Document Comparison

QSA_Qualification_Requirements_v4.0.pdf QSA_Qualification_Requirements_v4.2.pdf
87% similar
65 → 63 Pages
26159 → 26385 Words
184 Content Changes

Content Changes

184 content changes. 80 administrative changes (dates, page numbers) hidden.

Added p. 2
• Added QSA Employee application (Appendix D).

• Clarified “in process” certifications.
Added p. 3
• Updated document names and terminology for PCI DSS v4.0.

• Removed future date for requirement for QA staff to have PCI credential.

• Added best practice for QSA Company to have a documented sampling methodology.

• Clarified wording throughout section 4 (Quality Assurance).

• Corrected minor errata.

• Removed requirement for PCI DSS v4.x Items Noted for Improvement (INFI) - Instructions and Worksheet.

• Updated application submission process in Section 1.6.
Added p. 7
PCI DSS Report on Compliance Template (“ROC Template”) Provides detail on how to document the findings of a PCI DSS Assessment and includes the mandatory template for use in completing a Report on Compliance.

QSA Company An independent security organization qualified by PCI SSC to validate an entity’s adherence to PCI DSS requirements.
Added p. 9
• Payment Card Industry (PCI) Data Security Standard Requirements and Testing Procedures (“PCI DSS”)
Added p. 12
• Application or network security controls

• Intrusion detection/prevention systems

• Database or other storage solutions

• Encryption solutions

• Security audit log solutions

• File integrity monitoring solutions

• Anti-malware solutions

• Vulnerability scanning services or solutions
Added p. 16
List A

• Information Security
  • (ISC)2 Certified Information System Security Professional (CISSP)
  • ISACA Certified Information Security Manager (CISM)
  • Certified ISO 27001 Lead Implementer 1

1 ISO27001 certifications will be accepted as meeting the requirement only when certifications are issued by an accredited certification body (for example, ANSI-ASQ National Accreditation Board (ANAB) and United Kingdom Accreditation Service (UKAS)). Certified ISO 27001 courses should be accredited to the ISO/IEC 17024 standard. It is the responsibility of the QSA Company/candidate to ensure that the certifying body is accredited, and to provide evidence of accreditation to PCI SSC.

Note: QSA Employees are only authorized to perform PCI DSS Assessments using versions of PCI DSS for which they have successfully completed training.

List B

• Audit
  • ISACA Certified Information Systems Auditor (CISA)
  • GIAC Systems and Network Auditor (GSNA)
  • Certified ISO 27001, Lead Auditor, Internal Auditor 1
  • IRCA ISMS …
Added p. 21
• Onboarding requirements for Assessor-Employee skill sets and experience, which are documented in Résumés, Curriculum Vitae, and/or other documents collected during the hiring process.

• An ongoing process of training and evaluation of Assessor-Employees, which includes monitoring and documenting Assessor-Employee knowledge, skill, and experience to ensure their skill sets stay current and relevant for PCI DSS Assessments.
Added p. 22
• As best practice, it is recommended that QSA Companies have a documented sampling methodology.

• Formal assignment of an employee responsible for ensuring the continued accuracy of the Workpaper Retention Policy and that each Assessor-Employee (a) complies with the Workpaper Retention Policy and (b) signs an appropriate confidentiality agreement with the QSA Company (as contemplated by Section 4.4 above).
Added p. 30
• Failure to submit the QSA Annual QA Questionnaire to PCI SSC in the Portal.

Note: When reading Sections 5 or 6 of this document in connection with any PCI SSC Program (other than the QSA Program) for which qualification as a QSA Company or QSA Employee is required, unless otherwise expressly provided in the applicable documentation for such other program, references to terms specific to the QSA Program (e.g., QSA Company, QSA Employee, QSA Requirement, and PCI DSS Assessment) should be read to include the corresponding terms of such other PCI SSC Program. For example, for purposes of the 3DS Core Program, the term “QSA Employee” as it appears in this Section 6 should be read to include the term 3DS Assessor-Employee as well.
Added p. 37
(b) All right, title, and interest in and to the Intellectual Property Rights in all materials generated by or on behalf of PCI SSC with respect to QSA are and at all times shall remain the property of PCI SSC. Subject to the provisions of Section A.6, QSA may use and disclose such materials solely for the purposes expressly permitted by this Agreement. QSA shall not revise, abridge, modify, or alter any such materials.
Added p. 52
Section 2 − QSA Company Business Requirements The Company acknowledges the minimum business requirements and related information that must be provided to PCI SSC regarding the Company’s business legitimacy, independence, and required insurance coverage pursuant to Section 2 of the QSA Qualification Requirements and agrees to comply with such requirements.

Section 2 − QSA Company Business Requirements (continued) Independence

• 2.2.2 Provisions (continued) The Company hereby:
Added p. 58
PCI SSC assessment guidance.
Added p. 63
Primary Contact: Title:
Modified p. 1
Payment Card Industry (PCI) Qualification Requirements For Qualified Security Assessors (QSA) Version 4.0
Payment Card Industry (PCI) Qualified Security Assessors (QSA) Qualification Requirements Version 4.2
Modified p. 2
• Increased Violation period to three (3) years
• Increased Violation period to three (3) years.
Modified p. 2
• Clarified QSA Company and Employee qualification requirements
• Clarified QSA Company and Employee qualification requirements.
Modified p. 2
• Enhanced Business Legitimacy requirements
• Enhanced Business Legitimacy requirements.
Modified p. 2
• Enhanced separation of duties, independence, and conflict of interest requirements
• Enhanced separation of duties, independence, and conflict of interest requirements.
Modified p. 2
• Clarified regional requirements
• Clarified regional requirements.
Modified p. 2
• Clarified subcontracting vs. partnership with active QSA Company
• Clarified subcontracting vs. partnership with active QSA Company.
Modified p. 2
• Enhanced QSA Employee skills and experience requirements
• Enhanced QSA Employee skills and experience requirements.
Modified p. 2
• Added PCI SSC Code of Professional Responsibility
• Added PCI SSC Code of Professional Responsibility.
Modified p. 2
• Enhanced background check requirements
• Enhanced background check requirements.
Modified p. 2
• Enhanced QSA Company internal quality assurance requirements
• Enhanced QSA Company internal quality assurance requirements.
Modified p. 2
• Enhanced Evidence (Assessment workpaper) retention requirements
• Enhanced Evidence (Assessment workpaper) retention requirements.
Modified p. 2
• Added Security Incident Response
• Added Security Incident Response.
Modified p. 2
• Enhanced annual requalification requirements
• Enhanced annual requalification requirements.
Modified p. 2
• Enhanced Assessor Quality Management process: QSA Audit, Quality Remediation and Revocation process
• Enhanced Assessor Quality Management process: QSA Audit, Quality Remediation and Revocation process.
Modified p. 2
• Updated the QSA Agreement (Appendix A)
• Updated the QSA Agreement (Appendix A).
Modified p. 2
• Updated insurance requirements (Appendix B)
• Updated insurance requirements (Appendix B).
Modified p. 2
• Added QSA Company application (Appendix C)
• Added QSA Company application (Appendix C).
Modified p. 2
• Updated requirement for QSA Employees to include two Industry Certifications
• Updated requirement for QSA Employees to include two Industry Certifications.
Modified p. 2 → 3
March 2021 4.0

