Document Comparison
PFI_Qualification_Requirements_v3.1_April_2018.pdf → PFI_Qualification_Requirements_v3.2.pdf
94% similar
Pages: 38 → 37
Words: 12894 → 13201
Content Changes: 97
97 content changes. 43 administrative changes (dates, page numbers) hidden.
Added
p. 2
June 2019, version 3.2:
• Added “within 18 months” to Section 3.1.2 for the redacted report submittals when applying to be a PFI Company
• Enhanced section 4.2 Background Checks
• Clarified that PFI candidate applications must be completed within 12 months
Added
p. 12
• Reviewed by its QSA Employee.
• List of PFI Company’s language proficiencies
• Proof of substantial and appropriate knowledge and experience in investigating security breaches and compromises of data to enable the PFI Company (or candidate) to perform PFI Investigations in a proficient manner in accordance with industry practice and expectations
• Proof of competence in the use of industry-recognized forensic tools and software applications, as well as an investigative methodology that meet industry recognized legal and law enforcement standards
• List of all PFI Employees (or candidates) of the PFI Company (or candidate) and their respective individual qualifications
• Proven methodology for acquiring and analyzing digital evidence including live response and volatile memory analysis
• Proven methodology for investigating data security compromises involving each of the following:
• E-commerce compromises involving web applications
• Proficiency to analyze/reverse-engineer malware
• Attestation that each employee of the PFI Company (or candidate) with …
Added
p. 17
• Phone number
• Fax number
• E-mail address
4.2 Background Checks
4.2.1 Requirement
Each PFI Company must perform background checks that satisfy the provisions described below (to the extent legally permitted within the applicable jurisdiction) with respect to each applicant PFI Employee.
Minor offenses (for example, misdemeanors or non-US equivalents) are allowed; but major offenses (for example, felonies or non-US equivalents) automatically disqualify a candidate from qualifying as a PFI Employee. Upon request, each PFI Company must provide to PCI SSC the background check history for each PFI Employee (or candidate PFI Employee), to the extent legally permitted within the applicable jurisdiction.
Note: PCI SSC reserves the right to decline or reject any application or applicant PFI Employee.
Attestation that its policies and hiring procedures include performing background checks: Examples of background checks include previous employment history, criminal record, credit history, and reference checks.
A written statement that it successfully completed such background checks for …
Added
p. 25
Background check procedure and policy attestation as required in section 4.2.2, including:
• Attestation that its policies and hiring procedures include performing background checks.
• A summary description of current PFI personnel background check policies and procedures.
PFI QA Program
• Designation of Quality Assurance Manager.
• Description of contents of the candidate PFI Company’s quality assurance manual.
Evidence Handling
• Copies of the candidate PFI Company’s policies and procedures regarding evidence handling, preservation, integrity and collection, along with associated standard form of employee acknowledgement.
• Evidence of candidate PFI Employees’ proficiency in using the candidate PFI’s forensic investigation tools (such as copies of relevant certifications or evidence of training).
Removed
p. 6
• QSA Qualification Requirements
• PCI DSS Glossary of Terms, Abbreviations, and Acronyms (see Website)
• PCI 3DS Core Security Standard
1.3 PFI Application and Initial Qualification Process
In addition to outlining the requirements that a PFI Company and its PFI Employees must meet to perform PFI Investigations, this document describes the information that must be provided to the Approving Organization as part of the PFI Company application and qualification process. Each outlined requirement is followed by the information that must be submitted to the Approving Organization to document that the QSA Company applying to become a PFI Company meets or exceeds the stated requirements.
