployment, POI integration, platforms, databases, and operating systems with which the Candidate has experience, etc.
Modified
p. 33 → 36
Knowledge of modern, secure embedded systems hardware and software architectures:
Knowledge of modern, secure embedded systems hardware and software architectures: Describe the Candidate's knowledge and experience with secure embedded systems architectures. For example, operating systems configured, functionality of software written or installed, hardware implemented, etc.
Modified
p. 33 → 36
Total time: Years Months Knowledge of POI software authenticity and integrity verification techniques and self-tests:
Total time: Years Months Knowledge of POI software authenticity and integrity verification techniques and self-tests: Describe the Candidate's knowledge and experience with tools and techniques to validate the authenticity of POI software. For example, how POI software integrity is verified and how self-testing of a device is observed.
Modified
p. 33 → 36
Total time: Years Months Knowledge of application penetration testing methodologies, to include use of forensic tools/methods, ability to exploit vulnerabilities, and ability to execute arbitrary code to test processes:
Total time: Years Months Knowledge of application penetration testing methodologies, to include use of forensic tools/methods, ability to exploit vulnerabilities, and ability to execute arbitrary code to test processes: Describe the Candidate's knowledge and experience with application-layer penetration testing. For example, tools and methods employed to exploit vulnerabilities and use of arbitrary code during testing.
Modified
p. 34 → 37
• Can assess all P2PE Domains.
Modified
p. 34 → 37
Domain QSA (P2PE) PA-QSA (P2PE) Domain 1 Yes Yes Domain 2 No Yes Domain 3 Yes Yes Domain 4 Yes Yes Domain 5 Yes Yes Domain 6 Yes Yes
Domain QSA (P2PE) PA-QSA (P2PE) Domain 1 Yes Yes Domain 2 No Yes Domain 3 Yes Yes Domain 4 Yes Yes Domain 5 Yes Yes
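Review bot: The v3.0 domain table drops the "Domain 6 Yes Yes" row, leaving five domains, while the preceding bullet on the same page ("Can assess all P2PE Domains", p. 34 → 37) is only marked as modified without the new wording shown here; confirm that the bullet and any other references to six domains elsewhere in the document were updated consistently with the five-domain table.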