• Added requirement for annual QA questionnaire
• Added requirement for annual QA questionnaire.
Modified p. 2 → 3
• Added requirement for QA staff at QSA Company has PCI credential
• Added requirement for QA staff at QSA Company has PCI credential.
Modified p. 2 → 3
• Added requirement for periodic checks on QA process
• Added requirement for periodic checks on QA process.
Modified p. 2 → 3
• Added requirement for QSA Company to have conflict of interest policy
• Added requirement for QSA Company to have conflict-of-interest policy.
Modified p. 2 → 3
• Added requirement for QSAs to have appropriate skills for assessments
• Added requirement for QSAs to have appropriate skills for assessments.
Modified p. 2 → 3
• Added requirement that QSAs must be training on the version of standard they are using
• Added requirement that QSAs must be trained on the version of standard they are using.
Modified p. 2 → 3
• Removed requirement that QSAs must submit CPEs to PCI SSC
• Removed requirement that QSAs must submit CPEs to PCI SSC.
Modified p. 2 → 3
• Removed requirement that customer information not be stored on Internet accessible systems
• Removed requirement that customer information not be stored on Internet- accessible systems.
Modified p. 2 → 3
• Performed minor clarifications in language throughout
• Performed minor clarifications in language throughout.
Modified p. 5 → 6
When implemented properly, PCI DSS requirements provide a well-aimed defense for merchants and service providers against data exposure and compromise. As a result, assessment of merchants and service providers for compliance with PCI DSS requirements has become increasingly critical in today’s environment and is key to the success of the PCI DSS.
When implemented properly, PCI DSS requirements provide a well-aimed defense for merchants and service providers against data exposure and compromise. As a result, assessment of merchants and service providers for compliance with PCI DSS requirements has become increasingly critical in today’s environment and is key to the success of PCI DSS.
Modified p. 5 → 6
Independent security organizations qualified by PCI SSC to validate an entity’s adherence to PCI DSS requirements are referred to as “Qualified Security Assessor Companies” or “QSA Companies.” Validation of PCI DSS requirements by QSA Companies is important to the effectiveness of the PCI DSS; and the quality, reliability, and consistency of a QSA Company’s work provides confidence that cardholder data is adequately protected. The proficiency with which a QSA Company conducts a PCI DSS Assessment can therefore have a tremendous …
Independent security organizations qualified by PCI SSC to validate an entity’s adherence to PCI DSS requirements are referred to as “Qualified Security Assessor Companies” or “QSA Companies.” Validation of PCI DSS requirements by QSA Companies is important to the effectiveness of PCI DSS; and the quality, reliability, and consistency of a QSA Company’s work provides confidence that cardholder data is adequately protected. The proficiency with which a QSA Company conducts a PCI DSS Assessment can therefore have a tremendous impact …
Modified p. 5 → 6
PCI DSS The then-current version of the Payment Card Industry (PCI) Data Security Standard and Security Assessment Procedures as from time to time amended and made available on the Website.
PCI DSS The then-current version of the Payment Card Industry (PCI) Data Security Standard Requirements and Testing Procedures as from time to time amended and made available on the Website.
Modified p. 5 → 6
PCI DSS Assessment The review of an entity by a QSA Company to determine the entity’s compliance with the PCI DSS for QSA Program purposes.
PCI DSS Assessment The review of an entity by a QSA Company to determine the entity’s compliance with PCI DSS for QSA Program purposes.
Removed p. 6
Template for Report on Compliance (“ROC Reporting Template”) The mandatory template for completing a Report on Compliance for submission to the Participating Payment Brands and/or acquirers.
Modified p. 6 → 7
PCI SSC Assessment With respect to a given QSA Company, any assessment performed for purposes of validating the compliance of any third party (or any third-party product, application, service or solution) with any PCI SSC standard for purposes of any PCI SSC Program.
PCI SSC Assessment With respect to a given QSA Company, any assessment performed for purposes of validating the compliance of any third party (or any third-party product, application, service, or solution) with any PCI SSC standard for purposes of any PCI SSC Program.
Modified p. 6 → 7
QSA Annual QA Questionnaire With respect to the QSA Annual QA Questionnaire Process, the then-current version of the form available on the Portal that must be completed by QSA Companies on an annual basis and provided to PCI SSC for quality monitoring purposes
QSA Employee An individual who is employed by a QSA Company and satisfies and continues to satisfy all QSA Requirements applicable to QSA Employees.
QSA Annual QA Questionnaire With respect to the QSA Annual QA Questionnaire Process, the then-current version of the form available on the Portal that must be completed by QSA Companies on an annual basis and provided to PCI SSC for quality monitoring purposes.
Modified p. 7 → 8
The requirements provided in this document serve as a qualification baseline and provide a transparent process for QSA Company and Assessor-Employee qualification and re-qualification. QSA Companies and Assessor Employees must adhere to all applicable requirements provided in this document and must provide all required provisions described in this document.
The requirements provided in this document serve as a qualification baseline and provide a transparent process for QSA Company and Assessor-Employee qualification and requalification. QSA Companies and Assessor-Employees must adhere to all applicable requirements provided in this document and must provide all required provisions described in this document.
Modified p. 7 → 9
Section 5: QSA Ongoing Qualification outlines the annual re-qualification process.
Section 5: QSA Ongoing Qualification outlines the annual requalification process.
Removed p. 8
PCI SSC 401 Edgewater Place, Suite 600 Wakefield, MA 01880, USA Phone number: 1-781-876-8855
Modified p. 8 → 9
• ROC Reporting Template
PCI DSS ROC Template
Modified p. 8 → 10
To facilitate preparation of the application package, refer to Appendix C: “QSA Company Application,” Appendix D, “QSA Employee Application,” and Appendix E, “Associate QSA Employee Application.” All application materials and the signed QSA Agreement must be submitted in English. The QSA Agreement is binding in English even if the QSA Agreement was translated and reviewed in another language. All other documentation provided by the QSA Company (or candidate) in a language other than English must be accompanied by a certified …
To facilitate preparation of the application, refer to Appendix C: “QSA Company Application,” Appendix D, “QSA Employee Application,” and Appendix E, “Associate QSA Employee Application.” All application materials and the signed QSA Agreement must be submitted in English. The QSA Agreement is binding in English even if the QSA Agreement was translated and reviewed in another language. All other documentation provided by the QSA Company (or candidate) in a language other than English must be accompanied by a certified English …
Modified p. 8 → 10
Note: QSA Companies are authorized to perform PCI DSS Assessments and QSA-related duties only in the geographic region(s) or country(s) in which they have been qualified to perform services. Under no circumstances may QSA Companies perform PCI DSS Assessments (or act as a QSA Company in any capacity) outside of the qualified region(s) or countries. If QSA Program-related tasks must be performed outside of the qualified region or country it may be necessary to engage a QSA Company within that region …
Note: QSA Companies are authorized to perform PCI DSS Assessments only in the geographic region(s) or country(s) in which they have been qualified to perform services. Under no circumstances may QSA Companies perform PCI DSS Assessments outside of the qualified region(s) or countries. If QSA Program-related tasks must be performed outside of the qualified region or country it may be necessary to engage a QSA Company within that region or country to perform the related tasks.
Modified p. 8 → 10
Applications must indicate all geographic region(s) or countries for which the QSA Company candidate is applying. See the Website - PCI SSC Programs Fee Schedule. All application packages must include a signed QSA Agreement and all required documentation. Applicants must send their completed application packages by mail to the following address (e-mail submissions will not be accepted):
Applications must indicate all geographic region(s) or countries for which the QSA Company candidate is applying. See the Website - PCI SSC Programs Fee Schedule. Applicants must reach out to the QSA Program Manager via email (qsa@pcisecuritystandards.org) in order to receive instructions to submit their completed application packages to PCI SSC via the Assessor Portal.
Modified p. 10 → 11
• Business License Requirements for more information)
• Business License Requirements for more information).
Modified p. 10 → 11
• To the extent permitted by applicable law, written statements describing all past or present allegations or convictions of any fraudulent or criminal activity involving the QSA Company, QSA Company candidate or any principal thereof, and any Assessor-Employee thereof, and the status and resolution
• To the extent permitted by applicable law, written statements describing all past or present allegations or convictions of any fraudulent or criminal activity involving the QSA Company, QSA Company candidate or any principal thereof, and any Assessor-Employee thereof, and the status and resolution.
Modified p. 10 → 11
• Written statements describing any past or present appeals or revocations of any qualification issued by PCI SSC to the QSA Company (or any predecessor entity or, unless prohibited by applicable law, any Assessor-Employee of any of the foregoing), and the current status and any resolution thereof
2.2 Independence
2.2.1 Requirement The QSA Company must adhere to professional and business ethics, perform its duties with objectivity, and limit sources of influence that might compromise its independent judgment in performing PCI …
• Written statements describing any past or present appeals or revocations of any qualification issued by PCI SSC to the QSA Company (or any predecessor entity or, unless prohibited by applicable law, any Assessor-Employee of any of the foregoing), and the current status and any resolution thereof.
Modified p. 10 → 11
The QSA Company must have a conflict of interest policy and provide the policy to PCI SSC upon request. The QSA Company’s conflict of interest policy must:
The QSA Company must have a conflict-of-interest policy and provide the policy to PCI SSC upon request. The QSA Company’s conflict-of-interest policy must:
Modified p. 10 → 11
• Identify key areas in which conflict, or the appearance of conflict, may arise for Assessor- Employees
• Identify key areas in which conflict, or the appearance of conflict, may arise for Assessor- Employees.
Modified p. 10 → 11
• Require the disclosure of potential conflicts in writing (via the QSA Company’s conflict of interest disclosure process to the QSA Company by the Assessor-Employee at hire and annually
• Require the disclosure of potential conflicts in writing (via the QSA Company’s conflict-of- interest disclosure process to the QSA Company by the Assessor-Employee at hire and annually.
Removed p. 11
• Application or network firewalls