Modified
p. 6
Information that must be submitted as part of the PFI Application Package is specified in the PFI Application Checklist attached hereto as Appendix A. All PFI Application Packages must include all of the documentation specified in the PFI Application Checklist. All remaining materials specified in the PFI Qualification Requirements but not required as part of the PFI Application Package must be provided to the Approving Organization as part of the Qualification Review process and, in any event, prior to final …
Information that must be submitted as part of the PFI Application Package is specified in the PFI Application Checklist attached hereto as Appendix A. All PFI Application Packages must include all documentation specified in the PFI Application Checklist. All remaining materials specified in the PFI Qualification Requirements but not required as part of the PFI Application Package must be provided to the Approving Organization as part of the Qualification Review process and, in any event, prior to final qualification by …
Modified
p. 8 → 7
PFI Companies and PFI Employees must not enter into, accept or endure any agreement,
Removed
p. 9
• A PFI Company that has performed a PA-DSS Assessment, P2PE Assessment or 3-D Secure Assessment (as defined in the then-current version of (or successor document to) the QSA Qualification Requirements For Payment Application Qualified Security Assessors (PA-QSA), Payment Card Industry (PCI) Qualification Requirements For Point-to-Point Encryption (P2PE)™ Qualified Security Assessors
• Contract preparation
Modified
p. 9 → 8
With respect to each PFI Investigation, the PFI Company must enter into a written agreement directly with the applicable Entity Under Investigation, which at a minimum: (a) expressly includes such terms and provisions as may be necessary, reasonable or appropriate, or otherwise required by PCI SSC for purposes of enabling the PFI Company and its PFI Employees to perform such PFI Investigation, and render and deliver all associated PFI Services, conclusions, findings and PFI Reports, in each case, in …
Modified
p. 9 → 8
PFI Companies and PFI Employees are not permitted to perform any PFI Investigation for any company, organization or other entity for which the PFI Company (or any then-current PFI Employee of such PFI Company) has performed, within the then preceding three (3) years, a PCI DSS Assessment, ASV Assessment or QIR Installation (as defined in the then-current version of (or successor document to) the Payment Card Industry (PCI) Qualification Requirements for Qualified Integrators and Resellers (QIRs) appearing on the …
Modified
p. 9 → 8
• QSA (P2PE) and PA-QSA (P2PE) or Payment Card Industry (PCI) 3-D Secure (PCI 3DS) Qualification Requirements for 3DS Assessors (as applicable) appearing on the Website) of a product or solution that was involved in a given Security Issue is only permitted to assess the involvement of that product or solution as part of a PFI Investigation if the PFI Company ensures that the business unit and personnel utilized by such PFI Company in connection with such Assessment are reasonably …
A PFI Company that has performed a PA-DSS Assessment, P2PE Assessment or 3-D Secure Assessment (as defined in the then-current version of (or successor document to) the QSA Qualification Requirements For Payment Application Qualified Security Assessors (PA-QSA), Payment Card Industry (PCI) Qualification Requirements For Point-to-Point Encryption (P2PE)™ Qualified Security Assessors
• QSA (P2PE) and PA-QSA (P2PE) or Payment Card Industry (PCI) 3-D Secure (PCI 3DS) Qualification Requirements for 3DS Assessors (as applicable) appearing on the Website) of a product or …
Modified
p. 9 → 8
PFI Companies and PFI Employees are not permitted to perform any PFI Investigation for any company, organization or other entity that is using any product, solution or service provided by or through the PFI Company or PFI Employee other than:
Modified
p. 9 → 8
• PFI Investigation services
• Contract preparation
Removed
p. 10
• Access to network configurations and plans
• Access to physical location maps and/or any relevant entry passes
• Inclusion and participation in incident-management exercises
Modified
p. 10 → 9
PFI Companies may be engaged to perform services pertaining to the anticipated investigation outside of the PFI Region(s) for which they have been qualified by PCI SSC only with prior written consent of PCI SSC for each engagement for which there may be lack of available PFI Companies in the region.
Modified
p. 10 → 9
The PFI Company shall provide to the Approving Organization proof of coverage statements for all subcontractors identified on the Subcontractor List (defined in Section 3.2.1 below), demonstrating to the Approving Organization's satisfaction that all such subcontractors are covered under the PFI Company's insurance or that such subcontractors have in effect their own insurance coverage satisfying all insurance requirements of the PFI Program as they apply to PFI Companies.
Modified
p. 11 → 10
For the first year of qualification, the applicable initial regional PFI Company fees (per region) must be paid in full within 30 days of receipt of the invoice(s).
Modified
p. 11 → 10
For each subsequent year the applicable annual regional PFI Company renewal fee(s) must be paid in full within 30 days of notification.
Modified
p. 11 → 10
• revised fee schedule on the Website shall be deemed to constitute effective legal notice of a fee change. Failure to qualify as a PFI Company within 180 days of application submission will result in forfeiture of application and/or initial processing fees.
• revised fee schedule on the Website shall be deemed to constitute effective legal notice of a fee change. Failure to qualify as a PFI Company within 12 months of application submission will result in forfeiture of application and/or initial processing fees.
Modified
p. 12 → 11
Fulfill all PFI Company requirements and promptly notify PCI SSC of any failure to do so.
Modified
p. 12 → 11
Comply with all terms and conditions of all agreements between the PFI Company and PCI SSC, including without limitation, the QSA Agreement and the PFI Addendum.
Modified
p. 12 → 11
Have one or more dedicated forensic investigation divisions, departments, units or practices, of which all employees participating in any technical aspect of any PFI Investigation are PFI Employees.
Modified
p. 12 → 11
Ensure that each PFI Investigation conducted by the PFI Company is supervised by a Lead Investigator.
Modified
p. 12 → 11
Ensure that there is at least one (1) Core Forensic Investigator at all times on a full-time basis for each of the PFI Regions for which the PFI Company has been qualified.
Modified
p. 12 → 11
Ensure that it employs at least one (1) QSA Employee at all times on a full-time basis and requires the QSA Employee to review all technical aspects of all of its PFI Investigations.
Modified
p. 12 → 11
Ensure that all Lead Investigators on each PFI Investigation have completed required PFI Program training and/or information sessions within the two-year period prior to leading a given PFI Investigation (including without limitation, Participating Payment Brand-specific training such as PIN security compliance validation training).
Modified
p. 12 → 11
Ensure that a PA-QSA Employee (defined in the QSA Qualification Requirements For Payment Application Qualified Security Assessors (PA-QSA)) that is in Good Standing as such is available to be assigned to each PFI Investigation, if needed.
Modified
p. 12 → 11
Ensure that each PFI Employee has successfully completed annual training for incident response and computer forensics professionals, such as renewal of certifications, including but not limited to: information systems audit training to support such professional certifications as CISSP, CISM, CISA, or GIAC certification (in addition to any required PCI SSC training).
Modified
p. 12 → 11
Ensure that each PFI Employee is proficient in the use of each forensic tool used by the PFI Company.
Removed
p. 13
• Two independent references from merchants, service providers, financial institutions, or other entities for which the PFI Company (or candidate) has performed forensic security investigations within the 12 months prior to the PFI Company application date
• Proof of existing relationships with appropriate cyber-crime oriented law enforcement
Modified
p. 13 → 11
Ensure that each PFI Employee stays up to date on current trends, threats and emerging technologies (for example, mobile, tokenization, cloud, etc.).
Modified
p. 13 → 11
Ensure that each PFI Employee is in Good Standing as a PFI Employee.
Modified
p. 13 → 11
Track PFI Employee compliance with all PFI Employee requirements and promptly notify PCI SSC if any of its PFI Employees fails to satisfy any PFI Employee requirement.
Modified
p. 13 → 12
• Ensure that all technical aspects of all of its PFI Investigations are:
  o Performed and managed solely by Lead Investigators, Core Forensic investigators and/or PFI Employees in Good Standing, and
  o Reviewed by its QSA Employee.
• Performed and managed solely by Lead Investigators, Core Forensic investigators and/or PFI Employees in Good Standing, and
Modified
p. 13 → 12
Only engage in (and only permit its PFI Employees to engage in) PFI Investigations with respect to which the PFI Company has determined in good faith (immediately prior to initiating such PFI Investigation) that the data loss associated with the Security Issue under investigation originated in a PFI Region for which the PFI Company is then qualified by PCI SSC and satisfies all corresponding regional PFI Program requirements (including but not limited to payment of applicable qualification and renewal fees) in …
Only engage in (and only permit its PFI Employees to engage in) PFI Investigations with respect to which the PFI Company has determined in good faith (immediately prior to initiating such PFI Investigation) that the data loss associated with the Security Issue under investigation originated in a PFI Region for which the PFI Company is then qualified by PCI SSC and satisfies all corresponding regional PFI Program requirements (including but not limited to payment of applicable qualification and renewal fees) in …
Modified
p. 13 → 12
Upon reasonable request of any Participating Payment Brand, attend requested conference calls with Participating Payment Brands and third parties, such as point-of-sale (POS) vendors, resellers, integrators and others, addressing issues related to payment applications and/or security practices.
Modified
p. 13 → 12
Descriptions of the types of forensic examinations that the PFI Company (or candidate) has performed.
Modified
p. 13 → 12
At least two (2) redacted forensic investigation reports from within the last 18 months of multi-box environments, such as a website and server or point-of-sale device and interconnected card payment network. The reports must include, as a minimum, details on:
Removed
p. 14
• Documentation that the PFI Company (or candidate) employs a minimum of one (1) QSA Employee at all times.
• List of PFI Company’s language proficiencies
• Proof of substantial and appropriate knowledge and experience in investigating security breaches and compromises of data to enable the PFI Company (or candidate) to perform PFI Investigations in a proficient manner in accordance with industry practice and expectations
• Proof of competence in the use of industry-recognized forensic tools and software applications, as well as an investigative methodology that meet industry recognized legal and law enforcement standards
• List of all PFI Employees (or candidates) of the PFI Company (or candidate) and their respective individual qualifications
• Proven methodology for acquiring and analyzing digital evidence including live response and volatile memory analysis
• Proven methodology for investigating data security compromises involving each of the following:
• Proficiency to analyze/reverse-engineer malware
• Attestation that each employee of the PFI Company (or candidate) …
Modified
p. 14 → 12
• Documentation that the PFI Company (or candidate) employs a minimum of at least one (1) Core Forensic Investigator for each PFI Region for which the PFI Company (or candidate) has applied for qualification (or has been qualified) at all times (and initiates qualification procedures for all candidate Core Forensic Investigators at the time of the initial PFI Company application)
• If made, the recommendations for remediation
• Two independent references from merchants, service providers, financial institutions, or other entities for which the PFI Company (or candidate) has performed forensic security investigations within the 12 months prior to the PFI Company application date
• Proof of existing relationships with appropriate cyber-crime-oriented law enforcement agencies pertinent to each PFI Region for which the PFI Company (or candidate) has applied for qualification as a PFI Company (or has been qualified as a …
Modified
p. 15 → 14
Maintain, on a 24-hour per day basis throughout the year, a staff of PFI Employees who provide the first level of phone and incident response for each applicable PFI Region.
Modified
p. 15 → 14
Maintain a sufficient number of PFI Employees and other staff to appropriately respond to emergency situations and deploy the necessary response team within 24 hours of notice of the applicable Security Issue.
Modified
p. 15 → 14
Employ at least one PCI SSC-qualified QSA Employee (in compliance with all requirements applicable to QSA Employees as set forth in the QSA Qualification Requirements) at all times.
Modified
p. 15 → 14
Initiate each PFI Investigation at the applicable Entity Under Investigation’s facilities no later than five (5) business days after the date of execution of the applicable PFI Investigation services agreement between the PFI Company and such Entity Under Investigation.
Modified
p. 15 → 14
Deploy staff in response to emergency situations within 24 hours of discovery.
Modified
p. 15 → 14
Ensure the availability of emergency PFI Employees to provide second-level analyst support in connection with each PFI Investigation, including upon discovery of and during ongoing investigation of the corresponding Security Issue.
Modified
p. 15 → 14
Maintain appropriate equipment and storage facilities to ensure timely availability of required and appropriate equipment in connection with each Security Issue for which the PFI is engaged to perform PFI Investigation services.
Modified
p. 15 → 14
Promptly notify PCI SSC of all changes to subject matter experts utilized by the PFI Company in connection with PFI Investigations.
Removed
p. 16
• Successfully complete PCI SSC PFI Employee training annually
Modified
p. 16 → 15
Full-time employee of the PFI Company (meaning this work cannot be subcontracted to non-employees, unless PCI SSC has given prior written consent for each applicable subcontracted worker in each instance).
Modified
p. 16 → 15
Knowledgeable in identifying full magnetic-stripe data, CVV2 and PIN blocks.
Modified
p. 16 → 15
Active incident response certification, such as SANS GIAC Certified Incident Handler (GCIH), GIAC Certified Forensics Analyst (GCFA), or equivalent certification satisfactory to the Approving Organization; or a minimum three (3) years of forensic investigation/incident handling experience.
Modified
p. 16 → 15
Successfully complete PCI SSC PFI Employee training annually
Successfully complete annual training for incident response and computer forensics professionals such as renewal of certifications (in addition to any required PCI SSC training).
Modified
p. 16 → 15
Adhere to the PCI SSC Code of Professional Responsibility.
Modified
p. 16 → 15
Such other requirements as PCI SSC may reasonably establish from time to time for PFI Employees.
Modified
p. 16 → 15
Only PFI Employees who satisfy the above requirements are authorized to perform, manage or otherwise be involved with any technical aspects of any PFI Investigation.
Modified
p. 16 → 15
Approved subcontractors are not permitted to include, and no PFI Company shall permit any of its subcontractors to include, any company logo or reference to a company other than the responsible PFI Company, in any PFI report or other materials in connection with work performed as a subcontractor for the PFI.
Modified
p. 16 → 15
Upon reasonable request of PCI SSC, each PFI Employee may be required (and agrees) to demonstrate the aforementioned skills (and all other skills and expertise required of such individuals pursuant to the PFI Qualification Requirements) to the Approving Organization.
Modified
p. 16 → 15
Proof of Incident Response certification, such as SANS GIAC Certified Incident Handler (GCIH) or GIAC Certified Forensics Analyst (GCFA), if applicable.
Modified
p. 17 → 16
Satisfy all PFI Employee requirements.
Modified
p. 17 → 16
Be a full-time employee of the PFI Company. Subcontracted resources are not permitted to fulfill this role.
Modified
p. 17 → 16
Operate in a role that is primarily as a forensic investigator within the applicable PFI Company’s dedicated PFI Investigation division, department, unit, or practice.
Modified
p. 17 → 16
Possess sufficient information security knowledge and experience to conduct technically complex enterprise security investigations in a proficient manner in accordance with industry expectations.
Modified
p. 17 → 16
Possess a Bachelor of Science (or equivalent) or higher degree in Computer Science, Electrical Engineering, Computer Engineering and/or Forensics, or a minimum five (5) years of equivalent industry experience.
Modified
p. 17 → 16
Satisfy all such other requirements as PCI SSC may reasonably establish from time to time for Core Forensic Investigators, including without limitation, if requested by PCI SSC, demonstration of expertise in performing forensic investigations.
Modified
p. 17 → 16
Résumé demonstrating a BS or higher degree in Computer Science, Electrical Engineering, Computer Engineering and/or Forensics or minimum five (5) years of equivalent industry experience.
Removed
p. 18
• PFI Investigations; and
• E-mail address
4.2 Background Checks
PFI Companies must satisfy all background check requirements applicable to QSA Companies as specified in the QSA Qualification Requirements.
Modified
p. 18 → 17
• PFI Investigations; and
• Oversight of PFI Company’s internal quality assurance program for PFI Investigations (described further in Section 4.4 below).
Modified
p. 18
Only PFI Employees are permitted to manage, perform or otherwise be involved in any technical aspects of PFI Investigations.
Modified
p. 18
All PFI Investigations and all related work product strictly comply with the PFI Program Guide.
Modified
p. 18
All PFI Reports are generated for each PFI Investigation.
Modified
p. 19 → 18
Each PFI Company must have documented the details of the aforementioned quality assurance program in a program manual that includes, without limitation, all required PFI Report templates (such program manual may (but need not) be included as part of the program manual required in accordance with Section 4.3 of the QSA Qualification Requirements).
Modified
p. 19
• The PFI Company must provide a Feedback Report in the form attached hereto as Appendix C to each Entity Under Investigation (and if applicable, to each acquirer) at the completion of its PFI Investigation thereof and request that it be promptly completed and delivered to PCI SSC.
• Appeals requirements and/or processes
The PFI Company must provide a Feedback Report in the form attached hereto as Appendix C to each Entity Under Investigation (and if applicable, to each acquirer) at the completion of its PFI Investigation thereof and request that it be promptly completed and delivered to PCI SSC.
Modified
p. 19
PCI SSC reserves the right, upon reasonable notice, to conduct PFI Company site visits for purposes of auditing the processes and procedures used by PFI Company in connection with PFI Investigations; and each PFI Company must comply with all such requests and provide PCI SSC with reasonable access for such purposes.
Modified
p. 20 → 19
Each PFI Company (or candidate) shall, upon request, provide to the Approving Organization a description of the contents of the PFI Company’s quality assurance manual, to confirm that the manual addresses all aspects of the PFI Company’s procedures and requirements for PFI Investigations and report review processes, including without limitation, a requirement that all PFI Employees must comply with all PFI Employee requirements.
Modified
p. 20 → 19
Additionally, each PFI Company (or candidate) must provide to PCI SSC prompt written notice of any change to any information previously provided to PCI SSC or any other Approving Organization if such change is reasonably likely to impact the Good Standing of such PFI Company or to cause the PFI Company to no longer be eligible for PFI Company qualification.
Modified
p. 20 → 19
All information, materials and documentation must be provided to the Approving Organization in English or with a certified English translation.
Modified
p. 20
The PFI Company (or candidate) must provide to the Approving Organization a blank copy of the documentation that all employees sign acknowledging the company’s policies and procedures for handling and preserving the integrity of evidence and how evidence is collected.
Modified
p. 20
PFI Company (or candidate) must provide to the Approving Organization proof that employees collecting evidence are proficient in use of the tools being used for the examination. This can be demonstrated by copies of certifications or notable experience in résumés.
Modified
p. 21
Prior to each PFI Investigation, pursuant to a written agreement directly with the applicable Entity Under Investigation, obtain from that Entity Under Investigation (a) full authorization to provide to each affected Participating Payment Brand (and, if the Entity Under Investigation is a merchant, the affected acquirer(s)), a copy of each PFI Report (and each version and portion thereof) resulting from such PFI Investigation, except to the extent prohibited by applicable law, and (b) such Entity Under Investigation’s acknowledgement of …
Modified
p. 21
After each PFI Investigation, simultaneously with its delivery of each portion (excluding the Executive Summary) of the proposed Final PFI Report (and PIN Security Requirements Report, if applicable) resulting from such PFI Investigation to the Entity Under Investigation (or any contractor, representative, professional advisor, agent or affiliate thereof), deliver a copy thereof to each affected Participating Payment Brand (and, if the Entity Under Investigation is a merchant, each affected acquirer(s)), except to the extent prohibited by applicable law.
Modified
p. 21
After each PFI Investigation, simultaneous with its delivery of each complete proposed Final PFI Report (and PIN Security Requirements Report, if applicable) resulting from such PFI Investigation to the Entity Under Investigation (or any contractor, representative, professional advisor, agent or affiliate thereof), deliver a copy thereof to each affected Participating Payment Brand (and, if the Entity Under Investigation is a merchant, each affected acquirer(s)), except to the extent prohibited by applicable law.
Modified
p. 21
Follow the PFI Guidelines and utilize the incident report templates as outlined in the PFI Program Guide, for all PFI Investigations.
Modified
p. 21
Participate in all discussions of the PFI Investigation as reasonably requested by the Entity Under Investigation, the affected acquirer(s) if the Entity Under Investigation is a merchant, and/or the affected Participating Payment Brands.
Modified
p. 21
Ensure and certify in each Final PFI Report that each PFI Investigation has been conducted strictly in accordance with all applicable PFI Requirements (including without limitation, the Independence Requirements provided for in Section 2.3 above).
Modified
p. 21
Ensure and certify in each Final PFI Report that the judgments, conclusions and findings therein:
• accurately reflect, include and are based solely upon the factual evidence as gathered, discovered and determined to be relevant to the PFI Investigation by the PFI Company in its sole discretion during the course of that PFI Investigation
• reflect the independent judgments, findings and conclusions of the PFI Company and its PFI Employees only, acting in their sole discretion; and
• were …
Removed
p. 22
• Upon request of any affected Participating Payment Brand, promptly make drafts of applicable PFI Reports and related work papers available to such Participating Payment Brand.
Modified
p. 22
Upon request of any affected Participating Payment Brand in connection with a given Security Issue investigated or being investigated by the PFI Company, reasonably cooperate with such Participating Payment Brand in such Participating Payment Brand’s investigation of such Security Issue.
Modified
p. 22
Upon request of any affected Participating Payment Brand, provide to such Participating Payment Brand a list of corresponding affected payment card account information found from each PFI Investigation, including without limitation, exposed payment card account numbers and related details.
Removed
p. 23
• Payment of all applicable annual PFI renewal fees
• For each PFI Employee, proof of incident response and computer forensics training within the 12 months prior to renewal to support professional certifications (such as CISSP, CISM, or CISA certification), in addition to any required PCI SSC training; and
• Satisfactory feedback from Entities Under Investigation that have undergone PFI Investigation by the PFI Company, as well as Approving Organization(s) and Participating Payment Brands.
Modified
p. 23
• Payment of all applicable annual PFI renewal fees
• For each PFI Employee, proof of completion of all required applicable annual PCI SSC training and information sessions, as applicable (e.g., proof that each Lead Investigator has completed all required PFI Program training and/or information sessions within the preceding two (2) year period; and that each PFI Employee has successfully completed annual training for incident response and computer forensics professionals);
• For each PFI Employee, proof of incident response and …
Modified
p. 24
Note: Failure to successfully qualify as a PFI Company within 180 days of initial application submission will result in forfeiture of all PFI Program application and initial processing fees and closure of the application.
Note: Failure to successfully qualify as a PFI Company within 12 months of initial application submission will result in forfeiture of all PFI Program application and initial processing fees and closure of the application.
Removed
p. 25
PFI QA Program
• Designation of Quality Assurance Manager
• Description of contents of the candidate PFI Company’s quality assurance manual
Evidence Handling
• Copies of the candidate PFI Company’s policies and procedures regarding evidence handling, preservation, integrity and collection, along with associated standard form of employee acknowledgement
• Evidence of candidate PFI Employees’ proficiency in using the candidate PFI’s forensic investigation tools (such as copies of relevant certifications)
Modified
p. 25
Proof of incident response certification for each PFI Employee, such as SANs GIAC Certified Incident Handler (GCIH) or GIAC Certified Forensics Analyst (GCFA).
Proof of industry-recognized incident response certification for each PFI Employee, such as GIAC Certified Incident Handler (GCIH) or GIAC Certified Forensics Analyst (GCFA).
Modified
p. 25
Administrative Requirements Contact information for each primary and secondary contact as required by Section 4.1.2 above.
Administrative Requirements Contact information for each primary and secondary contact as required by Section 4.1.2.
Modified
p. 37 → 36
PFI Employee requirements The specific requirements applicable to PFI Employees as set out in Section 3.3.1 below, and such additional requirements as PCI SSC may establish for PFI Employees from time to time in connection with the PFI Program.
PFI Employee requirements The specific requirements applicable to PFI Employees as set out in Section 3.3.1, and such additional requirements as PCI SSC may establish for PFI Employees from time to time in connection with the PFI Program.
Modified
p. 37
PFI Reports Defined in Section 3.3 of the PFI Program Guide (see also Section 4.3.1 below).
PFI Reports Defined in Section 3.3 of the PFI Program Guide (see also Section 4.3.1).