Document Comparison

QSA_Qualification_Requirements_v3_0.pdf QSA_Qualification_Requirements_v4.0.pdf
92% similar
60 → 65 Pages
25328 → 26159 Words
112 Content Changes

Content Changes

112 content changes. 66 administrative changes (dates, page numbers) hidden.

Added p. 2
• Increased Violation period to three (3) years

• Clarified QSA Company and Employee qualification requirements

• Enhanced Business Legitimacy requirements

• Enhanced separation of duties, independence, and conflict of interest requirements

• Clarified regional requirements

• Clarified subcontracting vs. partnership with active QSA Company

• Enhanced QSA Employee skills and experience requirements

• Added PCI SSC Code of Professional Responsibility

• Enhanced background check requirements

• Enhanced QSA Company internal quality assurance requirements

• Enhanced Evidence (Assessment workpaper) retention requirements

• Added Security Incident Response

• Enhanced annual requalification requirements

• Enhanced Assessor Quality Management process: QSA Audit, Quality Remediation and Revocation process

• Updated the QSA Agreement (Appendix A)

• Updated insurance requirements (Appendix B)

• Added QSA Company application (Appendix C)

March 2021 4.0

• Added requirement for annual QA questionnaire

• Added requirement that QA staff at QSA Company hold a PCI credential

• Added requirement for periodic checks on QA process

• Added requirement for QSA Company to have conflict of interest policy

• Added requirement for QSAs …
Added p. 5
Participating Payment Brand Refer to QSA Agreement.

PCI CPE Maintenance Guide Provides the number of CPEs required on an annual basis by assessors to remain certified.
Added p. 6
QSA Program The PCI SSC Qualified Security Assessor (QSA) Program described in this document and related PCI SSC publications.

• PCI QSA Program Guide

• ROC Reporting Template

Applications must indicate all geographic region(s) or countries for which the QSA Company candidate is applying. See the Website

• PCI SSC Programs Fee Schedule. All application packages must include a signed QSA Agreement and all required documentation. Applicants must send their completed application packages by mail to the following address (e-mail submissions will not be accepted):
Added p. 10
• Copy of current QSA Company (or candidate QSA Company) formation document or equivalent approved by PCI SSC (the “Business License”), including year of incorporation, and location(s) of offices (Refer to the Documents Library on the Website

• To the extent permitted by applicable law, written statements describing all past or present allegations or convictions of any fraudulent or criminal activity involving the QSA Company, QSA Company candidate or any principal thereof, and any Assessor-Employee thereof, and the status and resolution

The QSA Company must have a conflict of interest policy and provide the policy to PCI SSC upon request. The QSA Company’s conflict of interest policy must:

• Identify key areas in which conflict, or the appearance of conflict, may arise for Assessor-Employees

• Require the disclosure of potential conflicts in writing (via the QSA Company’s conflict of interest disclosure process) to the QSA Company by the Assessor-Employee at hire and annually

• …
Added p. 14
• Description of the applicant QSA Company’s relevant areas of specialization within information security (for example, network security, database and application security, and incident response), demonstrating at least one area of specialization

• Evidence of a dedicated security practice, such as:

• Brief description of other core business offerings

• Description of size and types of market segments in which the applicant QSA Company tends to focus, such as Fortune 500, financial industry, insurance industry, or small-to-medium sized businesses

• List of languages supported by the applicant QSA Company

• Two client references from security engagements performed by the applicant QSA Company within the last 12 months

3.2 QSA Employee Skills and Experience

3.2.1 Requirement

Each QSA Employee performing or managing PCI SSC Assessments must satisfy the following requirements:

• Possess at least one of the following accredited, industry-recognized professional certifications from each list:

• (METI) Registered Information Security Specialist (RISS)*

• *If RISS is the only …
Added p. 18
• Résumé or Curriculum Vitae (CV) of each candidate Associate QSA Employee, describing the requirements above, with respective dates.
Added p. 21
• A written statement that it successfully completed such background checks for each candidate Assessor-Employee.

• The QSA Company must adhere to all QSA Program quality assurance requirements described in this document or otherwise established by PCI SSC from time to time.

• Requirements for internal periodic checks, at least annually, of the QSA Company’s QA program to monitor the effectiveness, and evolving QA processes, of such QA program

• The QSA Company must have qualified personnel (independent of the assessing and/or authoring QSA Employee) conduct a quality assurance review of assessment procedures performed, supporting documentation and workpapers retained in accordance with QSA Company’s Workpaper Retention Policy, information documented in the ROC related to the appropriate selection of system components, sampling procedures, compensating controls, remediation recommendations, proper use of payment definitions, consistent findings, thorough documentation of results, sampled workpaper retention review, and review of servicing markets/qualified regions.

• As of March 31, 2022, all …
Added p. 24
• A requirement that all Assessment Results and Related Materials must be classified as confidential and handled accordingly, with detailed instructions describing how Assessor-Employees are to comply with this requirement. If the classification and handling of confidential information is addressed in other confidential and sensitive data protection handling policies of the QSA Company, this should be clearly noted within the Workpaper Retention Policy.
Added p. 26
Note: QSA Companies must ensure that each of its QSA Employees only works on those PCI SSC Assessments for which the QSA Employee is properly qualified by PCI SSC, has appropriate skills, including technology and language, and has an appropriate understanding of the customer’s/client’s business.
Added p. 27
• Proof of maintaining professional certification(s) as required per Section 3.2, “QSA Employee

• Payment of annual re-qualification fees in accordance with the Website

• Proof of information-systems audit training within the last 12 months in accordance with the current version of the PCI CPE Maintenance Guide
Added p. 28
The AQM team will review the completed QSA Annual QA Questionnaire to monitor the QSA Company’s on-going adherence to program requirements and provide relevant feedback in the Portal.
Added p. 51
• WORKERS’ COMPENSATION: Statutory Workers Compensation as required by applicable law and

• EMPLOYER’S LIABILITY with a limit of $1,000,000

• COMMERCIAL GENERAL LIABILITY INSURANCE including PRODUCTS, COMPLETED OPERATIONS, ADVERTISING INJURY, PERSONAL INJURY and CONTRACTUAL LIABILITY INSURANCE with the following minimum limits for Bodily Injury and Property Damage on an Occurrence basis: $1,000,000 per occurrence and $2,000,000 annual aggregate. PCI SSC to be added as “Additional Insured.” The policy Coverage Territory must include the entire Region(s) in which the QSA Company has qualified to operate.