• Intrusion detection/prevention systems

• Database or other storage solutions

• Encryption solutions

• Security audit log solutions

• File integrity monitoring solutions

• Anti-virus solutions

• Vulnerability scanning services or solutions
Modified p. 11 → 12
• Include a blank copy of the QSA Company’s conflict of interest disclosure form(s) that each Assessor-Employee is required to complete and sign to disclose potential conflicts or confirm the absence of potential conflicts.
• Include a blank copy of the QSA Company’s conflict-of-interest disclosure form(s) that each Assessor-Employee is required to complete and sign to disclose potential conflicts or confirm the absence of potential conflicts.
Modified p. 11 → 12
• The QSA Company will not use its status as a “listed QSA” to market services unnecessary to bring QSA Company clients into compliance with the PCI DSS or any other PCI SSC Standard.
• The QSA Company will not use its status as a “listed QSA” to market services unnecessary to bring QSA Company clients into compliance with PCI DSS or any other PCI SSC Standard.
Modified p. 11 → 12
• The QSA Company must not misrepresent any requirement of the PCI DSS or any other PCI SSC Standard in connection with its promotion or sales of services to its clients, or state or imply that the PCI DSS or any other PCI SSC Standard requires usage of the QSA Company's products or services.
• The QSA Company must not misrepresent any requirement of PCI DSS or any other PCI SSC Standard in connection with its promotion or sales of services to its clients, or state or imply that PCI DSS or any other PCI SSC Standard requires usage of the QSA Company's products or services.
Modified p. 12
• The QSA Company must notify its Assessor-Employees of the independence requirements provided for in this document, as well as QSA Company’s independence policy and conflict of interest policy, at least annually.
• The QSA Company must notify its Assessor-Employees of the independence requirements provided for in this document, as well as QSA Company’s independence policy and conflict-of- interest policy, at least annually.
Modified p. 13 → 14
QSA Company fees Include:
QSA Company fees include:
Modified p. 13 → 14
• Annual regional re-qualification fees for subsequent years (also vary by country or region)
• Annual regional requalification fees for subsequent years (also vary by country or region)
Removed p. 14
• The total number of employees on staff and the number of those performing security assessments
Modified p. 14 → 15
• Description of the applicant QSA Company’s experience and knowledge with information security audit engagements, preferably related to payment systems, equal to at least one year or three separate audits
• Description of the applicant QSA Company’s experience and knowledge with information security audit engagements, preferably related to payment systems, equal to at least one year or three separate audits.
Modified p. 14 → 15
• Description of the applicant QSA Company’s relevant areas of specialization within information security (for example, network security, database and application security, and incident response), demonstrating at least one area of specialization
• Description of the applicant QSA Company’s relevant areas of specialization within information security (for example, network security, database and application security, and incident response), demonstrating at least one area of specialization.
Modified p. 14 → 15
• Evidence of a dedicated security practice, such as:
• Evidence of a dedicated security practice, such as the total number of employees on staff and the number of those performing security assessments.
Modified p. 14 → 15
• Brief description of other core business offerings
• Brief description of other core business offerings.
Modified p. 14 → 15
• Description of size and types of market segments in which the applicant QSA Company tends to focus, such as Fortune 500, financial industry, insurance industry, or small-to- medium sized businesses
• Description of size and types of market segments in which the applicant QSA Company tends to focus, such as Fortune 500, financial industry, insurance industry, or small-to-medium sized businesses.
Removed p. 15
• Application security

• IT security auditing
Modified p. 15 → 16
• List of languages supported by the applicant QSA Company
• List of languages supported by the applicant QSA Company.
Modified p. 15 → 16
• Two client references from security engagements performed by the applicant QSA Company within the last 12 months
3.2 QSA Employee - Skills and Experience
3.2.1 Requirement Each QSA Employee performing or managing PCI SSC Assessments must satisfy the following requirements:
• Two client references from security engagements performed by the applicant QSA Company within the last 12 months.
Modified p. 15 → 16
Information systems security
• Application security
• Information systems security
• Network security
Modified p. 15 → 16
Information security risk assessment or risk management
• IT security auditing
• Information security risk assessment or risk management
Removed p. 16
• (ISC)2 Certified Information System Security Professional (CISSP)

• Certified ISO 27001 Lead Implementer 1

• (METI) Registered Information Security Specialist (RISS)*

• ISACA Certified Information Systems Auditor (CISA)

• GIAC Systems and Network Auditor (GSNA)

• Certified ISO 27001, Lead Auditor, Internal Auditor 1

• IRCA ISMS Auditor or higher (e.g., Auditor/Lead Auditor, Principal Auditor)

• IIA Certified Internal Auditor (CIA)

To find out if your country has an accreditation body, visit the International Accreditation Forum (IAF) website at www.iaf.nu and use the IAF MLA signatories list to identify an accreditation body in your country or region.

Note: QSA Employees are only authorized to perform PCI DSS Assessments using versions of the PCI DSS for which they have successfully completed training.
Modified p. 16 → 17
• ISACA Certified Information Security Manager (CISM)
• IIA Certified Internal Auditor (CIA)
Modified p. 16 → 17
• Possess knowledge about the PCI DSS and all applicable documents on the PCI SSC Website.
• Possess knowledge about PCI DSS and all applicable documents on the PCI SSC Website.
Modified p. 17 → 18
• Be an employee of the QSA Company (meaning this work cannot be subcontracted to non- employees)
• Be an employee of the QSA Company (meaning this work cannot be subcontracted to non- employees).
Modified p. 18 → 19
The QSA Company applying to join the Associate QSA program must provide a copy of its Mentor Manual for review by PCI SSC (refer to the Website for the most recent version of PCI SSC’s AQSA Mentor Manual template). Details on the contents of the Mentor Manual as well as templates can be found in the QSA Program Guide.
The QSA Company applying to join the Associate QSA program must provide a copy of its Mentor Manual for review by PCI SSC (refer to the Website for the most recent version of PCI SSC’s AQSA Mentor Manual template). Details on the contents of the Mentor Manual as well as templates can be found in the QSA Program Guide.
Modified p. 19
PCI SSC has adopted a Code of Professional Responsibility (the “Code”) to help ensure that QSA Companies and Assessor-Employees adhere to high standards of ethical and professional conduct. All QSA Companies and Assessor-Employees must advocate, adhere to, and support the Code (available on the Website).
PCI SSC has adopted the PCI SSC Code of Professional Responsibility (the “Code”) to help ensure that QSA Companies and Assessor-Employees adhere to high standards of ethical and professional conduct. All QSA Companies and Assessor-Employees must advocate, adhere to, and support the Code (available on the Website).
Modified p. 20
• E-mail address
4.2 Background Checks
4.2.1 Requirement Each QSA Company must perform background checks that satisfy the provisions described below (to the extent legally permitted within the applicable jurisdiction) with respect to each applicant Assessor-Employee.
• E-mail address
4.2 Background Checks
4.2.1 Requirements Each QSA Company must perform background checks that satisfy the provisions described below (to the extent legally permitted within the applicable jurisdiction) with respect to each applicant Assessor- Employee.
Modified p. 20
Minor offenses (for example, misdemeanors or non-US equivalents) are allowed; but major offenses (for example, felonies or non-US equivalents) automatically disqualify a candidate from qualifying as an Assessor-Employee. Upon request, each QSA Company must provide to PCI SSC the background check history for each Assessor-Employee (or candidate Assessor- Employee), to the extent legally permitted within the applicable jurisdiction.
Minor offenses (for example, misdemeanors or non-US equivalents) are allowed; but major offenses (for example, felonies or non-US equivalents) automatically disqualify a candidate from qualifying as an Assessor-Employee. Upon request, each QSA Company must provide to PCI SSC the background check history for each Assessor-Employee (or candidate Assessor-Employee), to the extent legally permitted within the applicable jurisdiction.
Removed p. 21
• Verification of aliases (when applicable)

• Annual background checks consistent with this section for each of its Assessor- Employees for any change in criminal records, arrests or convictions
4.3 Internal Quality Assurance
4.3.1 Requirement

• A resource planning policy and process for PCI DSS Assessments which includes: onboarding requirements for Assessor-Employees, résumés and current skill sets for Assessor-Employees, and a process for ongoing training, monitoring, and evaluation of Assessor-Employees to ensure their skill sets stay current and relevant for PCI DSS Assessments

• Identification of QA manual process owner

• Approval and sign-off processes for PCI SSC Assessments and respective reports

• Requirements for independent quality review of QSA Company and Assessor- Employee work product

• Requirements for internal periodic checks, at least annually, of the QSA Company’s QA program to monitor the effectiveness, and evolving QA processes, of such QA program

• Requirements for handling and retention of workpapers and other PCI DSS Assessment Results …
Modified p. 21
Comprehensive country and (if applicable) state level review of records of any criminal activity such as felony (or non-US equivalent) convictions or outstanding warrants, within the past five years minimum
• Verification of aliases (when applicable)
• Comprehensive country and (if applicable) state level review of records of any criminal activity such as felony (or non-US equivalent) convictions or outstanding warrants, within the past five years minimum
• Annual background checks consistent with this section for each of its Assessor- Employees for any change in criminal records, arrests, or convictions
4.3 Internal Quality Assurance
4.3.1 Requirements
Modified p. 21
• The QSA Company must maintain and adhere to a documented quality assurance process and manual, which includes all of the following:
• The QSA Company must maintain and adhere to a documented quality assurance process and manual, which includes, at minimum, all of the following:
Modified p. 21
List of PCI SSC Programs in which the QSA Company participates
• Company name
• List of PCI SSC Programs in which the QSA Company participates
• A resource planning policy and process for PCI DSS Assessments which includes:
Modified p. 21
Descriptions of all job functions and responsibilities within the QSA Company relating to its status and obligations as a QSA Company
• Descriptions of all job functions and responsibilities within the QSA Company relating to its status and obligations as a QSA Company
• Identification of QA manual process owner
Removed p. 22
• Distribution and availability of the QA manual

• Evidence of annual review by the QA manual process owner

• Coverage of all activities relevant to the particular PCI SSC Program, and references to the corresponding PCI SSC Qualification Requirements for that program, and to other applicable PCI SSC Program documentation for information concerning other PCI SSC Program-specific requirements
Modified p. 22
Requirement for all Assessor-Employees to regularly monitor the Website for updates, guidance and new publications relating to the QSA Program
Requirement for all Assessor-Employees to regularly monitor the Website for updates, guidance, and new publications relating to the QSA Program
Modified p. 22
As of March 31, 2022, all quality assurance reviews must be completed by personnel qualified by PCI SSC as a QSA Employee, AQSA, or PCI Professional qualified by PCI SSC (“PCIP”).
QA Primary Reviewers (identified in Section 1.1 of the ROC) must be qualified by PCI SSC as a QSA Employee, AQSA, or PCI Professional qualified by PCI SSC (“PCIP”).
Modified p. 23
Protection of systems storing customer data by network and application layer controls including technologies such as firewall(s) and IDS/IPS
Protection of systems storing customer data by network and application layer controls including technologies such as firewall(s) and IDS/IPS.
Modified p. 23
Restricting access (e.g., via locks) to the physical office space
Restricting access (e.g., via locks) to the physical office space.
Modified p. 23
Restricting access (e.g., via locked file cabinets) to paper files
Restricting access (e.g., via locked file cabinets) to paper files.
Modified p. 23
Restricting logical access to electronic files via least-privilege/role-based access control
Restricting logical access to electronic files via least-privilege/role-based access control.
Modified p. 23
Strong encryption of customer data when transmitted over public networks
Strong encryption of customer data when transmitted over public networks.
Modified p. 23
Secure transport and storage of backup media
Secure transport and storage of backup media.
Modified p. 23
Strong encryption of customer data on portable devices such as laptops and removable media
Strong encryption of customer data on portable devices such as laptops and removable media.
Modified p. 23
• A blank copy of the QSA Company’s confidentiality agreement(s) that each Assessor- Employee is required to sign
4.5 Evidence (Assessment Workpaper) Retention
4.5.1 Requirement

• A blank copy of the QSA Company’s confidentiality agreement(s) that each Assessor-Employee is required to sign.
Modified p. 25
• Instructions and procedures for notifying customers of Incidents discovered during or in connection with the performance of any PCI SSC Assessment or other QSA Program- related services, and documenting those Incidents and related information in accordance with Section 4.6.1.
• Instructions and procedures for notifying customers of Incidents discovered during or in connection with the performance of any PCI SSC Assessment or other QSA Program-related services, and documenting those Incidents and related information in accordance with Section 4.6.1.
Modified p. 26
Additionally, each Assessor-Employee must be re-qualified by PCI SSC on an annual basis. The annual re-qualification date is based upon the Assessor-Employee’s previous qualification date. Re-qualification of QSA Employees requires proof of at least two of accredited, industry- recognized professional certifications in accordance with Section 3.2.1 above. Requalification of both QSA Employees and AQSA Employees requires proof of training successfully completed, payment of annual training and re-qualification fees, and continued compliance with applicable QSA Requirements.
Additionally, each Assessor-Employee must be requalified by PCI SSC on an annual basis. The annual requalification date is based upon the Assessor-Employee’s previous qualification date. Requalification of QSA Employees requires proof of at least two of accredited, industry-recognized professional certifications in accordance with Section 3.2.1 above. Requalification of both QSA Employees and AQSA Employees requires proof of training successfully completed, payment of annual training and requalification fees, and continued compliance with applicable QSA Requirements.
Modified p. 26
Negative feedback from QSA Company clients (merchants, service providers, etc.), PCI SSC, Participating Payment Brands, or others may impact QSA Company and/or Assessor-Employee eligibility for re-qualification.
Negative feedback from QSA Company clients (merchants, service providers, etc.), PCI SSC, Participating Payment Brands, or others may impact QSA Company and/or Assessor-Employee eligibility for requalification.
Modified p. 27
• Payment of annual fee for each region or country qualified
• Payment of annual fee for each region or country qualified.
Modified p. 27
Note: PCI SSC may from time to time request that QSA Companies and/or Assessor- Employees submit additional information or materials in order to demonstrate adherence to applicable requirements or as part of the applicable qualification or re-qualification process.
Note: PCI SSC may from time-to-time request QSA Companies and/or Assessor-Employees submit additional information or materials in order to demonstrate adherence to applicable requirements or as part of the applicable qualification or requalification process.
Modified p. 27
• Skills and Experience.
• Skills and Experience.”
Modified p. 27
• Payment of annual re-qualification fees in accordance with the Website
• Payment of annual requalification fees in accordance with the Website
Modified p. 27
• Payment of annual re-qualification fees in accordance with the Website
• Payment of annual requalification fees in accordance with the Website
Modified p. 27
• PCI SSC Programs Fee Schedule
Associate QSA Employees

• PCI SSC Programs Fee Schedule, and PCI SSC Assessor Requalification Policy.
Modified p. 27
• Proof of information-systems audit training within the last 12 months in accordance with the current version of the PCI CPE Maintenance Guide
• Proof of information-systems audit training within the last 12 months in accordance with the current version of the PCI CPE Maintenance Guide.
Modified p. 27
• PCI SSC Programs Fee Schedule
• PCI SSC Programs Fee Schedule, and PCI SSC Assessor Requalification Policy.
Modified p. 29
• Failure to meet applicable PCI SSC Program quality standards or comply with applicable QSA Requirements (including but not limited to requirements associated with participation in the Associate QSA Program)
• Failure to meet applicable PCI SSC Program quality standards or comply with applicable QSA Requirements (including but not limited to requirements associated with participation in the Associate QSA Program).
Modified p. 29
• Failure to pay applicable PCI SSC Program fees
• Failure to pay applicable PCI SSC Program fees.
Modified p. 29
• Failure to meet applicable PCI SSC Program training requirements (annual or otherwise)
• Failure to meet applicable PCI SSC Program training requirements (annual or otherwise).
Modified p. 29
• Failure to meet applicable PCI SSC Program continuing education requirements
• Failure to meet applicable PCI SSC Program continuing education requirements.
Modified p. 29
• Failure to provide quality services, based on customer feedback or evaluation by PCI SSC or its affiliates
• Failure to provide quality services, based on customer feedback or evaluation by PCI SSC or its affiliates.
Modified p. 29 → 30
• Failure to maintain applicable PCI SSC Program insurance requirements
• Failure to maintain applicable PCI SSC Program insurance requirements.
Modified p. 29 → 30
• Failure to comply with or validate compliance in accordance with applicable Program Qualification Requirements (defined in the QSA Agreement), PCI SSC Standards or program guides, or the terms of the QSA Agreement or supplements or addenda thereto
• Failure to comply with or validate compliance in accordance with applicable Program Qualification Requirements (defined in the QSA Agreement), PCI SSC Standards or program guides, or the terms of the QSA Agreement or supplements or addenda thereto.
Modified p. 29 → 30
• Failure to maintain physical, electronic, or procedural safeguards to protect confidential or sensitive information
• Failure to maintain physical, electronic, or procedural safeguards to protect confidential or sensitive information.
Modified p. 29 → 30
• Failure to report unauthorized access to any system storing confidential or sensitive information
• Failure to report unauthorized access to any system storing confidential or sensitive information.
Modified p. 29 → 30
• Engaging in unprofessional or unethical business conduct, including without limitation, plagiarism or other improper use of third-party work product in ROCs or other PCI SSC Assessment reports
• Engaging in unprofessional or unethical business conduct, including without limitation, plagiarism or other improper use of third-party work product in ROCs or other PCI SSC Assessment reports.
Modified p. 30
• Failure to comply with any provision or obligation regarding non-disclosure or use of confidential information or materials
• Failure to comply with any provision or obligation regarding non-disclosure or use of confidential information or materials.
Modified p. 30
• Cheating on any exam in connection with PCI SSC Program training; submitting exam work in connection with PCI SSC Program training that is not the work of the individual candidate taking the exam; theft of or unauthorized access to PCI SSC Program exam content; use of an alternate, stand-in or proxy during any PCI SSC Program exam; use of any prohibited or unauthorized materials, notes or computer programs during any such exam; or providing or communicating in any way …
• Cheating on any exam in connection with PCI SSC Program training; submitting exam work in connection with PCI SSC Program training that is not the work of the individual candidate taking the exam; theft of or unauthorized access to PCI SSC Program exam content; use of an alternate, stand-in or proxy during any PCI SSC Program exam; use of any prohibited or unauthorized materials, notes or computer programs during any such exam; or providing or communicating in any way …
Modified p. 30
• Providing false or intentionally incomplete or misleading information to the Council in any application or other materials
• Providing false or intentionally incomplete or misleading information to the Council in any application or other materials.
Modified p. 30
• Failure to be in Good Standing (as defined in the QSA Agreement) as a QSA Company or to be in Good Standing (as defined in the applicable Program Qualification Requirements) with respect to any other PCI SSC qualification then held by such QSA Company or Assessor- Employee (as applicable), in each case including but not limited to failure to successfully complete applicable quality assurance audits and/or comply with all applicable requirements, policies, and procedures of PCI SSC's quality assurance, …
• Failure to be in Good Standing (as defined in the QSA Agreement) as a QSA Company or to be in Good Standing (as defined in the applicable Program Qualification Requirements) with respect to any other PCI SSC qualification then held by such QSA Company or Assessor-Employee (as applicable), in each case including but not limited to failure to successfully complete applicable quality assurance audits and/or comply with all applicable requirements, policies, and procedures of PCI SSC's quality assurance, remediation, …
Modified p. 30
• Failure to promptly notify PCI SSC of any event described above that occurred within three (3) years of the QSA Company’s or Assessor-Employee’s initial qualification date
Each Violation constitutes a breach of the QSA Agreement and the applicable addendum or supplement for each applicable PCI SSC Program, and a failure to comply with applicable QSA Requirements, and may result in revocation of QSA Company and/or Assessor-Employee qualification, revocation of any other PCI SSC Program qualification, and/or termination of the …

• Failure to promptly notify PCI SSC of any event described above that occurred within three (3) years of the QSA Company’s or Assessor-Employee’s initial qualification date.
Modified p. 30 → 31
• A company and/or individual (as applicable) the Qualification of which has been revoked can reapply after 180 days; provided however, that (i) if revoked in connection with Remediation, an election not to participate in Remediation when offered, or due to failure to satisfy applicable quality assurance standards set by PCI SSC, such company and/or individual shall be ineligible to re-apply to the QSA Program for a period of two (2) years; and (ii) acceptance of qualification applications after revocation …
• A company and/or individual (as applicable) the Qualification of which has been revoked can reapply after 180 days; provided however, that (i) if revoked in connection with Remediation, an election not to participate in Remediation when offered, or due to failure to satisfy applicable quality assurance standards set by PCI SSC, such company and/or individual shall be ineligible to re-apply to the QSA Program for a period of two (2) years; and (ii) acceptance of qualification applications after revocation …
Removed p. 31
Note: When reading Sections 5 or 6 of this document in connection with any PCI SSC Program (other than the QSA Program) for which qualification as a QSA Company or QSA Employee is required (e.g., the PA-DSS Program), unless otherwise expressly provided in the applicable documentation for such other program, references in Sections 5 and 6 to terms specific to the QSA Program (e.g., QSA Company, QSA Employee, QSA Requirement, and PCI DSS Assessment) should be read to include the corresponding terms of such other PCI SSC Program. For example, for purposes of the PA-DSS Program, the term QSA Employee as it appears in this Section 6 should be read to include the term PA-QSA Employee as well.
Modified p. 32
Regions/Countries Applying For (see the Website - PCI SSC Programs Fee Schedule):
Regions/Countries Applying For (see the Website PCI SSC Programs Fee Schedule):
Modified p. 33
QSA acknowledges that data security practices exist within a rapidly changing environment and agrees to monitor the Website at least weekly for changes to the PCI DSS, other applicable PCI SSC Standards, QSA Qualification Requirements and other applicable Program Qualification Requirements (defined in Section A.3.4 below). QSA will incorporate all such changes into all PCI SSC Assessments initiated on or after the effective date of such changes. QSA acknowledges and agrees that any ROC or other required report regarding a …
QSA acknowledges that data security practices exist within a rapidly changing environment and agrees to monitor the Website at least weekly for changes to PCI DSS, other applicable PCI SSC Standards, QSA Qualification Requirements and other applicable Program Qualification Requirements (defined in Section A.3.4 below). QSA will incorporate all such changes into all PCI SSC Assessments initiated on or after the effective date of such changes. QSA acknowledges and agrees that any ROC or other required report regarding a PCI …
Modified p. 34
A.3.3 QSA Service Staffing
QSA shall ensure that a QSA Employee that is fully qualified in accordance with all applicable provisions of the relevant Program Qualification Requirements supervises all aspects of each engagement to perform Services, including without limitation, being present onsite for the duration of each PCI SSC Assessment, reviewing the work product that supports QSA's PCI SSC Assessment procedures, and ensuring adherence to the applicable Program Qualification Requirements and PCI SSC Standards. Employees performing the following tasks must …

A.3.3 QSA Service Staffing
QSA shall ensure that a QSA Employee that is fully qualified in accordance with all applicable provisions of the relevant Program Qualification Requirements supervises all aspects of each engagement to perform Services, including without limitation, being present onsite for the duration of each PCI SSC Assessment or performing PCI SSC Assessment activities remotely according to PCI SSC assessment guidance, reviewing the work product that supports QSA's PCI SSC Assessment procedures, and ensuring adherence to the applicable …
Modified p. 34
A.3.4 QSA Requirements
QSA agrees to comply with all QSA Requirements, including without limitation, QSA’s responsibilities and obligations pursuant to this Agreement, all quality assurance and Remediation requirements, and all requirements applicable to QSA Companies pursuant to the QSA Qualification Requirements and the then-current versions of (or successor documents to) the qualification and/or validation requirements published by PCI SSC with respect to each PCI SSC Program that requires qualification as a QSA Company as a prerequisite and in which QSA …

A.3.4 QSA Requirements
QSA agrees to comply with all QSA Requirements, including without limitation, QSA’s responsibilities and obligations pursuant to this Agreement, all quality assurance and Remediation requirements, and all requirements applicable to QSA Companies pursuant to the QSA Qualification Requirements and the then-current versions of (or successor documents to) the qualification and/or validation requirements published by PCI SSC with respect to each PCI SSC Program that requires qualification as a QSA Company as a prerequisite and in which QSA …
Modified p. 35
QSA agrees to pay all applicable fees imposed by PCI SSC in connection with QSA’s and its Assessor-Employees’ participation in each PCI SSC Program in which QSA is a participant (collectively, "Fees"), in each case as and in the manner provided for in the applicable Program Qualification Requirements, the PCI SSC Programs Fee Schedule on the Website and/or the other applicable PCI SSC Program documentation. Such Fees may include, without limitation, initial processing fees, regional qualification fees, regional re-qualification fees, …
QSA agrees to pay all applicable fees imposed by PCI SSC in connection with QSA’s and its Assessor- Employees’ participation in each PCI SSC Program in which QSA is a participant (collectively, "Fees"), in each case as and in the manner provided for in the applicable Program Qualification Requirements, the PCI SSC Programs Fee Schedule on the Website and/or the other applicable PCI SSC Program documentation. Such Fees may include, without limitation, initial processing fees, regional qualification fees, regional requalification
Modified p. 35
QSA acknowledges that PCI SSC may review and modify its Fees at any time and from time to time. Whenever a change in Fees occurs, PCI SSC shall notify QSA in accordance with the terms of Section A.10.1. Such change(s) will be effective immediately after the date of such notification. However, should QSA not agree with such change(s), QSA shall have the right to terminate this Agreement (or, if such change only applies to a Related PCI SSC Program, the …
QSA acknowledges that PCI SSC may review and modify its Fees at any time and from time to time. Whenever a change in Fees occurs, PCI SSC shall notify QSA in accordance with the terms of Section A.10.1. Such change(s) will be effective immediately after the date of such notification. However, should QSA not agree with such change(s), QSA shall have the right to terminate this Agreement (or, if such change only applies to a Related PCI SSC Program, the …
Modified p. 36
(c) Except as expressly authorized herein, QSA shall not use any PCI SSC trademark, service mark, certification mark, logo or other indicator of origin or source (each a “Mark”) without the prior written consent of PCI SSC in each instance. Without limitation of the foregoing, absent the prior written consent of PCI SSC in each instance and except as otherwise expressly authorized herein, QSA shall have no authority to make, and consequently shall not make, any statement that would constitute …
(c) Except as expressly authorized herein, QSA shall not use any PCI SSC trademark, service mark, certification mark, logo or other indicator of origin or source (each a “Mark”) without the prior written consent of PCI SSC in each instance. Without limitation of the foregoing, absent the prior written consent of PCI SSC in each instance and except as otherwise expressly authorized herein, QSA shall have no authority to make, and consequently shall not make, any statement that would constitute …
Modified p. 37
A.5.3 No Other Rights Granted
Except as expressly stated in this Section A.5, no rights to use any party's or Member’s marks or other Intellectual Property Rights (as defined below) are granted herein, and each party respectively reserves all of its rights therein. Without limitation of the foregoing, except as expressly provided in this Agreement, no rights are granted to QSA with respect to any Intellectual Property Rights in the PCI DSS or any other PCI Materials.

A.5.3 No Other Rights Granted
Except as expressly stated in this Section A.5, no rights to use any party's or Member’s marks or other Intellectual Property Rights (as defined below) are granted herein, and each party respectively reserves all of its rights therein. Without limitation of the foregoing, except as expressly provided in this Agreement, no rights are granted to QSA with respect to any Intellectual Property Rights in PCI DSS or any other PCI Materials.
Modified p. 37
A.5.4 Intellectual Property Rights
(a) All Intellectual Property Rights, title and interest in and the PCI SSC Programs, the PCI DSS and all other PCI Materials, all materials QSA receives from PCI SSC, and each portion, future version, revision, extension, and improvement of any of the foregoing, are and at all times shall remain solely and exclusively the property of PCI SSC or its licensors, as applicable. Subject to the foregoing and to the restrictions set forth in Section A.6, …

A.5.4 Intellectual Property Rights
(a) All Intellectual Property Rights, title, and interest in and the PCI SSC Programs, PCI DSS and all other PCI Materials, all materials QSA receives from PCI SSC, and each portion, future version, revision, extension, and improvement of any of the foregoing, are and at all times shall remain solely and exclusively the property of PCI SSC or its licensors, as applicable. Subject to the foregoing and to the restrictions set forth in Section A.6, so …
Modified p. 38 → 37
(c) QSA shall not during or at any time after the completion, expiry or termination of this Agreement in any way question or dispute PCI SSC's or its licensors’ (as applicable) Intellectual Property Rights in any PCI SSC Program or any of the PCI Materials.
(c) QSA shall not during or at any time after the completion, expiry, or termination of this Agreement in any way question or dispute PCI SSC's or its licensors’ (as applicable) Intellectual Property Rights in any PCI SSC Program or any of the PCI Materials.
Modified p. 38 → 37
(d) Except as otherwise expressly agreed by the parties, as between PCI SSC and QSA, all Intellectual Property Rights, title and interest in and to the materials created by QSA and submitted by QSA to PCI SSC in connection with its performance under this Agreement are and at all times shall remain vested in QSA, or its licensors.
(d) Except as otherwise expressly agreed by the parties, as between PCI SSC and QSA, all Intellectual Property Rights, title, and interest in and to the materials created by QSA and submitted by QSA to PCI SSC in connection with its performance under this Agreement are and at all times shall remain vested in QSA, or its licensors.
Modified p. 40 → 39
A.6.4 Personal Information In the event that QSA receives Personal Information from PCI SSC or any Member or QSA Company client in the course of providing Services or otherwise in connection with this Agreement, in addition to the obligations set forth elsewhere in this Agreement, QSA will at all times during the Term (as defined in Section A.9.1) maintain such data protection handling practices as may be required by PCI SSC from time to time, including without limitation, as a …
A.6.4 Personal Information In the event that QSA receives Personal Information from PCI SSC or any Member or QSA Company client in the course of providing Services or otherwise in connection with this Agreement, in addition to the obligations set forth elsewhere in this Agreement, QSA will at all times during the Term (as defined in Section A.9.1) maintain such data protection handling practices as may be required by PCI SSC from time to time, including without limitation, as a …
Modified p. 41 → 40
A.7 Indemnification and Limitation of Liability
A.7.1 Indemnification
QSA shall defend, indemnify, and hold harmless PCI SSC and its Members, and their respective subsidiaries, and all affiliates, subsidiaries, directors, officers, employees, agents, representatives, independent contractors, attorneys, successors, and assigns of any of the foregoing (collectively, including without limitation, PCI SSC and its Members, "Indemnified Parties") from and against any and all claims, losses, liabilities, damages, suits, actions, government proceedings, taxes, penalties or interest, associated auditing and legal expenses and other …

A.7 Indemnification and Limitation of Liability
A.7.1 Indemnification
QSA shall defend, indemnify, and hold harmless PCI SSC and its Members, and their respective subsidiaries, and all affiliates, subsidiaries, directors, officers, employees, agents, representatives, independent contractors, attorneys, successors, and assigns of any of the foregoing (collectively, including without limitation, PCI SSC and its Members, "Indemnified Parties") from and against any and all claims, losses, liabilities, damages, suits, actions, government proceedings, taxes, penalties or interest, associated auditing and legal expenses and other …
Modified p. 41
A.7.2 Indemnification Procedure
QSA's indemnity obligations are contingent on the Indemnified Party's providing notice of the claim or liability to QSA, provided that the failure to provide any such notice shall not relieve QSA of such indemnity obligations except and to the extent such failure has materially and adversely affected QSA's ability to defend against such claim or liability. Upon receipt of such notice, QSA will be entitled to control, and will assume full responsibility for, the defense of such …

A.7.2 Indemnification Procedure
QSA's indemnity obligations are contingent on the Indemnified Party's providing notice of the claim or liability to QSA, provided that the failure to provide any such notice shall not relieve QSA of such indemnity obligations except and to the extent such failure has materially and adversely affected QSA's ability to defend against such claim or liability. Upon receipt of such notice, QSA will be entitled to control, and will assume full responsibility for, the defense of such …
Modified p. 42 → 41
A.7.3 No Warranties; Limitation of Liability
(a) PCI SSC PROVIDES THE PCI DSS, ALL OTHER PCI SSC STANDARDS, THE QSA PROGRAM, ALL OTHER PCI SSC PROGRAMS, THE QSA QUALIFICATION REQUIREMENTS, ALL OTHER PROGRAM QUALIFICATION REQUIREMENTS, THE WEBSITE AND ALL RELATED AND OTHER MATERIALS PROVIDED OR OTHERWISE MADE ACCESSIBLE BY PCI SSC IN CONNECTION WITH ANY PCI SSC PROGRAM (THE FOREGOING, COLLECTIVELY, THE "PCI MATERIALS") ON AN "AS IS" BASIS WITHOUT WARRANTY OF ANY KIND. QSA ASSUMES THE ENTIRE RISK AS …

A.7.3 No Warranties; Limitation of Liability
(a) PCI SSC PROVIDES PCI DSS, ALL OTHER PCI SSC STANDARDS, THE QSA PROGRAM, ALL OTHER PCI SSC PROGRAMS, THE QSA QUALIFICATION REQUIREMENTS, ALL OTHER PROGRAM QUALIFICATION REQUIREMENTS, THE WEBSITE AND ALL RELATED AND OTHER MATERIALS PROVIDED OR OTHERWISE MADE ACCESSIBLE BY PCI SSC IN CONNECTION WITH ANY PCI SSC PROGRAM (THE FOREGOING, COLLECTIVELY, THE "PCI MATERIALS") ON AN "AS IS" BASIS WITHOUT WARRANTY OF ANY KIND. QSA ASSUMES THE ENTIRE RISK AS TO …
Modified p. 42 → 41
(b) PCI SSC MAKES NO REPRESENTATION OR WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH RESPECT TO THE SUBJECT MATTER OF THIS AGREEMENT, INCLUDING WITHOUT LIMITATION, ANY PCI SSC PROGRAM, THE PCI MATERIALS OR ANY MATERIALS OR SERVICES PROVIDED UNDER OR IN CONNECTION WITH THIS AGREEMENT OR ANY PCI SSC PROGRAM. PCI SSC SPECIFICALLY DISCLAIMS, AND QSA EXPRESSLY WAIVES, ALL REPRESENTATIONS AND WARRANTIES WITH RESPECT TO THIS AGREEMENT, EACH PCI SSC PROGRAM, THE PCI MATERIALS, ANY MATERIALS OR SERVICES PROVIDED …
(b) PCI SSC MAKES NO REPRESENTATION OR WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH RESPECT TO THE SUBJECT MATTER OF THIS AGREEMENT, INCLUDING WITHOUT LIMITATION, ANY PCI SSC PROGRAM, THE PCI MATERIALS OR ANY MATERIALS OR SERVICES PROVIDED UNDER OR IN CONNECTION WITH THIS AGREEMENT OR ANY PCI SSC PROGRAM. PCI SSC SPECIFICALLY DISCLAIMS, AND QSA EXPRESSLY WAIVES, ALL REPRESENTATIONS AND WARRANTIES WITH RESPECT TO THIS AGREEMENT, EACH PCI SSC PROGRAM, THE PCI MATERIALS, ANY MATERIALS OR SERVICES PROVIDED …
Modified p. 42
(d) EXCEPT FOR DAMAGES CAUSED BY THE GROSS NEGLIGENCE OR WILLFUL MISCONDUCT OF A PARTY, AND EXCEPT FOR THE OBLIGATIONS OF QSA UNDER SECTIONS A.5 OR A.6, IN NO EVENT SHALL EITHER PARTY OR ANY MEMBER BE LIABLE TO THE OTHER FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT OR SPECIAL DAMAGES, HOWEVER CAUSED, WHETHER UNDER THEORY OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF
(d) EXCEPT FOR DAMAGES CAUSED BY THE GROSS NEGLIGENCE OR WILLFUL MISCONDUCT OF A PARTY, AND EXCEPT FOR THE OBLIGATIONS OF QSA UNDER SECTIONS A.5 OR A.6, IN NO EVENT SHALL EITHER PARTY OR ANY MEMBER BE LIABLE TO THE OTHER FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT OR SPECIAL DAMAGES, HOWEVER CAUSED, WHETHER UNDER THEORY OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY DOES …
Modified p. 43 → 42
A.7.4 Insurance
At all times while this Agreement is in effect, QSA shall maintain insurance in such amounts, with such insurers, coverages, exclusions and deductibles which, at a minimum, meet the applicable insurance requirements for U.S. or European Union QSA Companies (as applicable) participating in each of the PCI SSC Programs in which QSA is a participant, including without limitation, the insurance requirements for QSA Companies set forth in Appendix B of the QSA Qualification Requirements. QSA acknowledges and agrees …

A.7.4 Insurance
At all times while this Agreement is in effect, QSA shall maintain insurance in such amounts, with such insurers, coverages, exclusions, and deductibles which, at a minimum, meet the applicable insurance requirements for U.S. or European Union QSA Companies (as applicable) participating in each of the PCI SSC Programs in which QSA is a participant, including without limitation, the insurance requirements for QSA Companies set forth in Appendix B of the QSA Qualification Requirements. QSA acknowledges and agrees …
Modified p. 44 → 43
PCI SSC may terminate this Agreement and/or any Addendum effective as of the end of the then-current Term by providing QSA with written notice of its intent to terminate or not to renew this Agreement (or such Addendum, as applicable) at least sixty (60) days prior to the end of the then-current Term. Additionally, PCI SSC may terminate this Agreement and/or any Addendum: (i) with written notice upon QSA's voluntary or involuntary bankruptcy, receivership, reorganization dissolution or liquidation …
PCI SSC may terminate this Agreement and/or any Addendum effective as of the end of the then-current Term by providing QSA with written notice of its intent to terminate or not to renew this Agreement (or such Addendum, as applicable) at least sixty (60) days prior to the end of the then-current Term. Additionally, PCI SSC may terminate this Agreement and/or any Addendum: (i) with written notice upon QSA's voluntary or involuntary bankruptcy, receivership, reorganization dissolution or liquidation …
Modified p. 47 → 46
A.10.2 Audit and Financial Statements (a) QSA shall allow PCI SSC or its designated agents access during normal business hours throughout the Term and for six (6) months thereafter to perform audits of QSA's facilities, operations and records of Services to determine whether QSA has complied with this Agreement. QSA also shall provide PCI SSC or its designated agents during normal business hours with books, records and supporting documentation adequate to evaluate QSA's performance hereunder. Upon request, QSA shall provide …
A.10.2 Audit and Financial Statements (a) QSA shall allow PCI SSC or its designated agents access during normal business hours throughout the Term and for six (6) months thereafter to perform audits of QSA's facilities, operations, and records of Services to determine whether QSA has complied with this Agreement. QSA also shall provide PCI SSC or its designated agents during normal business hours with books, records, and supporting documentation adequate to evaluate QSA's performance hereunder. Upon request, QSA shall provide …
Modified p. 47 → 46
(b) Notwithstanding anything to the contrary in Section A.6 of this Agreement, in order to assist in ensuring the reliability and accuracy of QSA's PCI SSC Assessments, QSA hereby agrees to comply with all quality assurance procedures and requirements established or imposed by PCI SSC from time to time in connection with each PCI SSC Program in which QSA is a participant (including but not limited to conditions and requirements imposed in connection with remediation, revocation or any other Qualification …
(b) Notwithstanding anything to the contrary in Section A.6 of this Agreement, in order to assist in ensuring the reliability and accuracy of QSA's PCI SSC Assessments, QSA hereby agrees to comply with all quality assurance procedures and requirements established or imposed by PCI SSC from time to time in connection with each PCI SSC Program in which QSA is a participant (including but not limited to conditions and requirements imposed in connection with remediation, revocation or any other Qualification …
Modified p. 48 → 47
A.10.3 Governing Law; Severability Any dispute in any way arising out of or in connection with the interpretation or performance of this Agreement, which cannot be amicably settled within thirty (30) days of the written notice of the dispute given to the other party by exercising the best efforts and good faith of the parties, shall be finally settled by the courts of Delaware (United States of America) in accordance with Delaware law without resort to its conflict of laws …
A.10.3 Governing Law; Severability Any dispute in any way arising out of or in connection with the interpretation or performance of this Agreement, which cannot be amicably settled within thirty (30) days of the written notice of the dispute given to the other party by exercising the best efforts and good faith of the parties, shall be finally settled by the courts of Delaware (United States of America) in accordance with Delaware law without resort to its conflict of laws …
Modified p. 48 → 47
A.10.4 Entire Agreement; Modification; Waivers The parties agree that this Agreement, including the QSA Qualification Requirements and any other documents, addenda, supplements, amendments, appendices, exhibits, schedules or other materials incorporated herein by reference (each of which is hereby incorporated into and made a part of this Agreement by this reference), is the exclusive statement of the agreement between the parties with respect to the subject matter hereof, which supersedes and merges all prior proposals, understandings and all other agreements, oral …
A.10.4 Entire Agreement; Modification; Waivers The parties agree that this Agreement, including the QSA Qualification Requirements and any other documents, addenda, supplements, amendments, appendices, exhibits, schedules or other materials incorporated herein by reference (each of which is hereby incorporated into and made a part of this Agreement by this reference), is the exclusive statement of the agreement between the parties with respect to the subject matter hereof, which supersedes and merges all prior proposals, understandings and all other agreements, oral …
Modified p. 49 → 48
A.10.5 Assignment QSA may not assign this Agreement, or assign, delegate or subcontract any of its rights and/or obligations under this Agreement (including but not limited to by subcontracting any of the foregoing to a related party or affiliate), without the prior written consent of PCI SSC, which consent PCI SSC may grant or withhold in its absolute discretion.
A.10.5 Assignment QSA may not assign this Agreement, or assign, delegate, or subcontract any of its rights and/or obligations under this Agreement (including but not limited to by subcontracting any of the foregoing to a related party or affiliate), without the prior written consent of PCI SSC, which consent PCI SSC may grant or withhold in its absolute discretion.
Modified p. 51 → 49
• EMPLOYER’S LIABILITY with a limit of $1,000,000
• EMPLOYER’S LIABILITY with a limit of $1,000,000.
Modified p. 51 → 49
• COMMERCIAL AUTOMOBILE INSURANCE including owned, leased, hired, or non-owned autos subject to minimum limits of $1,000,000 per accident
• COMMERCIAL AUTOMOBILE INSURANCE including owned, leased, hired, or non-owned autos subject to minimum limits of $1,000,000 per accident.
Modified p. 51 → 49
• CRIME/FIDELITY BOND including first-party employee dishonesty, robbery, fraud, theft, forgery, alteration, mysterious disappearance and destruction. Coverage must also include third-party employee dishonesty, i.e., coverage for claims made by the QSA Company’s client against the QSA Company for theft committed by the QSA Company’s employees. The minimum limit shall be $1,000,000 each loss and annual aggregate. The policy Coverage Territory must include the entire Region(s) in which the QSA Company is qualified to operate.
• CRIME/FIDELITY BOND including first-party employee dishonesty, robbery, fraud, theft, forgery, alteration, mysterious disappearance, and destruction. Coverage must also include third-party employee dishonesty, i.e., coverage for claims made by the QSA Company’s client against the QSA Company for theft committed by the QSA Company’s employees. The minimum limit shall be $1,000,000 each loss and annual aggregate. The policy Coverage Territory must include the entire Region(s) in which the QSA Company is qualified to operate.
Modified p. 51 → 49
If any of the above insurance is written on a claims-made basis, then Security Assessor shall maintain such insurance for five (5) years after the termination of this agreement. The limits shown in the appendix may be written in other currencies, but should be the equivalent of the limits in US dollars shown here.
If any of the above insurance is written on a claims-made basis, then Security Assessor shall maintain such insurance for five (5) years after the termination of this agreement. The limits shown in the appendix may be written in other currencies but should be the equivalent of the limits in US dollars shown here.
Modified p. 51 → 49
Without limiting Security Assessor’s indemnification duties as outlined in the Indemnification Section herein, PCI SSC shall be named as an additional insured under the Commercial General Liability for any claims and losses arising out of, allegedly arising out of or in any way connected to the Security Assessor’s performance of the Services under this agreement. The insurers shall agree that the Security Assessor’s insurance is primary and any insurance maintained by PCI SSC shall be excess and non-contributing to …
Without limiting Security Assessor’s indemnification duties as outlined in the Indemnification Section herein, PCI SSC shall be named as an additional insured under the Commercial General Liability for any claims and losses arising out of, allegedly arising out of or in any way connected to the Security Assessor’s performance of the Services under this agreement. The insurers shall agree that the Security Assessor’s insurance is primary, and any insurance maintained by PCI SSC shall be excess and non-contributing to …
Modified p. 53 → 51
Applicant QSA Company (the “Company”) Information • Section 1 Company Name:
Section 1 − Applicant QSA Company (the “Company”) Information Company Name:
Modified p. 53 → 51
Primary Contact Name: Job Title:
Primary Contact Name:
Modified p. 53 → 51
Secondary Contact Name: Job Title:
Secondary Contact Name:
Modified p. 53 → 51
The Company acknowledges and agrees that in order to participate as a QSA Company in the QSA Program, it must satisfy all of the requirements specified in the QSA Qualification Requirements and supporting documents
The Company acknowledges and agrees that in order to participate as a QSA Company in the QSA Program, it must satisfy all of the requirements specified in the QSA Qualification Requirements and supporting documents.
Modified p. 54 → 52
The Company hereby certifies that it has a conflict of interest policy and agrees to provide that policy to PCI SSC upon request.
The Company hereby certifies that it has a conflict-of-interest policy and agrees to provide that policy to PCI SSC upon request.
Modified p. 55 → 53
• Agrees to maintain and adhere to a conflict of interest policy, and provide the policy and/or any signed disclosure statements to PCI SSC upon request
• Agrees to maintain and adhere to a conflict-of-interest policy, and provide the policy and/or any signed disclosure statements to PCI SSC upon request.
Modified p. 55 → 53
• Agrees not to use its status as a “listed QSA” to market services unnecessary to bring clients into compliance with the PCI DSS.
• Agrees not to use its status as a “listed QSA” to market services unnecessary to bring clients into compliance with PCI DSS.
Modified p. 55 → 53
• Agrees not to misrepresent any requirement of the PCI DSS in connection with its promotion or sales of services to clients, and not to state or imply that the PCI DSS requires usage of any of the Company’s products or services.
• Agrees not to misrepresent any requirement of PCI DSS in connection with its promotion or sales of services to clients, and not to state or imply that PCI DSS requires usage of any of the Company’s products or services.
Removed p. 56
PCI SSC Code of Professional Responsibility

• 3.3.1 Requirements The Company acknowledges and agrees that it has read and understands the PCI SSC Code of Professional Responsibility, and hereby agrees to advocate, continuously adhere to, and support the terms and provisions thereof.
Modified p. 56 → 54
Fees

• 2.4.1 Requirements The Company acknowledges that it will be charged an application processing fee, annual regional qualification fees for each geographic region or country in which the Company intends to perform PCI DSS Assessments, and annual fees for each Assessor-Employee’s PCI SSC training.
Section 2 − QSA Company Business Requirements (continued) Fees

• 2.4.1 Requirement The Company acknowledges that it will be charged an application processing fee, annual regional qualification fees for each geographic region or country in which the Company intends to perform PCI DSS Assessments, and annual fees for each Assessor-Employee’s PCI SSC training.
Modified p. 56 → 54
QSA Agreement

• 2.5.1 Requirements The Company acknowledges and agrees that along with its completed application package it is providing to
QSA Agreement

• 2.5.1 Requirement The Company acknowledges and agrees that along with its completed application package it is providing to
Removed p. 58
Contact name: Job title:

Contact name: Job title:
Modified p. 58 → 56
Provide two client references from security engagements within the last 12 months:
Section 3 − QSA Capability Requirements (continued) QSA Company Skills and Experience

• 3.1.2 Provisions (continued)
Provide two client references from security engagements within the last 12 months:
Modified p. 58 → 56
Contact phone number: E-mail address:
Contact phone number:
Modified p. 58 → 56
Contact phone number: E-mail address:
Contact phone number:
Removed p. 59
Internal Quality Assurance

• 4.3.1 Provisions The Company acknowledges and agrees that, as of March 31, 2022, all quality assurance reviews must be completed by personnel qualified by PCI SSC as a QSA, AQSA, or PCIP The Company understands and agrees that it must annually provide to PCI SSC the completed QSA Annual QA Questionnaire in the Portal The Company acknowledges and agrees that it must adhere to all quality assurance requirements described in the QSA Qualification Requirements and supporting documentation, must have a quality assurance program, documented in its Quality Assurance manual, and must maintain and adhere to a documented quality assurance process and manual that includes all items described in Section 4.3.1 of the QSA Qualification Requirements.
Modified p. 59 → 57
The Company hereby attests that it successfully completes background checks for each candidate Assessor-Employee in accordance with the provisions of Section 4.2.2 Below is a summary description of the Company’s personnel background check policies:
The Company hereby attests that it successfully completes background checks for each candidate Assessor-Employee in accordance with the provisions of Section 4.2.2.
Modified p. 60 → 58
Conduct all PCI DSS Assessments on-site at the applicable client’s facilities.
Conduct all PCI DSS Assessments onsite at the applicable client’s facilities or remotely according to the
Modified p. 60 → 59
Evidence (Workpaper) Retention

• 4.5.2 Provisions The Company has an evidence-retention policy and procedures per Section 4.5.1 of the QSA Qualification Requirements and agrees to retain all records created and/or obtained during each PCI DSS Assessment for a minimum of three (3) years.
Section 4 − QSA Administrative Requirements (continued) Evidence (Workpaper) Retention

• 4.5.2 Provisions The Company has an evidence-retention policy and procedures per Section 4.5.1 of the QSA Qualification Requirements and agrees to retain all records created and/or obtained during each PCI DSS Assessment for a minimum of three (3) years.
Modified p. 62 → 60
From (date): To (date): Total time: Years Months Examples of work and/or description of experience in information security risk assessment or risk management:
From (date): To (date): Total time: Years Months From (date): To (date): Total time: Years Months Examples of work and/or description of experience in information security risk assessment or risk management:
Modified p. 63 → 61
ISO 27001, Lead Auditor/Implement er, Internal Auditor Certification number:
ISO 27001, Lead Auditor/Implementer, Internal Auditor Certification number:
Modified p. 63 → 61
NOTE: “In process” certifications, where the certification number has not yet been issued, do not meet the requirement.
Note: “In process” certifications, where the certification number has not yet been issued, do not meet the requirement.
Modified p. 63 → 61
(a) The information provided above is true, accurate and complete; (b) I have read and understand the QSA Qualification Requirements and will comply with the terms thereof; (c) I have read and understand the PCI SSC Code of Professional Responsibility, and will advocate, continuously adhere to and support the terms and provisions thereof.
(a) The information provided above is true, accurate and complete; (b) I have read and understand the QSA Qualification Requirements and will comply with the terms thereof; and (c) I have read and understand the PCI SSC Code of Professional Responsibility, and will advocate, continuously adhere to and support the terms and provisions thereof.
Modified p. 65 → 63
Primary Contact Primary Contact signature  Date  Candidate Associate QSA Employee Application Acknowledgement By signing below, I hereby acknowledge and agree that:
Primary Contact signature  Date  Candidate Associate QSA Employee Application Acknowledgement By signing below, I hereby acknowledge and agree that: