Document Comparison
QIR_Program_Guide_September2015.pdf
→
QIR_Program_Guide_v4.1.pdf
Similarity: 51%
Pages: 16 → 16
Words: 5717 → 5158
Content Changes: 53. 26 administrative changes (dates, page numbers) hidden.
Added
p. 2
September 2015, v3.0: Minor edits to simplify the program (e.g., allowing sole proprietors to join the program by removing the requirement to have two trained employees on staff at all times)
March 2018, v4.0: Update to reflect QIR Program Expansion
March 2023, v4.1: Update PA-DSS references and add applicable Software Security Framework (SSF) references
Added
p. 4
• QIR Program Overview
• QIR Program Roles and Responsibilities
• Qualified Installation Process Overview
• QIR Quality Management
1.1 QIR Program Overview
The QIR Program offers a credential (the QIR Professional Qualification) for those industry practitioners who implement, configure, and/or support Payment Applications, Payment Software, and related payment technologies and services on behalf of merchants and service providers. To gain the qualification, the practitioner must demonstrate their knowledge of those critical security controls that mitigate the most common causes of loss of Cardholder Data in the payment card industry today.
QIR Professional Qualification provides confidence in the quality, reliability, and consistency of a QIR Professional’s work and that the Payment Application, Payment Software and related technologies they install, configure, and service have been implemented in a manner that targets the Customer’s security risk.
The QIR Program also simplifies the process for identifying and engaging integrators and resellers qualified by PCI SSC to assist merchants …
Added
p. 6
• Ensuring that the installation or upgrade of Payment Applications, Payment Software and related technologies (and provision of related services and activities in connection with the deployment, configuration, or access to any of the customer’s foregoing) in a Customer’s Cardholder Data environment is implemented in a manner that addresses high-priority security risks
• Supporting any investigations by PCI Forensic Investigators relating to Customers and/or Cardholder Data environments with respect to which the QIR Professional performed any Services in connection with the QIR Program
• Servicing the Payment Applications, Payment Software, and related technologies (for example, troubleshooting, delivering remote updates, and providing remote support) if engaged to do so, in accordance with the information provided by the application vendor in implementation or installation guidance or other relevant supporting materials, and in accordance with PCI DSS
2.2 QIR Program Objectives
The QIR program focuses on the following objectives:
• Reducing the likelihood of Cardholder Data loss from merchant or …
Added
p. 7
• Verifying that the Customer’s environment meets the minimum requirements for software or hardware for the payment technologies that are included in Qualified Installation
• Reviewing the latest vendor documentation and training programs available for the specific version(s) of the Payment Application, Payment Software and/or related technologies involved, prior to undertaking a Qualified Installation
• Directing the Customer to the QIR Feedback Form for Payment Brands and Others (“QIR Feedback form”) on the Website, where the form can be completed and submitted to PCI SSC
• Determining the level of access required to support the Customer, and strictly following secure access, installation, maintenance, and support processes outlined in the payment technology vendor’s latest installation or implementation guidance
• Notifying the Customer that security is at risk if any application or other technology they choose to install or maintain has been identified as vulnerable
• Developing an installation, configuration, and maintenance plan from the information provided …
Added
p. 8
The QIR Implementation Statement confirms what the QIR Professional did, what they observed, and what they informed the Customer of in connection with the Qualified Installation. The QIR Professional is not performing a PCI DSS assessment. Compliance with PCI DSS remains the responsibility of the Customer.
A QIR Implementation Statement must be produced as part of each Qualified Installation and must be delivered to the Customer within ten (10) business days after completion of the Qualified Installation.
Note: There may be multiple retail locations, corporate offices, or other places where applications or related technologies are installed as part of the Qualified Installation. Where a Qualified Installation involves multiple customer locations, the QIR Professional may choose to prepare a number of QIR Implementation Statements that together represent all locations.
The QIR Professional must store the QIR Implementation Statement and any associated work papers for a minimum of three (3) years from the completion of …
Added
p. 9
This part is divided into two sections:
Part 2a: Critical controls. This part is applicable to all Qualified Installations.
Part 2b: This part is applicable only to PCI Validated Payment Software or PCI PA-DSS Validated Payment Applications.
Part 3: QIR Professional Additional Observations. Records observations or details that the Customer should be aware of. Includes items identified in the Details section that require explanation.
If a QIR Professional is installing or supporting a point-of-sale technology, the QIR Professional or the Customer should not use that technology for unrelated functions (i.e., web browsing or email).
Added
p. 9
• Advise Customers to:
  o Turn on remote access only when necessary;
  o Monitor when in use; and
  o Turn off access immediately thereafter.
• Use remote access software only when absolutely necessary, and in a secure manner, to access Customer sites for installation, support, and maintenance purposes.
• Use multi-factor authentication with strong cryptography.
QIR Professionals using remote access software must follow the information provided by the application vendor in the vendor documentation, which may contain instructions on using remote access security features. The QIR Professional is required to manage all remote access to Customers as follows:
Added
p. 10
• Site access must be restricted, and authentication credentials assigned to only those personnel who need access.
• Remote QIR Professional access to Customer sites must only come from specific IP addresses expected by the network design.
• Unique, complex, and secure authentication credentials must be used for each Customer.
• Data transmissions must always be encrypted.
Added
p. 10
• Providing instructions for the Customer to eliminate all connectivity (for example, open firewall ports) between the QIR Professional and the Customer
3.3 Service Fees
Pricing and fees charged by QIR Professionals (or the companies that employ them) for the Services they provide to Customers in connection with Qualified Installations are negotiated directly between the QIR Professional (or the company that employs them) and the applicable Customer. PCI SSC is not involved in any way with any such fees or pricing.
Added
p. 11
Without limiting the foregoing, all Qualified Installations and Services must be performed in accordance with all applicable Qualification Requirements, including but not limited to, the requirements specified in the QIR Program Guide, the QIR Qualification Requirements, and the QIR Implementation Instructions. In order to help ensure the foregoing, PCI SSC engages in ongoing QIR Professional monitoring, through both direct interaction and QIR Feedback Forms received from Customers and third parties.
Added
p. 11
In order to help ensure the quality of each Qualified Installation, the QIR Professional should consider the following (as a minimum):
• Review the PCI DSS and related requirements that apply to the Qualified Installation. References are provided in the QIR Implementation Instructions available on the Website.
• Where available, review information documented in QIR Implementation Statements relating to similar installations.
• Thoroughly document all Qualified Installation results.
• Review all QIR Implementation Statements for quality and completeness before publication. The QIR Implementation Instructions contains a checklist of tasks to be completed as part of a Qualified Installation.
• Review all information provided in the vendor documentation on how to configure and support their products securely.
• Adequacy of QIR Implementation Statement content
• Competence of staff assigned to Qualified Installation Engagements
Added
p. 12
Note: The QIR Professional may redact sensitive or confidential information that does not materially impact PCI SSC’s quality assurance review.
Failure to satisfy applicable requirements or meet applicable quality levels may result in any or all of the actions described in Section 5.3 below.
Added
p. 13
Status designations are not necessarily progressive: Any QIR Professional’s status may be revoked for quality concerns or failure to satisfy applicable Qualification Requirements. Accordingly, a QIR Professional may move directly from Good Standing to Revocation. Non-severe quality concerns are generally addressed through the Remediation process (described below) in order to promote improved performance.
Added
p. 13
During Remediation, QIR Professionals may continue to perform Qualified Installations and other Services. During Remediation and generally in connection with PCI SSC’s QIR Program quality assurance initiatives, PCI SSC may monitor and require QIR Professionals to provide QIR Implementation Statements and any other materials, information, or work product generated or obtained during the course of Qualified Installations (redacted in accordance with QIR Program policy). Such materials must be provided within three (3) weeks of PCI SSC’s request. QIR Professionals may also be charged fees to cover PCI SSC’s costs of monitoring and Remediation.
Remediation is a joint effort between the QIR Professional and PCI SSC to improve the quality of the QIR Professional’s work. To participate in Remediation, the QIR Professional must agree to comply with all Remediation requirements and conditions specified by PCI SSC, including but not limited to, submission of a Remediation plan acceptable to PCI SSC, which details …
Added
p. 14
• Violation of any obligation regarding non-disclosure of confidential materials
• Failure to maintain physical, electronic, and procedural safeguards to protect confidential or sensitive information; and/or failure to report to PCI SSC unauthorized access to any system that stores confidential or sensitive information
• Engagement in unprofessional or unethical business conduct, including misrepresentation of the PCI DSS or any other PCI SSC requirements or documents in order to sell products or services
• Failure to provide quality services, based on Customer feedback or evaluation by PCI SSC, any of its affiliates, or any third party
• Cheating on any exam in connection with QIR Program training, including without limitation submitting work that is not the work of the QIR Professional taking the exam; theft of or unauthorized access to an exam; use of an alternate, stand-in or proxy during an exam; use of any prohibited or unauthorized materials, notes, or computer programs during an …
Added
p. 16
The QIR Professional must maintain adequate physical, electronic, and procedural safeguards consistent with industry-accepted practices to protect sensitive and confidential information against loss or unauthorized access during storage, processing, and/or transmitting of this information.
All such documented evidence must be made available to PCI SSC, PFIs, and Participating Payment Brands upon request, for the time period specified above, even if the QIR Professional has left the QIR Program.
These are the acceptable forms of documented evidence:
• Copies of any logs or configuration files used or generated
• Copies of any Payment Application, Payment Software, or payment technology vendor written/published documentation used
• Copies of any troubleshooting requests raised with the Payment Application, Payment Software or technology vendor during or as a result of the implementation
• Any written/published Payment Application or Payment Software vendor procedures used during the implementation
• Any written process documents
• Change-control documentation
• System-configuration files
• Written/published methodologies
• Any written/published vendor procedures
• Copies/screenshots of …
Modified
p. 1
Payment Card Industry (PCI) Qualified Integrators and Resellers™ Program Guide Version 3.0
Payment Card Industry (PCI) Qualified Integrator and Reseller (QIR)™ Program Guide Version 4.1
Removed
p. 4
• QIR Program Background
• QIR Program Roles and Responsibilities
• QIR Program Overview
• Pre-Implementation Activities
• Qualified Installation Process Overview
• Post-Implementation Activities
• QIR Quality Management
1.1 QIR Program Background
PCI SSC operates the Payment Application Data Security Standards (PA-DSS) program. The program promotes the development and implementation of secure commercial payment applications that do not store prohibited data, and helps to ensure that payment applications support compliance with the PCI DSS.
Organizations qualified by PCI SSC to implement, configure and/or support PA-DSS validated Payment Applications on behalf of merchants and service providers are referred to as “Qualified Integrator and Reseller Companies” or “QIR Companies.” The quality, reliability and consistency of a QIR Company’s work provide confidence that the application has been implemented in a manner that supports the customer’s PCI DSS compliance.
Removed
p. 5
A QIR Company may be any form of legal entity and must comply with all QIR Company Requirements.
Only companies that are qualified by PCI SSC and are in “Good Standing” (or in Remediation) as QIR Companies are permitted to perform Qualified Installations. All QIR Companies are listed on the QIR List.
QIR Company responsibilities generally include (without limitation) the following:
• Ensuring installations and configurations of PA-DSS validated Payment Applications are in accordance with the applicable PA-DSS Implementation Guide in a manner which supports PCI DSS compliance.
• Maintaining a quality assurance program that includes vetting of employees involved in Qualified Installations, personnel training and education on PCI DSS and applicable PA-DSS Implementation Guides.
• Supporting any PFI forensic investigations in which the application the QIR installed at a customer environment may be involved.
• Servicing the payment applications (for example, troubleshooting, delivering remote updates and providing remote support) if engaged to do so, …
Removed
p. 5
• Ensuring that QIR Companies install and configure PA-DSS validated payment applications into customer environments in a manner that supports PCI DSS compliance, and
• Ensuring that QIR Companies are accountable for ensuring that such installations facilitate their customers’ PCI DSS compliance efforts.
Modified
p. 5 → 6
• Providing the Customer with a completed QIR Implementation Statement after completion of a Qualified Installation
Modified
p. 5 → 6
• Documenting any potential security risks identified by the QIR Professional in the QIR Implementation Statement
Modified
p. 5 → 6
• Protecting confidential and sensitive information
Removed
p. 6
Pricing and fees charged by QIR Companies for the services they provide to customers in connection with Qualified Installations are negotiated directly between the QIR Company and the applicable customer. Fees and pricing for Qualified Installations and related services of QIR Companies are not set by PCI SSC, and PCI SSC is not involved in any way with such fees or pricing.
Removed
p. 6
• Requalify every three years.
• Require all continuing QIR Employees to successfully complete all required QIR Program training and training examinations every three years. QIR Employees failing to satisfy this requirement must do so before leading or managing any Qualified Installation.
• Annually review and update, as applicable, the QIR Company’s Quality Manual (See Section 6.1 below).
• Require all QIR Employees to annually review PA-DSS Payment Application training materials to maintain current knowledge of all major and minor software changes.
• Train employees and contractors with access to customer sites on how to access, install, maintain and support payment applications (and any connected systems) in accordance with the information provided by the application vendor in the PA-DSS Implementation Guide and other supporting materials.
Modified
p. 6
Please refer to the QIR Qualification Requirements to review specific information regarding qualification as a QIR Company or QIR Employee.
Please refer to the QIR Qualification Requirements to review specific information regarding requalification as a QIR Professional, or for more information on initial application and qualification processes.
Removed
p. 7
• Sell and install only those Validated Application Versions that are identified on the Website as “Acceptable for New Deployments.”
  o Confirm before the start of a new Engagement that the application is Acceptable for New Deployments.
• Be prepared to answer any questions the customer may have, or know where to refer the customer, regarding the payment application listing information on the Website, such as:
  o The Revalidation Date is based on the acceptance of a specific application by PCI SSC. Each validated payment application must undergo an annual attestation until the Expiry Date is reached. Payment applications that have not yet expired appear on the Acceptable for New Deployments list.
  o The Expiry Date is based on the lifecycle of PA-DSS. All payment applications validated to a particular version of PA-DSS expire on the same date. When the Expiry Date is reached, if a specific payment application has not …
Modified
p. 7
Preparation activities that the QIR Company must consider prior to undertaking a Qualified Installation include but are not limited to:
Preparation activities that the QIR Professional must consider prior to undertaking a Qualified Installation include but are not limited to:
Modified
p. 7
• Providing the Customer with the name of the QIR Professional who will be responsible for the Engagement, an estimate of work to be performed, expected duration of the work, and notice of any potential down time
Removed
p. 8
Determine the level of access that will be required to support the customer, and strictly follow secure access, installation, maintenance and support processes outlined in the application vendor’s latest PA-DSS Implementation Guide.
Develop an installation, configuration and maintenance plan from the information provided by the application vendor in the PA-DSS Implementation Guide and any other supporting materials.
Removed
p. 8
All tasks in the QIR Implementation Statement are the responsibility of the Lead QIR. Some of the tasks may be automatically performed by the payment application; other tasks will be performed by the QIR Employee. The PA-DSS Implementation Guide for the validated payment application will provide instructions on how to configure the payment application or other software. The customer may choose to perform some of these tasks rather than the QIR Company. It is important that the Lead QIR document all tasks that both the QIR Company and the customer are to perform, and that both the QIR Company and the customer understand and agree to the tasks before commencement.
Modified
p. 8 → 7
• Ensuring that QIR Professional access credentials are unique per QIR Professional and per Customer
Modified
p. 8 → 7
The QIR Implementation Statement provides a checklist of tasks to be completed as part of a Qualified Installation. Some or all of these tasks will apply to any given implementation. It is the responsibility of the Lead QIR to understand how each item within the QIR Implementation Statement applies to the particular implementation.
The QIR Implementation Statement provides a checklist of tasks to be completed as part of a Qualified Installation. Some or all of these tasks will apply to any given implementation. It is the responsibility of the QIR Professional to understand how each item within the QIR Implementation Statement applies to the particular implementation.
Modified
p. 8
Both the QIR Implementation Statement and the vendor documentation for the payment technologies must be used during the installation. The QIR Professional must retain evidence of all configurable elements of a Qualified Installation (whether performed by the QIR Professional or Customer) and must retain these work papers as part of the installation documentation. Examples of types of evidence are provided in Appendix A.
Removed
p. 9
Signatures The signature of the Lead QIR indicates acceptance of responsibility and accountability for the completed installation.
The signature of the customer is required to confirm a copy of the QIR Implementation Statement has been provided to them.
NOTE: The Lead QIR is expected to review the results of the installation with the customer to demonstrate the Payment Application has been installed and configured in a manner that supports compliance with PCI DSS, and if applicable, that potential areas of vulnerability have been identified.
Modified
p. 9 → 8
A template for the QIR Implementation Statement is available on the Website. Supporting guidance, the QIR Implementation Instructions, is also on the Website and explains how to complete the QIR Implementation Statement. The Implementation Statement is divided into three (3) parts: Part 1: Implementation Statement Summary, Part 2: Implementation Statement Details, and Part 3: QIR Employee Additional Observations. QIR Companies must follow the defined format for all Qualified Installations.
A template for the QIR Implementation Statement is available on the Website. Supporting guidance, the QIR Implementation Instructions, is also on the Website and explains how to complete the QIR Implementation Statement.
Removed
p. 10
QIR Companies using remote access software must follow the PA-DSS Implementation Guide, which contains instructions on using remote access security features. The QIR Company is required to manage all remote access to customers as follows:
o Site access must be restricted and authentication credentials assigned to only those personnel who need access.
o Remote QIR Company access to customer sites must only come from specific and known IP addresses.
o Unique, complex and secure authentication credentials must be used for each customer.
o Data transmissions must always be encrypted.
Modified
p. 10 → 9
If a QIR Professional is troubleshooting or debugging for a Customer, any Cardholder Data that is collected must be encrypted while stored and securely deleted immediately after use.
Modified
p. 10 → 9
The QIR Company must immediately report all vulnerabilities or potential breaches to the customer.
The QIR Professional must immediately report all known security vulnerabilities or identified security breaches, whether suspected or actual, to the Customer.
Modified
p. 10 → 9
The QIR Company must review, at least annually, updates to the applicable PA-DSS Implementation Guide and supporting documentation to remain current with all major and minor software changes, and QIR Company training materials must be updated to reflect all major and minor software changes.
The QIR Professional must review, at least annually, updates to the applicable vendor documentation to remain current with all major and minor changes.
Removed
p. 11
• Providing instructions for the customer to eliminate all connectivity (for example, open firewall ports) between the QIR Company and the customer.
Modified
p. 11 → 10
• Ensuring the QIR Professional’s credentials not needed by the Customer are securely removed from all Customer sites after any installation or maintenance tasks have been completed
Modified
p. 11 → 10
• Providing instructions for the Customer to remove QIR Professional user accounts and credentials, if the QIR Professional no longer supports the Customer
Removed
p. 12
PCI SSC quality assurance process begins with QIR Company and QIR Employee qualification and related training process.
Together, these quality checks allow PCI SSC to reasonably monitor the quality of QIR Companies and Employees. So long as PCI SSC determines in its reasonable discretion that a QIR Company continues to satisfy applicable QIR Requirements and meets prescribed quality levels for Qualified Installations, that QIR Company will remain in Good Standing as a QIR Company. Failure to satisfy applicable requirements or meet applicable quality levels may result in any or all of the actions described in Section 6.4 below.
Modified
p. 12 → 11
Any payment card brand, acquiring bank or other person or entity may submit QIR Feedback Forms to PCI SSC to provide feedback on a Qualified Installation. Additionally, a Qualified Security Assessor (QSA) Company or Employee that assesses a merchant or service provider that has had a Qualified Installation performed may submit a QIR Feedback Form regarding the QIR Company that performed that installation.
Any payment card brand, acquiring bank, merchant, service provider, or other person or entity may submit a QIR Feedback Form to PCI SSC to provide feedback on a Qualified Installation. Additionally, a Qualified Security Assessor (QSA) Company or Employee that assesses a merchant or service provider that has had a Qualified Installation performed may submit a QIR Feedback Form regarding the QIR Professional that performed that installation.
Modified
p. 12 → 11
• Ability to effectively communicate the results of the Qualified Installation and any potential risks or exposures identified during the Qualified Installation
Modified
p. 12
PCI SSC then performs monitoring activities to gain assurance that established requirements are in place and maintained as expected. This is achieved most often through review and monitoring of QIR Customer Feedback Forms, and may include audits of QIR Implementation Statements and other materials, information or work product generated or obtained during the course of Qualified Installations. PCI SSC reserves the right to conduct such activities at any time, and each QIR Company is required to cooperate in such quality …
PCI SSC then performs monitoring activities to gain assurance that established requirements are in place and maintained as expected. This is achieved most often through review and monitoring of QIR Feedback Forms and may include audits of QIR Implementation Statements and other materials, information, or work product generated or obtained during the course of Qualified Installations. PCI SSC reserves the right to conduct such activities at any time, and each QIR Professional is required to cooperate in such quality assurance …
Removed
p. 13
Note: These status designations are not necessarily progressive: Any QIR Company’s or QIR Employee’s status may be revoked or a QIR Company’s QIR Agreement terminated for quality concerns. Accordingly, a QIR Company or QIR Employee may move directly from Good Standing to Revocation (defined below).
Nonetheless, non-severe quality concerns are generally first addressed through the Remediation process (described below) in order to promote improved performance.
Removed
p. 13
During Remediation, QIR Companies and QIR Employees may continue to perform installations, configurations and operational support. During Remediation and generally in connection with PCI SSC’s QIR Program quality assurance initiatives, PCI SSC may monitor and require QIR Companies to provide QIR Implementation Statements and any other materials, information or work product generated or obtained during the course of Qualified Installations (redacted in accordance with QIR Program policy). Such materials must be provided within three (3) weeks of PCI SSC’s request. QIR Companies may also be charged fees to cover PCI SSC’s costs of monitoring and Remediation.
Remediation is a joint effort between the QIR Company and PCI SSC to improve the quality of the QIR Company work product. The QIR Company must submit a Remediation plan acceptable to PCI SSC, detailing how the QIR Company plans to improve the quality of its Qualified Installations and related work product. PCI SSC may …
Modified
p. 13
If administrative or non-severe quality problems are detected, PCI SSC will typically recommend participation in the Remediation program. Remediation provides an opportunity for QIR Companies and/or Employees to improve performance by working closely with PCI SSC staff; and in the absence of participation, quality issues may increase.
If administrative or non-severe quality problems are detected, PCI SSC will typically recommend participation in the Remediation program, which provides an opportunity for QIR Professionals to improve performance by working closely with PCI SSC staff.
Modified
p. 15
Revocation is subject to appeal and possible reinstatement of qualification in accordance with QIR Program policies and procedures. All appeals must be submitted to PCI SSC in writing within thirty (30) days of Revocation, addressed to the PCI SSC General Manager, and must follow all applicable procedures as specified by PCI SSC. All determinations of PCI SSC regarding Revocation and any related appeals are in PCI SSC’s sole discretion, final and binding upon the QIR Company. In the event the …
Revocation is subject to appeal and possible reinstatement of qualification in accordance with QIR Program policies and procedures. All appeals must be submitted to PCI SSC in writing within thirty (30) days of Revocation, addressed to the PCI SSC QIR Program Manager, and must follow all applicable procedures as specified by PCI SSC. All determinations of PCI SSC regarding Revocation and any related appeals are in PCI SSC’s sole discretion, final, and binding upon the QIR Professional. In the event …
Modified
p. 15
Upon Revocation, the period of ineligibility will be a minimum of one (1) year as determined by PCI SSC in a reasonable and non-discriminatory manner (in light of the circumstances) after the date of Revocation or unsuccessful resolution of appeal, whichever is later.
Upon Revocation, the period of ineligibility will be a minimum of one (1) year (to be determined by PCI SSC in a reasonable and non-discriminatory manner, in light of the circumstances) after the date of Revocation or unsuccessful resolution of appeal, whichever is later.
Removed
p. 16
The following forms of documented evidence are acceptable for purposes of compliance with the QIR Program Guide.
• Copies of any logs or configuration files used or generated
• Copies of any application-vendor written/published documentation used
• Copies of any troubleshooting requests raised with the application vendor during or as a result of the implementation
• Any written/published application-vendor procedures used during the implementation
• Any written process documents
• Interview notes
• Change-control documentation
• Installation logs
• System-configuration files
• Written/published methodologies
• Any written/published vendor procedures
• Copies/screenshots of any of the following: displays of payment card data including but not limited to POS devices, screens, logs and receipts
• Screenshots of any configuration settings including but not limited to those settings relevant to secure authentication, logging and remote access