• COMMERCIAL AUTOMOBILE INSURANCE including owned, leased, hired, or non-owned autos subject to minimum limits of $1,000,000 per accident
Added p. 54
The Company hereby certifies that it has a conflict of interest policy and agrees to provide that policy to PCI SSC upon request.
Added p. 55
• Agrees to maintain and adhere to a conflict of interest policy, and provide the policy and/or any signed disclosure statements to PCI SSC upon request
Added p. 59
Internal Quality Assurance

4.3.1 Provisions

• The Company acknowledges and agrees that, as of March 31, 2022, all quality assurance reviews must be completed by personnel qualified by PCI SSC as a QSA, AQSA, or PCIP.

• The Company understands and agrees that it must annually provide to PCI SSC the completed QSA Annual QA Questionnaire in the Portal.

• The Company acknowledges and agrees that it must adhere to all quality assurance requirements described in the QSA Qualification Requirements and supporting documentation, must have a quality assurance program, documented in its Quality Assurance manual, and must maintain and adhere to a documented quality assurance process and manual that includes all items described in Section 4.3.1 of the QSA Qualification Requirements.
Added p. 63
METI RISS Certification number: Date achieved:
Modified p. 1
Payment Card Industry (PCI) Data Security Standard Qualification Requirements For Qualified Security Assessors (QSA) Version 3.0
Payment Card Industry (PCI) Qualification Requirements For Qualified Security Assessors (QSA) Version 4.0
Modified p. 2
February 2016 2.1 Updated Section 3.2.1 to clarify professional certification requirements.
• Added QSA Employee application (Appendix D) 2.1 Updated Section 3.2.1 to clarify professional certification requirements.
Modified p. 2
• Clarified ‘in process’ certifications
• Clarified ‘in process’ certifications 3.1 Updated Section 3.2.1 adding RISS professional certification to List A
Removed p. 4
In addition to the qualifications offered under the PCI SSC Qualified Security Assessor Program described in this document and related PCI SSC publications (the “QSA Program”), PCI SSC offers the following related assessor qualifications under its corresponding PCI SSC programs: Payment Application Qualified Security Assessor (PA-QSA), PCI Forensics Investigator (PFI), Qualified Security Assessor for Point-to-Point Encryption (QSA (P2PE)), and Payment Application Qualified Security Assessor for Point-to-Point Encryption (PA-QSA (P2PE)). Qualification under each of these Programs requires QSA Company qualification and satisfaction of applicable PCI SSC Program-specific requirements.
Modified p. 4 → 5
Associate QSA Employee An individual who is employed by a QSA Company and has satisfied and continues to satisfy all QSA Requirements applicable to Associate QSA Employees.
Associate QSA Employee (“AQSA”) An individual who is employed by a QSA Company and has satisfied and continues to satisfy all QSA Requirements applicable to Associate QSA Employees.
Modified p. 5
PCI DSS Assessment The onsite review of an entity by a QSA Company to determine the entity’s compliance with the PCI DSS for QSA Program purposes.
PCI DSS Assessment The review of an entity by a QSA Company to determine the entity’s compliance with the PCI DSS for QSA Program purposes.
Modified p. 5 → 6
QSA Employee An individual who is employed by a QSA Company and satisfies and continues to satisfy all QSA Requirements applicable to QSA Employees.
QSA Annual QA Questionnaire With respect to the QSA Annual QA Questionnaire Process, the then-current version of the form available on the Portal that must be completed by QSA Companies on an annual basis and provided to PCI SSC for quality monitoring purposes.
QSA Employee An individual who is employed by a QSA Company and satisfies and continues to satisfy all QSA Requirements applicable to QSA Employees.
Modified p. 5 → 6
QSA Requirements With respect to a given QSA Company or Assessor-Employee, the applicable requirements and obligations thereof pursuant to the QSA Qualification Requirements, the QSA Agreement, each addendum, supplement, or other agreement or attestation entered into between such QSA Company or Assessor-Employee and PCI SSC, and any and all other policies, procedures, requirements, validation or qualification requirements, or obligations imposed, mandated, provided for or otherwise established by PCI SSC from time to time in connection with any PCI SSC Program …
QSA Requirements With respect to a given QSA Company or Assessor-Employee, the applicable requirements and obligations thereof pursuant to the QSA Qualification Requirements, the QSA Agreement, each addendum, supplement, or other agreement or attestation entered into between such QSA Company or Assessor- Employee and PCI SSC, and any and all other policies, procedures, requirements, validation or qualification requirements, or obligations imposed, mandated, provided for or otherwise established by PCI SSC from time to time in connection with any PCI SSC …
Modified p. 7
Section 6. Assessor Quality Management describes PCI SSC’s assessor quality management process, including remediation and revocation.
Section 6: Assessor Quality Management describes PCI SSC’s assessor quality management process, including remediation and revocation.
Modified p. 7
Appendices: The appendices to the QSA Qualification Requirements include the QSA Agreement (Appendix A), insurance requirements (Appendix B), QSA Company (Appendix C), QSA Employee (Appendix D), Associate QSA Employee (Appendix E) application forms.
Appendices: The appendices to the QSA Qualification Requirements include the QSA Agreement (Appendix A), Insurance Requirements (Appendix B), QSA Company (Appendix C), QSA Employee (Appendix D), Associate QSA Employee (Appendix E) application forms.
Modified p. 7 → 8
§ PCI QSA Program Guide
§ ROC Reporting Template
§ PCI SSC Code of Professional Responsibility
1.6 QSA Company Application Process
This document describes the information that must be provided to PCI SSC as part of the application and qualification process, as well as ongoing requalification requirements. Each outlined requirement is followed by the information (“Provision”) that must be submitted to document how the security company and employees meet or exceed the stated requirements.
PCI SSC Code of Professional Responsibility
1.6 QSA Company Application Process
This document describes the information that must be provided to PCI SSC as part of the application and qualification process, as well as ongoing requalification requirements. Each outlined requirement is followed by the information (“Provision”) that must be submitted to document how the security company and employees meet or exceed the stated requirements.
Modified p. 7 → 8
Note: QSA Companies are authorized to perform PCI DSS Assessments and QSA-related duties only in the geographic region(s) or country(s) in which they have been qualified to perform services. Under no circumstances may QSA Companies perform PCI DSS Assessments, or act as a QSA Company in any capacity, outside of the qualified region(s). If QSA Program-related tasks must be performed outside of the qualified region it may be necessary to engage a QSA Company within that region to perform the …
Note: QSA Companies are authorized to perform PCI DSS Assessments and QSA-related duties only in the geographic region(s) or country(s) in which they have been qualified to perform services. Under no circumstances may QSA Companies perform PCI DSS Assessments, or act as a QSA Company in any capacity, outside of the qualified region(s) or countries. If QSA Program-related tasks must be performed outside of the qualified region or country it may be necessary to engage a QSA Company within that region or …
Modified p. 7 → 8
Note: A QSA Company is eligible to take part in the Associate QSA Program if it is in Good Standing (as defined in the QSA Agreement) as a QSA Company and has been active as a QSA Company for at least two years. Associate QSA Employee candidates must submit an Associate QSA Employee Application (see Appendix E).
Note: A QSA Company is eligible to take part in the Associate QSA Program if it is in Good Standing (as defined in the QSA Agreement) as a QSA Company and has been active as a QSA Company for at least two years. Associate QSA Employee candidates must submit an Associate QSA Employee Application (see Appendix E) to PCI SSC.
Modified p. 8 → 9
Note: PCI SSC reserves the right to reject any application from any applicant (company or employee) that PCI SSC determines has committed, within three (3) years prior to the application date, any conduct that may be considered a “Violation” (defined for purposes of Section 6.3 below or the QSA Agreement) if committed by a QSA Company or Assessor-Employee. The period of ineligibility will be a minimum of one (1) year, as determined by PCI SSC in a reasonable and non-discriminatory …
Note: Applications that are inactive for a period of 180 calendar days will be deleted. PCI SSC reserves the right to reject any application from any applicant (company or employee) that PCI SSC determines has committed, within three (3) years prior to the application date, any conduct that may be considered a “Violation” (defined for purposes of Section 6.3 below or the QSA Agreement) if committed by a QSA Company or Assessor-Employee. The period of ineligibility will be a minimum …
Modified p. 9 → 10
§ Copy of current QSA Company (or candidate QSA Company) formation document or equivalent approved by PCI SSC (the “Business License”), including year of incorporation, and location(s) of offices (Refer to the Documents Library on the Website

Business License Requirements for more information) § To the extent permitted by applicable law, written statements describing all past or present allegations or convictions of any fraudulent or criminal activity involving the QSA Company, QSA Company candidate or any principal thereof, and any …
• Written statements describing any past or present appeals or revocations of any qualification issued by PCI SSC to the QSA Company (or any predecessor entity or, unless prohibited by applicable law, any Assessor-Employee of any of the foregoing), and the current status and any resolution thereof
2.2 Independence
2.2.1 Requirement
The QSA Company must adhere to professional and business ethics, perform its duties with objectivity, and limit sources of influence that might compromise its independent judgment in performing PCI …
Modified p. 9 → 10
The QSA Company must have a code-of-conduct policy, and provide the policy to PCI SSC upon request. The QSA Company’s code-of-conduct policy must support, and never contradict, the PCI SSC Code of Professional Responsibility.
The QSA Company must have a code-of-conduct policy and provide the policy to PCI SSC upon request. The QSA Company’s code-of-conduct policy must support, and never contradict, the PCI SSC Code of Professional Responsibility.
Modified p. 9 → 11
§ The QSA Company will not undertake to perform any PCI SSC Assessment of any entity that it controls, is controlled by, is under common control with, or in which it holds any investment.
The QSA Company will not undertake to perform any PCI SSC Assessment of any entity that it controls, is controlled by, is under common control with, or in which it holds any investment.
Modified p. 10 → 11
§ The QSA Company must fully disclose in the Report on Compliance if it assesses any customer that uses any security-related device or security-related application developed or manufactured by the QSA Company, or to which the QSA Company owns the rights, or that the QSA Company has configured or manages, including but not limited to the following:
The QSA Company must fully disclose in the Report on Compliance if it assesses any customer that uses any security-related device or security-related application developed or manufactured by the QSA Company, or to which the QSA Company owns the rights, or that the QSA Company has configured or manages, including but not limited to the following:
Modified p. 10 → 11
Vulnerability scanning services or solutions § When recommending remediation actions that include one of its own solutions or products, the QSA Company must also recommend other market options that exist.
• When recommending remediation actions that include one of its own solutions or products, the QSA Company must also recommend other market options that exist.
Modified p. 10 → 11
§ The QSA Company must have separation of duties controls in place to ensure Assessor-Employees conducting or assisting with PCI SSC Assessments are independent and not subject to any conflict of interest.
The QSA Company must have separation of duties controls in place to ensure Assessor-Employees conducting or assisting with PCI SSC Assessments are independent and not subject to any conflict of interest.
Modified p. 10 → 11
§ The QSA Company will not use its status as a “listed QSA” to market services unnecessary to bring QSA Company clients into compliance with the PCI DSS or any other PCI SSC Standard.
The QSA Company will not use its status as a “listed QSA” to market services unnecessary to bring QSA Company clients into compliance with the PCI DSS or any other PCI SSC Standard.
Modified p. 10 → 11
§ The QSA Company must not misrepresent any requirement of the PCI DSS or any other PCI SSC Standard in connection with its promotion or sales of services to its clients, or state or imply that the PCI DSS or any other PCI SSC Standard requires usage of the QSA Company's products or services.
The QSA Company must not misrepresent any requirement of the PCI DSS or any other PCI SSC Standard in connection with its promotion or sales of services to its clients, or state or imply that the PCI DSS or any other PCI SSC Standard requires usage of the QSA Company's products or services.
Modified p. 10 → 12
§ The QSA Company must notify its Assessor-Employees of the independence requirements provided for in this document, as well as QSA Company’s independence policy, at least annually.
The QSA Company must notify its Assessor-Employees of the independence requirements provided for in this document, as well as QSA Company’s independence policy and conflict of interest policy, at least annually.
Modified p. 11 → 13
§ Regional qualification fees (vary by country or region) § Annual regional re-qualification fees for subsequent years (also vary by country or region) § Annual training fee for each Assessor-Employee (or candidate)
Annual regional re-qualification fees for subsequent years (also vary by country or region)
Modified p. 11 → 13
PCI SSC requires that a QSA Agreement between PCI SSC and the applicant QSA Company be signed by a duly authorized officer of the applicant QSA Company, and submitted to PCI SSC in unmodified form with the completed QSA Company application package.
PCI SSC requires that a QSA Agreement between PCI SSC and the applicant QSA Company be signed by a duly authorized officer of the applicant QSA Company and submitted to PCI SSC in unmodified form with the completed QSA Company application package.
Modified p. 12 → 14
§ Be in Good Standing as a QSA Company;
§ Have been active as a QSA Company for at least two years;
§ Have at least one QSA Employee that qualifies as a Mentor (refer to Section 3.3.3 for Mentor requirements); and
§ Adhere to the requirements of the Mentor program. Refer to Section 3.3.3 for Mentor Requirements.
Be in Good Standing as a QSA Company;
Have been active as a QSA Company for at least two years;
Have at least one QSA Employee that qualifies as a Mentor (refer to Section 3.3.3 for Mentor requirements); and
Adhere to the requirements of the Mentor program. Refer to Section 3.3.3 for Mentor Requirements.
Modified p. 12 → 14
§ Description of the applicant QSA Company’s experience and knowledge with information security audit engagements, preferably related to payment systems, equal to at least one year or three separate audits § Description of the applicant QSA Company’s relevant areas of specialization within information security (for example, network security, database and application security, and incident response), demonstrating at least one area of specialization § Evidence of a dedicated security practice, such as:
Description of the applicant QSA Company’s experience and knowledge with information security audit engagements, preferably related to payment systems, equal to at least one year or three separate audits
Modified p. 12 → 14
• The total number of employees on staff and the number of those performing security assessments § Brief description of other core business offerings
• The total number of employees on staff and the number of those performing security assessments
Modified p. 13 → 15
§ Pass background checks required per Section 4.2.
Pass background checks required per Section 4.2.
Modified p. 13 → 15
§ Possess sufficient information security knowledge and experience to conduct technically complex security assessments.
Possess sufficient information security knowledge and experience to conduct technically complex security assessments.
Modified p. 13 → 15
§ Possess a minimum of one year of experience in each of the following information security disciplines (experience may be acquired concurrently, for example, if the role involved experience in multiple disciplines at the same time):
Possess a minimum of one year of experience in each of the following information security disciplines (experience may be acquired concurrently, for example, if the role involved experience in multiple disciplines at the same time):
Modified p. 13 → 15
Network security § Possess a minimum of one year of experience in each of the following audit/ assessment disciplines (experience may be acquired concurrently, for example, if the role involved experience in multiple disciplines at the same time):
• Possess a minimum of one year of experience in each of the following audit/ assessment disciplines (experience may be acquired concurrently, for example, if the role involved experience in multiple disciplines at the same time):
Removed p. 14
Note: The requirement to possess at least one industry-recognized certification from each list is effective as of January 1, 2019 for new QSA Employees.

For QSA Employees qualified and added to the search tool prior to January 1, 2019, this requirement is effective July 1, 2019 (for example, upon annual requalification after June 30, 2019).

“In process” certifications, where the certification number has not yet been issued, do not meet the requirement.

§ Adhere to the PCI SSC Code of Professional Responsibility.
Modified p. 14 → 16
IIA Certified Internal Auditor (CIA) § Possess knowledge about the PCI DSS and all applicable documents on the PCI SSC Website.
• Possess knowledge about the PCI DSS and all applicable documents on the PCI SSC Website.
Modified p. 14 → 16
§ Attend annual QSA Employee training provided by PCI SSC, and legitimately pass, of his or her own accord without any unauthorized assistance, all examinations conducted as part of training. If a QSA Employee fails to pass any exam in connection with such training, the QSA Employee must no longer lead or manage any PCI SSC Assessment until successfully passing the exam.
Attend annual QSA Employee training provided by PCI SSC, and legitimately pass, of his or her own accord without any unauthorized assistance, all examinations conducted as part of training. If a QSA Employee fails to pass any exam in connection with such training, the QSA Employee must no longer lead or manage any PCI SSC Assessment until successfully passing the exam.
Modified p. 15 → 17
§ Pass background checks required per Section 4.2.
Pass background checks required per Section 4.2.
Modified p. 15 → 17
§ A record of working experience and responsibilities outlined in Section 3.2.1 above, by completing and submitting Appendix D for each candidate QSA Employee, and; § Résumé or Curriculum Vitae (CV) of each candidate QSA Employee.
A record of working experience and responsibilities outlined in Section 3.2.1 above, by completing and submitting Appendix D for each candidate QSA Employee, and;
Modified p. 15 → 17
§ Possess a university or college diploma OR possess a minimum of two years’ experience in an Information Security or IT-related field.
Possess either a university or college diploma in an Information Security or IT-related field; or a minimum of two years’ experience in an Information Security or IT-related field.
Modified p. 15 → 17
§ Attend annual QSA Employee training provided by PCI SSC, and legitimately pass, of his or her own accord without any unauthorized assistance, all examinations conducted as part of training. If an Associate QSA Employee fails to pass any exam in connection with such training, the Associate QSA Employee must no longer assist on any PCI SSC Assessment until successfully passing the exam.
Attend annual QSA Employee training provided by PCI SSC, and legitimately pass, of his or her own accord without any unauthorized assistance, all examinations conducted as part of training. If an Associate QSA Employee fails to pass any exam in connection with such training, the Associate QSA Employee must no longer assist on any PCI SSC Assessment until successfully passing the exam.
Modified p. 15 → 17
§ Adhere to the PCI SSC Code of Professional Responsibility.
Adhere to the PCI SSC Code of Professional Responsibility.
Modified p. 15 → 17
§ Be an employee of the QSA Company (meaning this work cannot be subcontracted to non-employees)
Be an employee of the QSA Company (meaning this work cannot be subcontracted to non-employees)
Modified p. 16 → 18
§ A record of educational accomplishments and/or working experience and responsibilities outlined in Section 3.3.1 above, by completing and submitting Appendix E for each candidate Associate QSA Employee; and § Résumé or Curriculum Vitae (CV) of each candidate Associate QSA Employee, describing the requirements above, with respective dates.
A record of educational accomplishments and/or working experience and responsibilities outlined in Section 3.3.1 above, by completing and submitting Appendix E for each candidate Associate QSA Employee; and
Modified p. 16 → 18
§ The Mentor must be a QSA Employee who has been certified for at least three years and has led at least three PCI DSS assessments resulting in ROCs in the last three years for three different clients.
The Mentor must be a QSA Employee who has been certified for at least three years and has led at least three PCI DSS assessments resulting in ROCs in the last three years for three different clients.
Modified p. 16 → 18
§ A Mentor must have no more than three Associate QSA Employees assigned to them at one time.
A Mentor must have no more than three Associate QSA Employees assigned to them at one time.
Modified p. 16 → 18
§ The QSA Company will maintain a Mentor Manual that will clearly document the responsibilities of Mentors based on applicable PCI SSC Mentor requirements, including those set forth herein and in the QSA Program Guide.
The QSA Company will maintain a Mentor Manual that will clearly document the responsibilities of Mentors based on applicable PCI SSC Mentor requirements, including those set forth herein and in the QSA Program Guide.
Modified p. 16 → 18
The QSA Company applying to join the Associate QSA program must provide a copy of its Mentor Manual for review by PCI SSC. Details on the contents of the Mentor Manual as well as templates can be found in the QSA Program Guide.
The QSA Company applying to join the Associate QSA program must provide a copy of its Mentor Manual for review by PCI SSC (refer to the Website for the most recent version of PCI SSC’s AQSA Mentor Manual template). Details on the contents of the Mentor Manual as well as templates can be found in the QSA Program Guide.
Modified p. 18 → 20
§ Job title
§ Phone number
§ Fax number
§ E-mail address
4.2 Background Checks
4.2.1 Requirement
Each QSA Company must perform background checks that satisfy the provisions described below (to the extent legally permitted within the applicable jurisdiction) with respect to each applicant Assessor-Employee.
E-mail address
4.2 Background Checks
4.2.1 Requirement
Each QSA Company must perform background checks that satisfy the provisions described below (to the extent legally permitted within the applicable jurisdiction) with respect to each applicant Assessor-Employee.
Modified p. 18 → 20
§ Attestation that its policies and hiring procedures include performing background checks: Examples of background checks include previous employment history, criminal record, credit history, and reference checks.
Attestation that its policies and hiring procedures include performing background checks: Examples of background checks include previous employment history, criminal record, credit history, and reference checks.
Modified p. 19 → 21
§ A summary description of current Assessor-Employee personnel background check policies and procedures, which must require and include the following:
A summary description of current Assessor-Employee personnel background check policies and procedures, which must require and include the following:
Modified p. 19 → 21
• Annual background checks consistent with this section for each of its Assessor-Employees for any change in criminal records, arrests or convictions 4.3 Internal Quality Assurance 4.3.1 Requirement § The QSA Company must adhere to all QSA Program quality assurance requirements described in this document or otherwise established by PCI SSC from time to time.
• Annual background checks consistent with this section for each of its Assessor-Employees for any change in criminal records, arrests or convictions 4.3 Internal Quality Assurance 4.3.1 Requirement
Modified p. 19 → 21
§ The QSA Company must have a quality assurance (QA) program, documented in its Quality Assurance manual.
The QSA Company must have a quality assurance (QA) program, documented in its Quality Assurance manual.
Modified p. 19 → 21
§ The QSA Company must maintain and adhere to a documented quality assurance process and manual, which includes all of the following:
The QSA Company must maintain and adhere to a documented quality assurance process and manual, which includes all of the following:
Modified p. 19 → 21
• Requirements for handling and retention of workpapers and other PCI DSS Assessment Results and Related Materials (defined in the QSA Agreement; see also Section 4.5 for specific requirements for Workpaper Retention Policy requirements and specifications)
• Requirements for handling and retention of workpapers and other PCI DSS Assessment Results and Related Materials (defined in the QSA Agreement; see also
Removed p. 20
• Requirement for all Assessor-Employees to regularly monitor the Website for updates, guidance and new publications relating to the QSA Program § The QSA Company must have qualified personnel (independent of the assessing and/or authoring QSA Employee) conduct a quality assurance review of assessment procedures performed, supporting documentation workpapers retained in accordance with QSA Company’s Workpaper Retention Policy, information documented in the ROC related to the appropriate selection of system components, sampling procedures, compensating controls, remediation recommendations, proper use of payment definitions, consistent findings, and thorough documentation of results.
Modified p. 20 → 22
§ The QSA Company must inform each client of the QSA Feedback Form (available on the Website) upon commencement of each PCI SSC Assessment.
The QSA Company must inform each PCI SSC Assessment Services client of the QSA Feedback Form (available on the Website) upon commencement of each PCI SSC Assessment.
Modified p. 20 → 22
§ PCI SSC, at its sole discretion, reserves the right to conduct audits of the QSA Company at any time and further reserves the right to conduct site visits at the expense of the QSA Company.
PCI SSC, at its sole discretion, reserves the right to conduct audits of the QSA Company at any time and further reserves the right to conduct site visits at the expense of the QSA Company.
Modified p. 20 → 22
§ Upon request, the QSA Company (or applicant) must provide a complete copy of the quality assurance manual to PCI SSC.
Upon request, the QSA Company (or applicant) must provide a complete copy of the quality assurance manual to PCI SSC.
Removed p. 21
• Systems storing customer data do not reside on Internet accessible systems
Modified p. 21 → 23
§ Physical, electronic, and procedural safeguards including:
Physical, electronic, and procedural safeguards including:
Modified p. 21 → 23
Strong encryption of customer data on portable devices such as laptops and removable media § A blank copy of the QSA Company’s confidentiality agreement(s) that each Assessor-Employee is required to sign 4.5 Evidence (Assessment Workpaper) Retention 4.5.1 Requirement § Assessment Results and Related Materials (defined in the QSA Agreement), including but not limited to PCI SSC Assessment workpapers and related materials, represent the evidence generated and/or gathered by a QSA Company to support the contents of each ROC …
• Assessment Results and Related Materials (defined in the QSA Agreement), including but not limited to PCI SSC Assessment workpapers and related materials, represent the evidence generated and/or gathered by a QSA Company to support the contents of each ROC or assessment report. Retention of Assessment Results and Related Materials is required and the Assessment Results and Related Materials relating to a given PCI SSC Assessment should represent all steps of the PCI SSC Assessment from end-to-end. Such Assessment Results …
Modified p. 21 → 24
§ A blank copy of the QSA Company’s Workpaper Retention Policy agreement that each Assessor-Employee is required to sign, included as part of the policy, which includes agreement to conform at all times with the Workpaper Retention Policy and the QSA Qualification Requirements.
A blank copy of the QSA Company’s Workpaper Retention Policy agreement that each Assessor-Employee is required to sign, included as part of the policy, which includes agreement to conform at all times with the Workpaper Retention Policy and the QSA Qualification Requirements.
Modified p. 22 → 24
§ A requirement that Assessment Results and Related Materials must be retained for at least three (3) years and must include all digital and hard copy evidence created and/or obtained by or on behalf of the QSA Company during each PCI SSC Assessment•including but not limited to: documentation reviewed (policies, processes, procedures, network and dataflow diagrams), case logs, meeting agendas and notes, evidence of onsite and offsite activities (including interview notes), screenshots, config files, results of any tests performed, and …
A requirement that Assessment Results and Related Materials must be retained for at least three (3) years and must include all digital and hard copy evidence created and/or obtained by or on behalf of the QSA Company during each PCI SSC Assessment •including but not limited to: documentation reviewed (policies, processes, procedures, network and dataflow diagrams), case logs, meeting agendas and notes, evidence of onsite and offsite activities (including interview notes), screenshots, config files, results of any tests performed, and …
Modified p. 22 → 24
§ Requirements ensuring that the QSA Company has confirmed that all Assessment Results and Related Materials relating to a given PCI SSC Assessment has in fact been retained in accordance with the procedures defined in the Workpaper Retention Policy, prior to releasing the final ROC or assessment report for that PCI SSC Assessment.
Requirements ensuring that the QSA Company has confirmed that all Assessment Results and Related Materials relating to a given PCI SSC Assessment has in fact been retained in accordance with the procedures defined in the Workpaper Retention Policy, prior to releasing the final ROC or assessment report for that PCI SSC Assessment.
Modified p. 22 → 24
§ All Assessment Results and Related Materials must be made available to PCI SSC and/or its Affiliates upon request for a minimum of three (3) years after completion of the applicable PCI SSC Assessment.
All Assessment Results and Related Materials must be made available to PCI SSC and/or its Affiliates upon request for a minimum of three (3) years after completion of the applicable PCI SSC Assessment.
Modified p. 22 → 24
§ The QSA Company must provide a copy of the Workpaper Retention Policy and related procedures to PCI SSC upon request, including copies of any other policies and procedures referenced within any of the foregoing documents, such as general confidential and sensitive data protection handling policies for the QSA Company.
The QSA Company must provide a copy of the Workpaper Retention Policy and related procedures to PCI SSC upon request, including copies of any other policies and procedures referenced within any of the foregoing documents, such as general confidential and sensitive data protection handling policies for the QSA Company.
Modified p. 22 → 25
The customer notification must be documented and retained in accordance with the QSA Company’s evidence-retention policy, along with a summary of the Incident and what actions
The customer notification must be documented and retained in accordance with the QSA Company’s evidence-retention policy, along with a summary of the Incident and what actions were taken in connection with the Incident and corresponding discovery and/or notification. QSA Companies and Assessor-Employees are required to be familiar with the obligations for reporting Incidents to each of the Participating Payment Brands.
Modified p. 23 → 25
No QSA Company or Assessor-Employee shall take any action after an Incident that is reasonably likely to diminish the integrity of, or otherwise interfere with or negatively affect the ability of a PFI to perform, any PFI Investigation (see the PCI Forensic Investigator (PFI) Program Guide for additional details).
No QSA Company or Assessor-Employee shall take any action after an Incident that is reasonably likely to diminish the integrity of, or otherwise interfere with or negatively affect the ability of a PCI Forensic Investigator (PFI) to perform, any “PFI Investigation” (see the PCI Forensic Investigator (PFI) Program Guide on the Website for additional details).
Modified p. 23 → 25
§ Instructions and procedures for notifying customers of Incidents discovered during or in connection with the performance of any PCI SSC Assessment or other QSA Program-related services, and documenting those Incidents and related information in accordance with Section 4.6.1.
Instructions and procedures for notifying customers of Incidents discovered during or in connection with the performance of any PCI SSC Assessment or other QSA Program-related services, and documenting those Incidents and related information in accordance with Section 4.6.1.
Modified p. 23 → 25
§ Retention requirement for all incident-related documentation, notices, and reports, with the same protections as those noted for work-paper retention in the QSA Company’s evidence-retention policy and procedures.
Retention requirement for all incident-related documentation, notices, and reports, with the same protections as those noted for work-paper retention in the QSA Company’s evidence-retention policy and procedures.
Modified p. 24 → 26
Additionally, each Assessor-Employee must be re-qualified by PCI SSC on an annual basis. The annual re-qualification date is based upon the Assessor-Employee’s previous qualification date. Re-qualification requires proof of CPEs as noted in Section 5.2.2, proof of training successfully completed, payment of annual training and re-qualification fees, and continued compliance with applicable QSA Requirements.
Additionally, each Assessor-Employee must be re-qualified by PCI SSC on an annual basis. The annual re-qualification date is based upon the Assessor-Employee’s previous qualification date. Re-qualification of QSA Employees requires proof of at least two of accredited, industry-recognized professional certifications in accordance with Section 3.2.1 above. Requalification of both QSA Employees and AQSA Employees requires proof of training successfully completed, payment of annual training and re-qualification fees, and continued compliance with applicable QSA Requirements.
Removed p. 25
QSA Employees § Proof of information systems audit training within the last 12 months in accordance with the current version of the PCI SSC CPE Maintenance Guide § Maintaining professional certification(s) as required per Section 3.2, “QSA Employee Skills and Experience.” PCI SSC reserves the right to request proof of current professional certifications at any time § Payment of annual re-qualification fees in accordance with the Website PCI SSC Programs Fee Schedule Associate QSA Employees § Proof of information-systems audit training within the last 12 months in accordance with the current version of the PCI SSC CPE Maintenance Guide § Payment of annual re-qualification fees in accordance with the Website PCI SSC Programs Fee Schedule
Modified p. 25 → 27
QSA Companies § Payment of annual fee for each region qualified
Payment of annual fee for each region or country qualified
Modified p. 25 → 27
Note: PCI SSC may from time to time request that QSA Companies and/or Assessor-Employees submit additional information or materials in order to demonstrate adherence to applicable requirements or as part of the applicable qualification or re-qualification process.
Note: PCI SSC may from time to time request that QSA Companies and/or Assessor- Employees submit additional information or materials in order to demonstrate adherence to applicable requirements or as part of the applicable qualification or re-qualification process.
Modified p. 28 → 30
§ The QSA Company and/or Assessor-Employee (as applicable) name will be removed from the relevant QSA List and/or search tool (as applicable).
The QSA Company and/or Assessor-Employee (as applicable) name will be removed from the relevant QSA List and/or search tool (as applicable).
Modified p. 28 → 30
§ PCI SSC may notify third parties.
PCI SSC may notify third parties.
Modified p. 28 → 30
§ A company and/or individual (as applicable) the Qualification of which has been revoked can reapply after 180 days; provided however, that (i) if revoked in connection with Remediation, an election not to participate in Remediation when offered, or due to failure to satisfy applicable quality assurance standards set by PCI SSC, such company and/or individual shall be ineligible to re-apply to the QSA Program for a period of two (2) years; and (ii) acceptance of qualification applications after revocation …
A company and/or individual (as applicable) the Qualification of which has been revoked can reapply after 180 days; provided however, that (i) if revoked in connection with Remediation, an election not to participate in Remediation when offered, or due to failure to satisfy applicable quality assurance standards set by PCI SSC, such company and/or individual shall be ineligible to re-apply to the QSA Program for a period of two (2) years; and (ii) acceptance of qualification applications after revocation …
Modified p. 29 → 32
Regions Applying For (see the Website - PCI SSC Programs Fee Schedule):
Regions/Countries Applying For (see the Website - PCI SSC Programs Fee Schedule):
Modified p. 29 → 32
Applicant’s Officer Signature á Date á Job Title:
Applicant’s Officer Signature Date Job Title:
Modified p. 29 → 32
PCI SSC Signature á Date á
PCI SSC Signature Date
Modified p. 33 → 36
(c) Except as expressly authorized herein, QSA shall not use any PCI SSC trademark, service mark, certification mark, logo or other indicator of origin or source (each a “Mark”) without the prior written consent of PCI SSC in each instance. Without limitation of the foregoing, absent the prior written consent of PCI SSC in each instance and except as otherwise expressly authorized herein, QSA shall have no authority to make, and consequently shall not make, any statement that would constitute …
(c) Except as expressly authorized herein, QSA shall not use any PCI SSC trademark, service mark, certification mark, logo or other indicator of origin or source (each a “Mark”) without the prior written consent of PCI SSC in each instance. Without limitation of the foregoing, absent the prior written consent of PCI SSC in each instance and except as otherwise expressly authorized herein, QSA shall have no authority to make, and consequently shall not make, any statement that would constitute …
Removed p. 48
§ WORKERS’ COMPENSATION: Statutory Workers Compensation as required by applicable law and § EMPLOYER’S LIABILITY with a limit of $1,000,000 § COMMERCIAL GENERAL LIABILITY INSURANCE including PRODUCTS, COMPLETED OPERATIONS, ADVERTISING INJURY, PERSONAL INJURY and CONTRACTUAL LIABILITY INSURANCE with the following minimum limits for Bodily Injury and Property Damage on an Occurrence basis: $1,000,000 per occurrence and $2,000,000 annual aggregate. PCI SSC to be added as “Additional Insured.” The policy Coverage Territory must include the entire Region(s) in which the QSA Company has qualified to operate.
Modified p. 48 → 51
§ COMMERCIAL AUTOMOBILE INSURANCE including owned, leased, hired, or non-owned autos subject to minimum limits of $1,000,000 per accident § CRIME/FIDELITY BOND including first-party employee dishonesty, robbery, fraud, theft, forgery, alteration, mysterious disappearance and destruction. Coverage must also include third-party employee dishonesty, i.e., coverage for claims made by the QSA Company’s client against the QSA Company for theft committed by the QSA Company’s employees. The minimum limit shall be $1,000,000 each loss and annual aggregate. The policy Coverage Territory must …
CRIME/FIDELITY BOND including first-party employee dishonesty, robbery, fraud, theft, forgery, alteration, mysterious disappearance and destruction. Coverage must also include third-party employee dishonesty, i.e., coverage for claims made by the QSA Company’s client against the QSA Company for theft committed by the QSA Company’s employees. The minimum limit shall be $1,000,000 each loss and annual aggregate. The policy Coverage Territory must include the entire Region(s) in which the QSA Company is qualified to operate.
Modified p. 48 → 51
§ TECHNOLOGY ERRORS & OMISSIONS, CYBER-RISK and PRIVACY LIABILITY INSURANCE covering liabilities for financial loss resulting or arising from acts, errors or omissions in rendering computer or information technology Services, or from data damage/destruction/corruption, including without limitation, failure to protect privacy, unauthorized access, unauthorized use, virus transmission, denial of service and loss of income from network security failures in connection with the Services provided under this agreement with a minimum limit of two million dollars ($2,000,000) each claim and annual …
TECHNOLOGY ERRORS & OMISSIONS, CYBER-RISK and PRIVACY LIABILITY INSURANCE covering liabilities for financial loss resulting or arising from acts, errors or omissions in rendering computer or information technology Services, or from data damage/destruction/corruption, including without limitation, failure to protect privacy, unauthorized access, unauthorized use, virus transmission, denial of service and loss of income from network security failures in connection with the Services provided under this agreement with a minimum limit of two million dollars ($2,000,000) each claim and annual …
Modified p. 48 → 51
Without limiting Security Assessor’s indemnification duties as outlined in the Indemnification Section herein, PCI SSC shall be named as an additional insured under the Commercial General Liability for any claims and losses arising out of, allegedly arising out of or in any way connected to the Security Assessor’s performance of the Services under this agreement. The insurers shall agree that the Security Assessor’s insurance is primary and any insurance maintained by CPS SSC shall be excess and non- contributing to …
Without limiting Security Assessor’s indemnification duties as outlined in the Indemnification Section herein, PCI SSC shall be named as an additional insured under the Commercial General Liability for any claims and losses arising out of, allegedly arising out of or in any way connected to the Security Assessor’s performance of the Services under this agreement. The insurers shall agree that the Security Assessor’s insurance is primary and any insurance maintained by PCI SSC shall be excess and non- contributing to …
Modified p. 50 → 53
The Company acknowledges and agrees that in order to participate as a QSA Company in the QSA Program, it must satisfy all of the requirements specified in the QSA Qualification Requirements and supporting documents QSA Company Business Requirements

• Section 2 The Company acknowledges the minimum business requirements and related information that must be provided to PCI SSC regarding the Company’s business legitimacy, independence, and required insurance coverage pursuant to Section 2 of the QSA Qualification Requirements, and agrees to comply …
The Company acknowledges and agrees that in order to participate as a QSA Company in the QSA Program, it must satisfy all of the requirements specified in the QSA Qualification Requirements and supporting documents
Modified p. 51 → 54
The Company hereby certifies that it has a code-of-conduct policy, and agrees to provide that policy to PCI SSC upon request.
The Company hereby certifies that it has a code-of-conduct policy and agrees to provide that policy to PCI SSC upon request.
Modified p. 51 → 55
• Agrees to maintain and adhere to a code-of-conduct policy, and provide the policy to PCI SSC upon request.
• Agrees to maintain and adhere to a code-of-conduct policy and provide the policy to PCI SSC upon request.
Removed p. 54
Internal Quality Assurance

• 4.3.2 Provisions The Company acknowledges and agrees that it must adhere to all quality assurance requirements described in the QSA Qualification Requirements and supporting documentation, must have a quality assurance program, documented in its Quality Assurance manual, and must maintain and adhere to a documented quality assurance process and manual that includes all items described in Section 4.3.1 of the QSA Qualification Requirements.

The Company acknowledges and agrees that its internal quality assurance reviews must be performed by qualified personnel (independent of the assessing and/or authoring QSA Employee) and must cover assessment procedures performed, supporting documentation, information documented in the ROC related to the appropriate selection of system components, sampling procedures, compensating controls, remediation recommendations, proper use of payment definitions, consistent findings, and thorough documentation of results.
Modified p. 54 → 59
Verification of aliases (when applicable) Reviewing records of any criminal activity, such as felony (or non-US equivalent) convictions or outstanding Annually review records of any criminal activity, such as felony (or non-US equivalent) convictions or outstanding warrants Minor offenses (for example, misdemeanors or non-US equivalents) are allowed, but major offenses (for example, felonies or non-US equivalents) automatically disqualify an employee from serving as an Assessor-Employee The Company understands and agrees that, upon request, it must provide to PCI SSC the …
Verification of aliases (when applicable) Reviewing records of any criminal activity, such as felony (or non-US equivalent) convictions or outstanding warrants Annually review records of any criminal activity, such as felony (or non-US equivalent) convictions or outstanding warrants Minor offenses (for example, misdemeanors or non-US equivalents) are allowed, but major offenses (for example, felonies or non-US equivalents) automatically disqualify an employee from serving as an Assessor-Employee The Company understands and agrees that, upon request, it must provide to PCI SSC …
Modified p. 56 → 61
Duly authorized officer signature á Date á
Duly authorized officer signature Date
Modified p. 58 → 63
ISO 27001, Lead Auditor/Implementer, Internal Auditor Certification number:
ISO 27001, Lead Auditor/Implement er, Internal Auditor Certification number:
Modified p. 58 → 63
(a) The information provided above is true, accurate and complete; (b) I have read and understand the QSA Qualification Requirements and will comply with the terms thereof; and (c) I have read and understand the PCI SSC Code of Professional Responsibility, and will advocate, continuously adhere to and support the terms and provisions thereof.
(a) The information provided above is true, accurate and complete; (b) I have read and understand the QSA Qualification Requirements and will comply with the terms thereof; (c) I have read and understand the PCI SSC Code of Professional Responsibility, and will advocate, continuously adhere to and support the terms and provisions thereof.
Modified p. 58 → 63
Candidate signature á Date á
Candidate signature Date
Modified p. 60 → 65
(a) The information provided above is true, accurate and complete; (b) I have read and understand the QSA Qualification Requirements and will comply with the terms thereof; and (c) I have read and understand the PCI SSC Code of Professional Responsibility, and will advocate, continuously adhere to and support the terms and provisions thereof.
(a) The information provided above is true, accurate and complete; (b) I have read and understand the QSA Qualification Requirements and will comply with the terms thereof; (c) I have read and understand the PCI SSC Code of Professional Responsibility, and will advocate, continuously adhere to and support the terms and provisions thereof.
Modified p. 60 → 65
Candidate signature á Date á
Candidate signature Date
Modified p. 60 → 65
Primary Contact Primary Contact signature á Date á Candidate Associate QSA Employee Application Acknowledgement By signing below, I hereby acknowledge and agree that:
Primary Contact Primary Contact signature Date Candidate Associate QSA Employee Application Acknowledgement By signing below, I hereby acknowledge and agree that: