Document Comparison

asv_qualification_requirements_v2.1.pdf ASV_Qualification_Requirements_v3.0.pdf
35% similar
46 → 52 Pages
18482 → 23723 Words
113 Content Changes

From Revision History

  • October 2008 1.2 To align version number with PCI DSS v1.2; no other changes made.

Content Changes

113 content changes. 83 administrative changes (dates, page numbers) hidden.

Added p. 5
ASV Lab Scan Test (or “Test”) The testing of a candidate or validated ASV scan solution by an ASV Validation Lab to demonstrate for ASV Program purposes whether such solution performs in accordance with the ASV Program Guide. The terms “Test,” “Tested,” and “Testing” will be interpreted accordingly.

ASV scan solution A set of security services, tool(s), and processes that is offered by an ASV to validate the compliance of a Scan Customer in accordance with PCI DSS Requirement 11.2.2 and that has been and remains validated by an ASV Validation Lab in accordance with ASV program requirements. ASV scan solutions include the tools, techniques, methods, procedures, associated scan reports, processes for exchanging information between the ASV and the Scan Customer, and the processes used by ASV Employees to:
Added p. 6
PCI SSC Code of Professional Responsibility The then-current version of (or successor documents to) the PCI SSC Code of Professional Responsibility, as from time to time amended and made available on the Website.

Scan Customer Defined in the ASV Agreement.

Testing See definition of ASV Lab Scan Test.
Added p. 6
1. The first involves the initial qualification of the security company itself.

2. The second relates to the initial qualification of the company’s employee(s) responsible for performing PCI Scanning Services.

3. The third consists of the Testing of the company’s candidate and/or validated ASV scan solution(s).

4. The final step is listing the ASV Company and its validated ASV scan solution on the ASV List.
Added p. 7
In the event PCI SSC determines that an applicant does not meet ASV Program requirements, PCI SSC will notify the applicant, and the applicant may appeal within 30 days from the notice date. Appeals must be addressed to the ASV Program Manager at asv@pcisecuritystandards.org and provide specific details to support the appeal. If a company is unsuccessful on appeal, its name will not be placed on the ASV List.

To initiate the qualification process, the security company must submit its completed ASV Company application and signed ASV Agreement (in unmodified form) to PCI SSC. All information provided to PCI SSC to support the ASV Program application process must be accurate and complete as of the date of its submission.

Section 2: ASV Business Requirements covers minimum business requirements that must be demonstrated to PCI SSC by the security company. This section outlines information and items that must be provided to prove business …
Added p. 8
All application materials (see Appendices C and D) and the signed ASV Agreement must be submitted in English. The ASV Agreement is binding in English even if the ASV Agreement was translated and reviewed in another language. All other documentation provided to PCI SSC by the ASV Company (or applicant) in a language other than English must be accompanied by a certified English translation (examples include business licenses and insurance certificates).

Note: PCI SSC reserves the right to reject any application from any applicant (company or employee) that PCI SSC determines has committed, within three (3) years prior to the application date, any conduct that would have been considered a “Violation” (see Section 5.4 below) if committed by an ASV Company or ASV Employee. The period of ineligibility will be a minimum of one (1) year, as determined by PCI SSC in a reasonable and non-discriminatory manner.

• The ASV Company must …
Added p. 10
• The ASV Company must notify its ASV Employees of the independence requirements provided for in this document, as well as the ASV Company’s independence policy, at least annually.
Added p. 11
• An ASV scan solution test fee for each ASV Lab Scan Test performed for a candidate ASV scan solution.

• ASV Employee training fees for each ASV Employee (or applicant, as applicable) registered for such training.

• Annual ASV Program requalification fees for subsequent years, which include fees for annual ASV Lab Scan Testing of each candidate and/or validated ASV scan solution and ASV Employee annual requalification training fees.

ASV scan solution test fees (initial and requalification) are due within 30 days of notice from PCI SSC.

Instructions for enrolling in applicable training are provided by PCI SSC. Each ASV Company applicant must enroll at least two ASV Employee candidates in training, and must pay associated initial training fees once the application is approved. Training fees for requalification are paid as part of the requalification training registration process.

Payment remittance details are included in the invoice that the applicant ASV Company receives from …
Added p. 14
PCI SSC has adopted a Code of Professional Responsibility (the “Code”), available on the Website, to help ensure that all ASV Companies and ASV Employees adhere to high standards of ethical and professional conduct. All ASV Companies and ASV Employees must advocate, adhere to, and support the Code.
Added p. 15
• Attestation that its policies and hiring procedures include performing background checks: Examples of background checks include previous employment history, criminal record, credit history, and reference checks.

• Attestation that it successfully completed such background checks for each applicant ASV Employee.
Added p. 16
• Annual background checks consistent with this section for each of its ASV Employees for any change in criminal records, arrests or convictions.
Added p. 16
• Each ASV Company must have and adhere to a change management policy and processes for changes to the ASV scan solution.

• Each ASV Company must maintain and adhere to a documented quality assurance process and manual, which includes all of the following:

  o Requirement to document its PCI Scanning Services and a description of the review process for generating scan reports in accordance with the requirements of the ASV Program Guide, including at least the following:

    ▪ Reviews of scanning procedures, scan reports, and supporting documentation, and additional information required pursuant to the ASV Program Guide related to the appropriate selection of system components

  o Requirement that all ASV Employees must adhere to the ASV Program Guide

  o Requirement that the ASV Company (or applicant) has and shall keep in place controls to maintain the integrity of its ASV scan solution. Each ASV scan solution must:

    ▪ Be protected from unauthorized …
Added p. 17
Each ASV Company must have a policy and adhere to a documented process for protection of confidential and sensitive information. This must include a confidentiality agreement signed by each ASV Employee as well as adequate physical, electronic, and procedural safeguards consistent with industry-accepted practices to protect confidential and sensitive information against any threats or unauthorized access during storage, processing, and/or communicating of this information. ASV Employees must acknowledge and agree to adhere to the policy.
Added p. 18
• Physical, electronic, and procedural safeguards including:

  o Systems storing customer data do not reside on Internet-accessible systems

  o Protection of systems storing customer data by network and application layer controls including technologies such as firewall(s) and IDS/IPS

  o Restricting access (e.g., via locks) to the physical office space

  o Restricting access (e.g., via locked file cabinets) to paper files

  o Restricting logical access to electronic files via least-privilege/role-based access control

  o Strong encryption of Scan Customer data when transmitted over public networks

  o Secure transport and storage of backup media

  o Strong encryption of Scan Customer data on portable devices such as laptops and removable media

• Upon PCI SSC request, a copy of the ASV Company’s (or applicant’s) template confidentiality agreement that each ASV Employee is required to sign

4.5 Evidence Retention

4.5.1 Requirements

Each ASV Company must securely maintain digital and/or hard copies of all case logs, …
Added p. 20
Without limiting the foregoing, failure to meet any of the ASV Requirements, including without limitation, timely submission of annual requalification fees, satisfaction of annual training or Continuing Professional Education (CPE) requirements, or successful completion of required annual ASV Lab Scan Test, is grounds for Remediation.

ASV Companies that participate in Remediation and resolve all open issue(s) to PCI SSC’s satisfaction within the applicable time period established as part of the Remediation process (the “Remediation Period”), typically ninety (90) calendar days except as provided in the next paragraph, are returned to Good Standing. ASV Companies that fail to resolve such issues within the applicable Remediation Period are Revoked, and accordingly, removed from the ASV List (see Section 5.4 below).
Added p. 20
Note: When an ASV Company qualifies for Remediation, its Primary Contact (designated in accordance with the ASV Agreement) will be notified and its listing on the ASV List will appear in red. The Remediation Statement on the Website affirms the Council’s position on Remediation, and any external queries about an ASV Company’s status will be directed to the ASV Company in question.

ASV Companies in Remediation may continue to perform PCI Scanning Services for which they are qualified by PCI SSC unless otherwise instructed by PCI SSC in connection with the Remediation process.
Added p. 22
(i) successfully passes the ASV Lab Scan Test; (ii) submits a written request to PCI SSC requesting reinstatement as an ASV Company, identifying the ASV Validation Lab and date of the corresponding passed ASV Lab Scan Test; and (iii) meets all other ASV Requirements at the time of such request.

The following table summarizes the actions that occur at the indicated calendar days past the requalification date as a result of failure to timely pass the annual ASV Lab Scan Test.

Number of days past requalification date | Action
30 | Remediation: ASV Company listing turns red on the ASV List.
… | Revocation: Company’s listing is removed from the ASV List; Company no longer qualified by PCI SSC to perform PCI Scanning Services.
… | Abbreviated reinstatement ends: Company’s ability to be reinstated after successful completion of annual ASV Lab Scan Test but without submitting new ASV Company application ends.
Added p. 23
A.2 General Information

Vendor Company

Company Name:
Added p. 23
Secondary Contact Name: Job Title:

Direct Telephone Number: E-mail:
Added p. 24
Vendor acknowledges that data security practices exist within a rapidly changing environment and agrees to monitor the Website at least weekly for changes to the PCI DSS, other PCI SSC standards relevant to the ASV Program (collectively with the PCI DSS, “PCI SSC Standards”), ASV Qualification Requirements, ASV Program Guide and other ASV Program- related Website content (the foregoing, collectively, the “ASV Program Materials”). Vendor will incorporate all such changes into all PCI Scanning Services initiated on or after the effective date of such changes.
Added p. 25
A.3.3 Vendor Service Staffing

Without limiting the foregoing, Vendor agrees to comply with all requirements of, make all provisions provided for in, and ensure that its ASV Employees comply with all applicable ASV Requirements relating to employees, including but not limited to all requirements and provisions regarding employee background checks pursuant to the ASV Qualification Requirements. Vendor hereby represents, warrants and agrees that it has (and will have) obtained all required consents to all such background checks from each employee now or in the future performing any of the Services on Vendor’s behalf hereunder, prior to such employee performing such Services. Additionally, Vendor shall ensure that an ASV Employee that is fully qualified in accordance with all applicable ASV Requirements supervises all aspects of the PCI Scanning Services performed for each Scan Customer, including without limitation, reviewing the work product that supports Vendor’s PCI Scanning Services procedures and ensuring adherence …
Added p. 26
(a) In connection with Vendor’s performance of PCI Scanning Services, it shall only advertise, offer, or use those of its ASV scan solutions that have been successfully Tested and qualified by (or on behalf of) PCI SSC, have received a corresponding Compliance Notification that has not been revoked, cancelled, expired or terminated, and appear on the ASV List throughout the course of the corresponding PCI Scanning Services engagement. PCI SSC shall have no obligation with respect to Vendor or any candidate or validated ASV scan solution having not successfully completed Testing other than informing Vendor that Vendor (or the applicable candidate or validated ASV scan solution) is not compliant with the PCI DSS by sending a non-compliance notification to Vendor.

(b) Even though an ASV scan solution has received a Compliance Notification, all ASV scan solutions are subject to successful completion of annual maintenance Testing for ASV Program purposes, including but …
Added p. 27
Vendor agrees to pay all applicable fees imposed by PCI SSC relating to Vendor’s and its ASV Employees’ participation in the ASV Program (collectively, “Fees”), in each case as and in the manner provided for in the applicable ASV Program Materials or “PCI SSC Programs Fee Schedule” posted on the Website. Such Fees may include, without limitation, initial application or processing fees, qualification fees, requalification fees, training fees, fees in connection with quality assurance and/or Remediation, fees to cover administrative costs, re-listing, penalties and other costs, and other fees. Vendor agrees to pay all such Fees as and when required by PCI SSC and that all Fees are nonrefundable (regardless of whether Vendor’s application to participate in the ASV Program is approved, Vendor or any Vendor product or solution has been approved or removed from the ASV List, this Agreement has been terminated, or otherwise). Vendor acknowledges and agrees that …
Added p. 28
A.5 Advertising and Promotion; Intellectual Property

A.5.1 ASV List and Vendor Use of PCI Materials and Marks

(a) So long as Vendor is qualified by PCI SSC as an ASV Company, PCI SSC may, at its sole discretion, display the identification of Vendor and each of its ASV scan solutions on the ASV List, along with information identifying Vendor, such ASV scan solutions, and corresponding qualification or compliance status information (including without limitation, good standing, Remediation and/or revocation status). Vendor shall provide all requested information necessary to ensure to PCI SSC’s satisfaction that the identification and information relating to Vendor and/or its ASV scan solutions on the ASV List is accurate. Without limiting the rights of PCI SSC set forth in the first sentence of this Section or elsewhere, PCI SSC expressly reserves the right to remove Vendor and any of its ASV scan solutions from the ASV List (or …
Added p. 29
A.5.2 Uses of Vendor Name and Designated Marks

Vendor grants PCI SSC and each Participating Payment Brand the right to use Vendor’s name and trademarks, as designated in writing by Vendor, to list Vendor on the ASV List and to include reference to Vendor in publications to Financial Institutions, Issuers, Merchants, Acquirers, Processors, and the public regarding the ASV Program. Neither PCI SSC nor any Participating Payment Brand shall be required to include any such reference in any materials or publicity regarding any PCI SSC Program. Vendor warrants and represents that it has authority to grant the foregoing rights to PCI SSC and the Participating Payment Brands.

A.5.3 No Other Rights Granted

Except as expressly stated in this Section A.5, no rights to use any party’s or Member’s marks or other Intellectual Property Rights (as defined below) are granted herein, and each party respectively reserves all of its rights therein. Without …
Added p. 30
(b) All right, title and interest in and to the Intellectual Property Rights in all materials generated by or on behalf of PCI SSC with respect to Vendor and/or results of assessments or Testing performed by or on behalf of PCI SSC (including without limitation, all results of ASV Lab Scan Tests) are and at all times shall remain the property of PCI SSC. Subject to the provisions of Section A.6, Vendor may use and disclose such materials solely for the purposes expressly permitted by this Agreement. Vendor shall not revise, abridge, modify or alter any such materials. Vendor shall not assert or imply that assessment or Testing results other than those upon which a given Compliance Notification was issued by PCI SSC are connected or related to that Compliance Notification. While a given ASV scan solution remains on the ASV List, Vendor shall have the right to make copies …
Added p. 31
A.6.2 General Restrictions

(a) Each party (the “Receiving Party”) agrees that all Confidential Information received from the other party (the “Disclosing Party”) shall: (i) be treated as confidential; (ii) be disclosed only to those Members, officers, employees, legal advisers, accountants, representatives and agents of the Receiving Party who have a need to know and be used solely as required in connection with (A) the performance of this Agreement and/or (B) the operation of such party’s or its Members’ respective payment card data security compliance programs (if applicable) and (iii) not be disclosed to any third party except as expressly permitted in this Agreement or in writing by the Disclosing Party, and only if such third party is bound by confidentiality obligations applicable to such Confidential Information that are in form and substance similar to the provisions of this Section A.6.
Added p. 32
A.6.4 Personal Information

In the event that Vendor receives Personal Information from PCI SSC or any Member or Scan Customer in the course of providing Services or otherwise in connection with this Agreement, in addition to the obligations set forth elsewhere in this Agreement, Vendor will at all times during the Term (as defined in Section A.9.1) maintain such data protection handling practices as may be required by PCI SSC from time to time, including without limitation, as a minimum, physical, electronic and procedural safeguards designed: (i) to maintain the security and confidentiality of such Personal Information (including, without limitation, encrypting such Personal Information in accordance with applicable Participating Payment Brand guidelines, if any); (ii) to protect against any anticipated threats or hazards to the security or integrity of such information; and (iii) to protect against unauthorized access to or use of such information that could result in substantial harm …
Added p. 33
A.7 Indemnification and Limitation of Liability

A.7.1 Indemnification

Vendor shall defend, indemnify, and hold harmless PCI SSC and its Members, and their respective subsidiaries, and all affiliates, subsidiaries, directors, officers, employees, agents, representatives, independent contractors, attorneys, successors, and assigns of any of the foregoing (collectively, including without limitation, PCI SSC and its Members, “Indemnified Parties”) from and against any and all claims, losses, liabilities, damages, suits, actions, government proceedings, taxes, penalties or interest, associated auditing and legal expenses and other costs (including without limitation, reasonable attorney’s fees and related costs) that arise or result from any claim by any third party with respect to Vendor’s (i) breach of its agreements, representations or warranties contained in this Agreement; (ii) participation in any PCI SSC Program or use of any PCI Materials or PCI SSC Program-related information (a) in violation of this Agreement or (b) in violation of any applicable law, rule …
Added p. 35
(d) EXCEPT FOR DAMAGES CAUSED BY THE GROSS NEGLIGENCE OR WILLFUL MISCONDUCT OF A PARTY, AND EXCEPT FOR THE OBLIGATIONS OF VENDOR UNDER SECTIONS A.5 OR A.6, IN NO EVENT SHALL EITHER PARTY OR ANY MEMBER BE LIABLE TO THE OTHER FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT OR SPECIAL DAMAGES, HOWEVER CAUSED, WHETHER UNDER THEORY OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY DOES NOT APPLY TO INDEMNIFICATION OWED TO AN INDEMNIFIED PARTY PURSUANT TO THIS SECTION A.7.
Added p. 36
A.9 Term and Termination

A.9.1 Term

This Agreement shall commence as of the Effective Date and, unless earlier terminated in accordance with this Section A.9, continue for an initial term of one (1) year (the “Initial Term”) and thereafter, for additional subsequent terms of one year (each a “Renewal Term” and together with the Initial Term, the “Term”), subject to Vendor’s successful completion of all applicable requalification requirements for each Renewal Term.

A.9.2 Termination by Vendor

Vendor may terminate this Agreement at any time upon thirty (30) days’ written notice to PCI SSC. Notwithstanding Section A.10.1 below, any notice or other written communication (including by electronic mail) from Vendor pursuant to which or to the effect that Vendor requests, notifies, elects, opts, chooses, decides or otherwise indicates its desire to cease participation in the ASV Program, be removed from the ASV List or terminate this Agreement shall be deemed to constitute …
Added p. 37
A.9.4 Effect of Termination

Upon any termination or expiration of this Agreement: (i) Vendor’s qualification as an ASV Company shall automatically terminate, and Vendor and each of its ASV scan solutions will be removed from the ASV List and/or the corresponding listing(s) thereupon may be annotated as PCI SSC deems appropriate; (ii) Vendor shall immediately cease all advertising and promotion of its qualification and/or status as an ASV Company, and the listing(s) of Vendor and its ASV scan solutions on the ASV List, and ensure that it and its employees do not state or imply that any employee of Vendor is an “ASV Employee,” an “ASV” or otherwise qualified by PCI SSC in connection with the ASV Program; (iii) Vendor shall immediately cease soliciting for and performing all PCI Scanning Services, provided that Vendor shall complete any and all PCI Scanning Services contracted with Scan Customers prior to such expiration …
Added p. 38
(b) In the event of any Revocation: (i) Vendor and each of its ASV scan solutions will be removed from the ASV List and/or the corresponding listing(s) thereupon may be annotated as PCI SSC deems appropriate, (ii) Vendor must comply with Section A.9.4 above in the manner otherwise required if this Agreement had been terminated as of the effective date of such Revocation, (iii) Vendor will have a period of thirty (30) days from the date Vendor is given notice of the corresponding Violation to submit its written request for appeal to the ASV Program Manager; (iv) Vendor shall, within fifteen (15) days of such Revocation, in a manner acceptable to PCI SSC, provide notice of such Revocation to those of its Scan Customers with which Vendor is then engaged to perform PCI Scanning Services and, if applicable, of any conditions, restrictions or requirements of such Revocation that may impact …
Added p. 41
A.10.5 Assignment

Vendor may not assign this Agreement, or assign, delegate or subcontract any of its rights and/or obligations under this Agreement (including but not limited to by subcontracting any of the foregoing to a related party or affiliate), without the prior written consent of PCI SSC, which consent PCI SSC may grant or withhold in its absolute discretion.

A.10.6 Independent Contractors

The parties to this Agreement are independent contractors and neither party shall hold itself out to be, nor shall anything in this Agreement be construed to constitute either party as the agent, representative, employee, partner, or joint venture of the other. Neither party may bind or obligate the other without the other party’s prior written consent.

A.10.8 Counterparts

This Agreement may be signed in two or more counterparts, any or all of which may be executed by exchange of facsimile and/or electronic transmission, each of which shall be deemed an …
Added p. 45
Secondary Contact Name: Job Title:
Added p. 45
Applicant ASV Company (the “Company”) Information

• Section 1 Company Name:
Added p. 45
Primary Contact Name: Job Title:

QA Contact Name: Job Title:

The Company hereby acknowledges and agrees that in order to participate as an ASV Company in the ASV Program, it must satisfy all of the requirements specified in the ASV Qualification Requirements and supporting documents.

ASV Company Business Requirements

• Section 2 The Company hereby acknowledges the minimum business requirements and related information that must be provided to PCI SSC regarding the Company’s business legitimacy, independence, and required insurance coverage pursuant to Section 2 of the ASV Qualification Requirements, and agrees to comply with such requirements.

Business Legitimacy

• 2.1.2 Provisions The Company certifies that it is a legal entity.

The Company certifies that it is providing to PCI SSC herewith a copy of its current formation document or equivalent (the “Business License”). Refer to the Documents Library on the Website (Business License Requirements) for more information.

Year of incorporation/formation of Company:

Location(s) of Company offices:

Describe any past or present allegations …
Added p. 46
Independence

• 2.2.2 Provisions The Company hereby acknowledges and agrees that it must adhere to professional and business ethics, perform its duties with objectivity, and limit sources of influence that might compromise its independent judgment in performing PCI SSC Assessments.

The Company hereby certifies that it has a code-of-conduct policy, and agrees to provide that policy to PCI SSC upon request.

The Company hereby agrees to adhere to all independence requirements as established by PCI SSC, including without limitation, all items listed in Section 2.2.1 of the ASV Qualification Requirements.

Below or attached hereto is a description of the Company’s practices for maintaining and assuring assessor independence, including but not limited to, the Company’s practices, organizational structures, separation of duties, rules, and employee education in place to prevent conflicts of interest.

• Agrees to maintain and adhere to professional and business ethics, perform its duties with objectivity, and limit sources of influence that might compromise …
Added p. 47
The Company hereby certifies to PCI SSC that, along with this application, the Company is providing to PCI SSC a proof-of-coverage statement demonstrating that its insurance coverage matches locally set insurance coverage requirements.

A copy of the Company’s bound insurance coverage is attached to this application.

Fees

• 2.4.1 Requirements The Company hereby agrees to pay all such fees upon invoice from PCI SSC (or as part of the ASV Employee training registration process, if applicable), and that any such fees invoiced by PCI SSC will be made payable to PCI SSC according to instructions provided on the corresponding invoice.

ASV Agreement

• 2.5.1 Requirements The Company hereby acknowledges and agrees that along with its completed application package it is providing to PCI SSC an ASV Agreement between PCI SSC and the Company, in unmodified form, signed by a duly authorized officer of the Company. (A copy of the ASV Agreement is attached to this …
Added p. 48
Client: From (date): To (date):

Client: From (date): To (date):

Contact name: Job title:

Contact name: Job title:

Contact phone number: E-mail address:

Contact phone number: E-mail address:

Description of security engagement:

Description of security engagement:

PCI SSC Code of Professional Responsibility

• 3.3.1 Requirement The Company hereby acknowledges and agrees that it has read and understands the PCI SSC Code of Professional Responsibility, and hereby agrees to advocate, continuously adhere to, and support the terms and provisions thereof.

ASV Administrative Requirements

• Section 4 The Company hereby acknowledges and agrees to the administrative requirements for ASV Companies set forth in the ASV Qualification Requirements, including company contacts, background checks, adherence to PCI DSS procedures, quality assurance, and protection of confidential and sensitive information.

Background Checks

• 4.2 The Company hereby agrees that its policies and hiring procedures must include performing background checks and satisfying the provisions in Section 4.2.2 (to the extent legally permitted within the applicable jurisdiction) when hiring each applicant …
Added p. 49
The Company hereby acknowledges and agrees that its internal quality assurance reviews must be performed by qualified personnel and must cover scan scope validation, assessment procedures performed, supporting documentation as applicable, evidence to support any exceptions, false-positives or compensating controls noted in the scan report, remediation recommendations, proper use of definitions, consistent findings, and documentation of results as applicable.

The Company hereby acknowledges and agrees that it must have and adhere to a change management policy and processes for changes to the ASV scan solution.

The Company hereby acknowledges and agrees that it has and shall keep in place controls to maintain the integrity of its ASV scan solution. Each ASV scan solution must:

• Be protected from unauthorized access

• Adhere to the ASV Company’s change management policy and processes for changes to the ASV scan solution

• Be monitored or able to produce alerts when changes are made

• Ensure the ASV …
Added p. 50
The Company agrees to make the foregoing materials and information available to PCI SSC upon request for a minimum of three (3) years.

The Company agrees to provide a copy of the foregoing evidence-retention policy and procedures to PCI SSC upon request.

By signing below, the undersigned hereby:

(a) Represents and certifies to PCI SSC that (s)he is an officer of the Company and is duly authorized to legally bind the Company to the terms of this ASV Company Application; and (b) Both individually and by and on behalf of the Company: (i) represents and certifies that the information provided in this ASV Company Application is true, correct, and complete, and (ii) acknowledges, accepts, agrees to, and makes the attestations and certifications set forth in (as the case may be) each of the statements checked (or otherwise marked) in this ASV Company Application above.

Legal Name of Applicant ASV Company Officer: Job Title:
Added p. 51
Company Information

Company Name:

Applicant Information

Applicant Name: Job Title:
Added p. 51
From (date): To (date): Total time: Years Months

Provide examples of the Applicant’s work and/or description of experience in the following areas of expertise.

Note: If the Applicant possesses a professional industry certification, they must have a minimum of one (1) year of experience in at least two (2) of the following areas. If the Applicant does not possess a professional industry certification, they must have a minimum of three (3) years’ experience in at least two of the following areas.

Examples of Applicant’s work and/or description of experience in network security (for example, implementation and administration of routers, access control lists, firewalls, intrusion prevention systems, etc.):

From (date): To (date): Total time: Years Months Examples of Applicant’s work and/or description of experience in application security (for example, secure software development, software QA testing and vulnerability assessment, OWASP, etc.):

From (date): To (date): Total time: Years Months Examples of Applicant’s work and/or description of …
Added p. 52
Attach, copy/paste or upload Applicant’s Résumé or curriculum vitae (CV).

The Applicant hereby agrees to adhere to the ASV Company’s documented process for protection of confidential and sensitive information, which includes adequate physical, electronic, and procedural safeguards consistent with industry-accepted practices to protect confidential and sensitive information against any threats or unauthorized access during storage, processing, and/or communicating of this information.

The Applicant hereby acknowledges and agrees that they have read and understand the PCI SSC Code of Professional Responsibility, and hereby agrees to advocate, continuously adhere to, and support the terms and provisions thereof.

By signing below, I hereby acknowledge and agree that:

(a) The information provided above is true, accurate and complete; and (b) I have read and understand the ASV Qualification Requirements and will comply with the terms thereof Applicant Name:

Applicant signature: Date:
Modified p. 4
Organizations recognized by PCI SSC to validate adherence to the PCI DSS by performing vulnerability scans of internet facing environments of merchants and service providers as part of the PCI SSC Approved Scanning Vendor Compliance Test Program (the “ASV Program”) are known as “Approved Scanning Vendor companies” (“ASV Companies,” as further described below).
Organizations recognized by PCI SSC to validate adherence to the PCI DSS by performing vulnerability scans of internet facing environments of merchants and service providers as part of the PCI SSC Approved Scanning Vendor Compliance Test Program (the “ASV Program”) are known as “Approved Scanning Vendor companies” or “ASV Companies” (defined below).
Modified p. 4
PCI SSC provides a variety of tools to promote the compliance of internet-facing systems with the PCI DSS, including specific requirements for scans of merchants and service providers, and for periodic remote scanning services performed by ASV Companies as part of the ASV Program (“PCI Scanning Services,” as further described below).
PCI SSC provides a variety of tools to promote the compliance of internet-facing systems with the PCI DSS, including specific requirements for vulnerability scans of merchants and service providers, and for periodic remote testing, vulnerability scanning, and/or vulnerability assessment services performed by ASV Companies as part of the ASV Program (collectively, “PCI Scanning Services,” as more fully described below).
Modified p. 4
Validation of these requirements by independent and qualified security companies is important to help ensure the effectiveness of the PCI DSS. The quality, reliability, and consistency of an ASV Company’s work are essential to ensure the protection of cardholder data.
Validation against these requirements by independent and qualified security companies is important to help ensure the effectiveness of the PCI DSS. The quality, reliability, and consistency of an ASV Company’s work are essential to ensure the protection of cardholder data.
Modified p. 4
ASV Agreement The then current version of (or successor document to) the PCI ASV Compliance Test Agreement, the current version of which is attached as Appendix A to the ASV Qualification Requirements.
Term Meaning ASV Agreement The then current version of (or successor document to) the PCI ASV Compliance Test Agreement, the current version of which is attached as Appendix A to the ASV Qualification Requirements.
Modified p. 4
ASV Company A data security firm that has been qualified, and continues to be qualified, by PCI SSC to use an ASV Scan Solution to determine compliance of their Scan Customers with the external vulnerability scanning requirement of PCI DSS Requirement 11.2.2 for ASV Program purposes.
ASV Company A data security company that has been qualified, and continues to be qualified, by PCI SSC to use an ASV scan solution of such company appearing on the ASV List to determine compliance of its Scan Customers with the external vulnerability scanning requirement of PCI DSS Requirement 11.2.2 for ASV Program purposes.
Removed p. 5
ASV Scan Solution A set of security services, tool(s) and processes offered by an ASV Company to validate compliance of a Scan Customer with the external vulnerability scanning requirement of PCI DSS Requirement 11.2.2 for ASV Program purposes, including without limitation, all corresponding ASV Company scanning procedures, scanning tool(s), scan reports, processes for exchanging information between the ASV Company and the Scan Customer, and processes used by the applicable ASV Company and its ASV Employees to:

• Operate the ASV Scan Solution

• Submit the scan report to the Scan Customer and

• Review and interpret scan results, as needed.

ASV Validation Lab A third party testing facility designated by PCI SSC for purposes of evaluating and determining whether ASV Scan Solutions perform in accordance with the ASV Program Guide.
Modified p. 5
ASV List The then current list of ASV Companies published by PCI SSC on the Website.
ASV List The then-current list of ASV Companies and corresponding ASV scan solutions published by PCI SSC on the Website.
Modified p. 5
ASV Requirements With respect to a given ASV Company or ASV Employee, the requirements and obligations thereof pursuant to the ASV Qualification Requirements, the ASV Agreement, the ASV Program Guide, each addendum, supplement, and other agreement entered into between such ASV Company or ASV Employee and PCI SSC, and any and all other policies, procedures, requirements or obligations imposed, mandated, provided for or otherwise established by PCI SSC from time to time in connection with any PCI SSC program in …
ASV Requirements With respect to a given ASV Company or ASV Employee, the requirements and obligations thereof pursuant to the ASV Qualification Requirements, the ASV Agreement, the ASV Program Guide, each addendum, supplement, and other agreement entered into between such ASV Company or ASV Employee and PCI SSC, and any and all other policies, procedures, requirements or obligations imposed, mandated, provided for or otherwise established by PCI SSC from time to time in connection with any PCI SSC program in …
Removed p. 6
Scan Customer A merchant or service provider that undergoes a quarterly external vulnerability scan performed by an ASV Company for purposes of validating such Scan Customer’s compliance with the external vulnerability scanning requirement of PCI DSS Requirement 11.2.2 for ASV Program purposes.
Removed p. 6
All ASV Companies appear on the ASV List. If a security company is not on this list, its work product is not recognized by PCI SSC. ASV Companies and ASV Employees must re-qualify annually.

The ASV Qualification Requirements are incorporated into the ASV Agreement. To initiate the qualification process, the security company must sign the ASV Agreement in unmodified form and submit it to PCI SSC. One provision of the ASV Agreement requires the company to warrant that, to the best of its ability, the information provided to PCI SSC to support the ASV application process is accurate and complete as of the date of its submission.
Modified p. 6
Website The then-current PCI SSC Web site (and its accompanying Web pages), which is currently available at http://www.pcisecuritystandards.org.
Website The then-current PCI SSC website (and its accompanying web pages), which is currently available at www.pcisecuritystandards.org.
Modified p. 6
To be qualified as an ASV Company by PCI SSC, the ASV Company and its ASV Employees and ASV Scan Solution(s) must meet or exceed all applicable ASV Requirements, and the ASV Company must execute the ASV Agreement with PCI SSC. Companies that qualify are identified on PCI SSC’s ASV List on the PCI SSC’s Website in accordance with the ASV Agreement.
To be qualified as an ASV Company by PCI SSC, the ASV Company, its ASV Employees and ASV scan solution(s) must meet or exceed all applicable ASV Requirements, and the ASV Company must execute and have in full force and effect an ASV Agreement with PCI SSC. Companies that qualify are identified on the ASV List subject to and in accordance with the ASV Agreement.
Modified p. 6
The requirements defined in this document serve as a qualification baseline, and provide a transparent process for ASV Company and ASV Employee qualification and re-qualification for ASV Program purposes. Among other things, the ASV Company and ASV Employees must adhere to all requirements in these ASV Qualification Requirements, and must provide all of the required provisions described herein.
The requirements defined in this document serve as a qualification baseline, and provide a transparent process for ASV Company and ASV Employee qualification and requalification for ASV Program purposes. Among other things, the ASV Company and ASV Employees must adhere to all requirements in these ASV Qualification Requirements, and must provide all of the required provisions described herein.
Modified p. 6 → 7
Section 1: Introduction offers a high level overview of the ASV application process.
Section 1: Introduction offers a high-level overview of the ASV Program application process.
Removed p. 7
Section 5: ASV Qualification Maintenance briefly outlines the yearly re-qualification process, as well as remediation and revocation procedures if there is a breach of the ASV Agreement.

• Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS)
• Payment Card Industry (PCI) Approved Scanning Vendors Program Guide

1.6 ASV Application Process

In addition to explaining the requirements that an ASV Company and its ASV Employees must meet to be recognized by PCI SSC to perform PCI Scanning Services, this document describes the information that must be provided to PCI SSC as part of the application and qualification process. Each outlined requirement is followed by the information that must be submitted to document that the security company meets or exceeds the stated requirements. To facilitate preparation of the application package, refer to Appendix B: “ASV Application Process Checklist.” All application materials and the signed ASV Agreement must be …
Modified p. 7 → 8
All application packages must include a signed ASV Agreement and the required documentation. Applicants should send the completed packages by mail to the following address:
All application packages must include a signed ASV Agreement and the required documentation. Completed application packages must be submitted either by e-mail to the ASV Program Manager at asv@pcisecuritystandards.org or via postal mail to the following address:
Modified p. 7 → 8
PCI SSC 401 Edgewater Place, Suite 600 Wakefield, MA 01880 Phone number: 1-781-876-8855 E-mail submissions will not be accepted.
PCI SSC 401 Edgewater Place, Suite 600 Wakefield, MA 01880 Phone number: 1-781-876-8855
Removed p. 9
• The ASV Company must fully disclose in a separate document and attach to the scan report if they perform PCI Scanning Services to customers who use any security-related devices or security-related applications that have been developed or manufactured by the ASV Company, or to which the ASV Company owns the rights, or that the ASV Company has configured or manages, including the following:

• Application or network firewalls
Modified p. 9
• Copy of current ASV Company organizational document or equivalent approved by PCI SSC (the “Business License”), including year of incorporation and location(s) of offices (see the Website: Business License Requirements)
• Written statements describing any past or present allegations or convictions of any fraudulent or criminal activity involving the ASV Company (and ASV principals), and the status and resolution

2.2 Independence

2.2.1 Requirement

The ASV Company must adhere to professional and business ethics, perform its duties with objectivity, and …
• Copy of current ASV Company (or applicant, as applicable) organizational document or equivalent approved by PCI SSC (the “Business License”), including year of incorporation and location(s) of offices (see the Website: Business License Requirements)
• Written statements describing any past or present allegations or convictions of any fraudulent or criminal activity involving the ASV Company (or applicant, as applicable) or any of its principals, and the status and resolution thereof

2.2 Independence

2.2.1 Requirement

Each ASV Company must adhere …
Modified p. 9
The ASV Company must have a code of conduct policy, and provide this code of conduct policy to PCI SSC upon request.
Each ASV Company (and applicant, as applicable) must have a code of conduct policy, and provide this code of conduct policy to PCI SSC upon request.
Modified p. 9
The ASV Company must adhere to all independence requirements as established by PCI SSC, including without limitation, the following:
Each ASV Company must adhere to all independence requirements as established by PCI SSC, including without limitation, the following:
Modified p. 9
• The ASV Company must (and will) not have offered, been offered, provided or received any gift, gratuity, service, or other inducement to any employee of PCI SSC, or to any Scan Customer, in order to enter into the ASV Agreement or any agreement with any Scan Customer, or to provide ASV-related services.
• The ASV Company and its employees must (and will) not have offered, been offered, provided or received any gift, gratuity, service, or other inducement to any employee of PCI SSC, or to any actual or proposed Scan Customer, in order to enter into the ASV Agreement or any agreement with such Scan Customer, or to provide any ASV Program-related services.
Removed p. 10
• Database or other encryption solutions

• Security audit log solutions

• File integrity monitoring solutions

• Anti-virus solutions

• The ASV Company must have an internal separation of duties between the scanning service they provide and any managed security services provided to Scan Customers.
Removed p. 10
• ASV Company customer uses products or applications developed or manufactured by the ASV Company.

• ASV Company customer uses products or applications managed or configured by the ASV Company.

The description must include details with respect to compliance with the independence requirements described in Section 2.2.1 above.
Modified p. 10
• The ASV Company agrees that when the ASV Company recommends remediation actions which include one of its own solutions or products, the ASV Company will also recommend other market options that exist.
• The ASV Company agrees that when the ASV Company recommends remediation actions that include one of its own solutions or products, the ASV Company will also recommend other market options that exist.
Modified p. 10
• The ASV Company agrees that it will not use its status as a “listed ASV” to market services unnecessary to bring ASV Company subjects into compliance with the PCI DSS.
• The ASV Company agrees that it will not use its status as an ASV Company to market services unnecessary to bring Scan Customers into compliance with the PCI DSS or any other PCI SSC Standard.
Modified p. 10
• The ASV Company must not, and agrees that it will not, misrepresent requirements of the PCI DSS in connection with its promotion or sales of services to ASV Company clients, or state or imply that the PCI DSS requires use of the ASV Company's products or services.
• The ASV Company must not, and agrees that it will not, misrepresent any requirement of the PCI DSS or any other PCI SSC Standard in connection with its promotion or sales of services to actual or proposed Scan Customers, or state or imply that the PCI DSS or any other PCI SSC Standard requires use of the ASV Company's products or services.
Modified p. 10
The ASV Company must adhere to all requirements for insurance coverage required by PCI SSC, including without limitation, the requirements in Appendix C: Insurance Coverage, which includes details of required insurance coverage.
The ASV Company must adhere to all requirements for insurance coverage required by PCI SSC, including without limitation the requirements in Appendix B: Insurance Coverage, which includes details of required insurance coverage.
Removed p. 11
• The Initial Test for New Solution fee, which must be paid in full within 30 days of notification.

• An annual ASV re-qualification test fee for subsequent years.

• For each ASV Employee, a fee for PCI SSC training. This is an annual fee.

PCI SSC requires that all agreements between PCI SSC and the ASV Company (including the ASV Agreement) be signed by a duly authorized officer of the ASV Company, submitted in unmodified form to PCI SSC, and submitted with the completed ASV application package.
Modified p. 11
Note: All of the fees described herein (“ASV Program Fees”) are specified on the Website (see PCI SSC Programs Fee Schedule) and are subject to change.
Note: All ASV Program Fees are specified on the Website (see PCI SSC Programs Fee Schedule) and are subject to change.
Removed p. 12
• ASV Company’s experience and knowledge with information security vulnerability assessment engagements and penetration testing, preferably related to payment systems
• Description of the ASV Company’s relevant areas of specialization within information security (for example, network security, database and application security, and incident response)
• Evidence of a dedicated security practice, such as:
Modified p. 12
The ASV Company must have a dedicated security practice that includes staff with specific job functions that support the security practice.
• Have a dedicated security practice that includes staff with specific job functions that support the information security/vulnerability scanning practice.
Removed p. 13
• Possess a minimum of three (3) years of information security experience as follows:
o A minimum of one (1) year in vulnerability scanning and/or penetration testing
o At least two (2) years in any two of the following areas of expertise (with a minimum of one year in each discipline):
Removed p. 13
• Possess ONE of the following:
o A current industry-recognized security certification: CISA, CISM, CISSP
o An additional two (2) years of information security experience, in at least two of the following areas of expertise, with a minimum of one year in each discipline:

• Network security
• Application security
• System security
• IT security auditing
• IT security risk assessment

3.2.2 Provisions

Note: This section is intended to draw out specific experience from the Candidate (defined below). The Candidate must provide examples (including the timeframe) of how their work experience meets the ASV Program requirements. This section is intended to measure the Candidate’s skills against the required skills.

• A current copy of the Candidate’s Résumé or Curriculum Vitae:
Removed p. 14
• Years of experience related to payment industry and responsibilities

• A description of a minimum of three (3) years of information security experience as follows:
o A description of a minimum of one (1) year in vulnerability scanning and/or penetration testing
o A description of at least two (2) years in any two of the following areas of expertise (with a minimum of one year in each discipline):

• ONE of the following:
o A copy of a current industry-recognized security certification: CISA, CISM, CISSP
o A description of an additional two (2) years of information security experience, in at least two of the following areas of expertise, with a minimum of one year in each discipline:
Modified p. 15
• Name
• Job Title
• Address
• Phone number
• Fax number
• E-mail address

4.2 Background Checks

4.2.1 Requirements

The ASV Company must perform a background check satisfying the Minimum Background Check Requirements (described below) when hiring each ASV Employee, to the extent legally permitted within the applicable jurisdiction.

• Name
• Job Title
• Address
• Phone number
• Fax number
• E-mail address

4.2 Background Checks

4.2.1 Requirement

Each ASV Company must perform background checks that satisfy the provisions described below (to the extent legally permitted within the applicable jurisdiction) with respect to each applicant ASV Employee.
Modified p. 15
Upon request, the ASV Company must provide to PCI SSC the background check history for each ASV Employee, to the extent legally permitted within the applicable jurisdiction.
Major offenses (for example, felonies or non-US equivalents) may disqualify an applicant from qualifying as an ASV Employee. Minor offenses (such as misdemeanors or non-US equivalents) are allowed.
Upon request, each ASV Company must provide to PCI SSC the background check history for each ASV Employee (or applicant ASV Employee), to the extent legally permitted within the applicable jurisdiction.
Modified p. 15 → 18
The ASV Company must adhere to all legally permissible background check requirements as required by PCI SSC from time to time.
Each ASV Company must adhere to all requirements to protect sensitive and confidential information, as required by PCI SSC.
Removed p. 16
• Verification of aliases (when applicable)
• Review of records of any criminal activity, arrests, or convictions, updated annually
• Misdemeanors and non-US equivalents are allowed, but felonies and non-US equivalents automatically disqualify an employee from consideration as an ASV Employee

4.3 Adherence to PCI Procedures

4.3.1 Requirements

• The ASV report must follow the procedures documented in the ASV Program Guide
• An officer of the ASV Company must sign the ASV Agreement, which includes a statement that the ASV Company will adhere to all ASV Requirements

4.4 Quality Assurance

4.4.1 Requirements

• The ASV Company must have an implemented quality assurance process, documented in a quality assurance manual that includes a description of the controls for quality assurance reviewing of processes and documentation and controls to maintain the integrity of the scanning tools.

• The ASV Company must adhere to all PCI SSC quality assurance requirements.

• The ASV Company …
Removed p. 16
• The ASV Company’s executed ASV Agreement, which includes a statement that the ASV Company has developed and implemented, and will adhere to, a quality assurance process and manual

• A description of the contents of the ASV Company’s quality assurance process, to confirm the procedures fully document the PCI Scanning Services and the review process for generation of the report requirements contained in the ASV Program Guide, including at least the following:
Removed p. 17
• Requirement that ASV Employees must adhere to the ASV Program Guide

• Requirement that the ASV Company has controls to maintain the integrity of their ASV Scan Solution tool(s). ASV Scan Solutions must:
o Be protected from unauthorized access
o Adhere to the ASV Company’s change management policy and processes for changes to the ASV Scan Solution
o Be monitored or able to produce an alert when changes are made
o Ensure the ASV Company’s systems cannot be used to gain unauthorized access to a Scan Customer’s environment

4.5 Protection of Confidential and Sensitive Information

4.5.1 Requirements

The ASV Company must maintain adequate physical, electronic, and procedural safeguards consistent with industry-accepted practices to protect sensitive and confidential information against any threats or unauthorized access during storage, processing, and/or communicating of this information.

The ASV Company must adhere to all requirements to protect sensitive and confidential information, as required by PCI SSC.

The …
Removed p. 17
• Description of the ASV Company’s confidential and sensitive data protection handling practices, including physical, electronic, and procedural safeguards, including at least the following:

• Systems storing customer data do not reside on Internet accessible systems
• Protection of systems storing customer data by adequate network and application layer controls including a firewall and IDS/IPS
• The following physical and logical access controls:
Removed p. 18
The ASV Company must adhere to all requirements to protect sensitive and confidential information, as required by PCI SSC.

This information must be available upon request by PCI SSC and its Affiliates for a minimum of three (3) years.
Modified p. 18
The ASV Company must provide a copy of evidence retention policy and procedures to PCI SSC upon request.
Each ASV Company (or applicant) must provide a copy of its evidence-retention policy and procedures to PCI SSC upon request.
Removed p. 19
In the event a company does not meet the requirements in this document, PCI SSC will notify the company.

The company will have 30 days from the date of notification to appeal the decision. Appeals must be addressed to PCI SSC General Manager. If a company’s appeal is denied, its name will not be placed on the ASV List.

PCI SSC reserves the right to perform random on-site audits of the ASV Company.
Removed p. 19
• Proof of information systems vulnerability assessment training within the last 12 months to support professional certifications (even if the employee does not have professional certifications), of a minimum 20 hours per year and 120 hours over the rolling three year period. This is in addition to training provided by PCI SSC.

• Payment of annual re-qualification fees (fees can be found on the Website: PCI SSC Programs Fee Schedule).
Modified p. 19 → 15
PCI SSC reserves the right to perform random site audits of the ASV Company.
Note: PCI SSC reserves the right to decline or reject any application or applicant ASV Employee.
Removed p. 20
Issues such as failure to submit annual re-qualification fees, failure to meet annual training requirements, failure to meet Continuing Education (CE) requirements or failure to pass the annual ASV Lab Scan Test requirement within 30 days after the re-qualification date will result in remediation. ASV Companies who fail to meet such requirements will remain in remediation until the issue is resolved or until 60 days past the re-qualification date.

ASV Companies who are unable to resolve their issues 60 days past the re-qualification date may be removed from the ASV List. ASV Companies that have been removed from the ASV List in connection with remediation will receive an e-mail notifying them that they are no longer an ASV Company and are not recognized by PCI SSC to perform PCI Scanning Services. ASV Companies that are removed from the ASV List as part of the remediation process (for any reason other than …
Removed p. 21
• The ASV Company fails to validate compliance in accordance with the ASV Program Guide.

• The ASV Company violates any provision regarding non-disclosure of confidential materials.

• The ASV Company fails to maintain physical, electronic, and procedural safeguards to protect confidential and sensitive information and/or fails to report unauthorized access to systems storing confidential and sensitive information.

• The ASV Company engages in unprofessional or unethical business conduct.

• The ASV Company fails to provide quality services, based on customer feedback or evaluation by PCI SSC or its Affiliates.

• The ASV Company fails to satisfy any other ASV Requirement.

When ASV Company qualification is revoked, the ASV Company will have 30 days from the date of notification to appeal the revocation. Appeals must be addressed to the PCI SSC General Manager.

If an ASV Company’s appeal is denied, the following will result:

• The ASV Company’s name will be removed from the ASV List.

• PCI SSC …
Removed p. 22
PCI SSC and Vendor are hereinafter each referred to as a "Party" and collectively as the “Parties”.

A. PCI SSC is an international consortium of payment systems companies, established by its founding Members to maintain, develop and support the implementation of standards relating to payment account security.

B. PCI SSC offers a global security solution called the PCI SSC Approved Scanning Vendor Compliance Test Program ("ASV Program"), which provides security compliance solution vendors with the ability to provide PCI Scanning Services (defined in the ASV Qualification Requirements) to deploy security compliance programs to assist their Scan Customer to better protect against illegitimate network intrusions and account data compromises (collectively, "Vendor Services").

C. PCI SSC publishes the PCI DSS (defined below).

D. Vendor is the provider of one or more ASV Scan Solutions that it believes are compliant with the PCI DSS.

E. PCI SSC is willing to assist and to check whether such ASV Scan …
Removed p. 24
Sections 1 to 14

Schedule 1: Compliance Notification (sample)

2 Vendor Services and obligations

2.1 Subject to the terms and conditions of this Agreement, while Vendor is in Good Standing (defined below) or as otherwise expressly approved by PCI SSC in writing, PCI SSC hereby approves Vendor to perform Vendor Services for Scan Customers in accordance with the ASV Program using those of Vendor’s ASV Scan Solutions that appear on PCI SSC's then current published registry of validated ASV Scan Solutions. Vendor shall provide all reasonable assistance as well as accurate information and documentation to PCI SSC and its agents as may be needed for the purpose of Testing and the ASV Program.
Removed p. 28
(a) As long as Vendor is in Good Standing (as defined below) as an ASV Company, PCI SSC may, at its sole discretion, display the identification of Vendor and each ASV Scan Solution of Vendor that has been qualified by PCI SSC for ASV Program Purposes, together with information as to such qualification, in the ASV List (defined in the ASV Qualification Requirements). Vendor shall provide all requested information necessary to ensure to PCI SSC's satisfaction that the identification and information provided on the ASV List are accurate. Vendor shall be deemed to be in "Good Standing" as an ASV Company as long as this Agreement is in full force and effect, Vendor has been approved as an ASV Company and such approval has not been revoked, a Vendor ASV Scan Solution has successfully completed the Testing phase of the ASV Program and is in compliance with the PCI DSS, …
Modified p. 28
(b) If Vendor is in Good Standing and PCI SSC issues a Compliance Notification (in the form set out in Schedule 1) confirming that a given ASV Scan Solution is deemed compliant with the PCI DSS and that PCI SSC has approved Vendor as an ASV Company, Vendor may disclose and advertise the same and the existence of such Compliance Notification, in accordance with the terms of such Compliance Notification. In the event that Vendor is no longer in Good …
(b) So long as Vendor is in Good Standing (or in compliance with Remediation) as an ASV Company and PCI SSC has issued a then effective Compliance Notification (in the form set out in Schedule 1) confirming that a given ASV scan solution of Vendor is deemed compliant with the PCI DSS and that PCI SSC has approved Vendor as an ASV Company, Vendor may disclose and advertise the same and the existence of such Compliance Notification, in accordance with …
Modified p. 29 → 31
(b) Except with regard to Personal Information, such confidentiality obligation shall not apply to information which: (i) is in the public domain or is publicly available or becomes publicly available otherwise than through a breach of this Agreement; (ii) has been lawfully obtained by the Receiving Party from a third party; (iii) is known to the Receiving Party prior to disclosure by the Disclosing Party without confidentiality restriction; or (iv) is independently developed by a member of the Receiving Party's
(b) Except with regard to Personal Information, such confidentiality obligation shall not apply to information which: (i) is in the public domain or is publicly available or becomes publicly available otherwise than through a breach of this Agreement; (ii) has been lawfully obtained by the Receiving Party from a third party; (iii) is known to the Receiving Party prior to disclosure by the Disclosing Party without confidentiality restriction; or (iv) is independently developed by a member of the Receiving Party’s
Removed p. 33
(b) All Revocation appeal proceedings will be conducted in accordance with such procedures as PCI SSC may establish from time to time, PCI SSC will review all relevant evidence submitted by Vendor and each complainant (if any) in connection therewith, and PCI SSC shall determine whether termination of Vendor's qualification as an ASV Company is warranted or, in the alternative, no action, or specified remedial actions shall be required of Vendor. All determinations of PCI SSC regarding Revocation and any related appeals shall be final and binding upon Vendor. If PCI SSC determines that termination is warranted, this Agreement shall terminate effective immediately upon such determination. If PCI SSC determines that no action is required of Vendor, the Revocation shall be lifted and Vendor shall be reinstated on the ASV List. If PCI SSC determines that remedial action is required, PCI SSC may establish a date by which such …
Removed p. 38
For PCI SSC Use Only:

PCI SSC Officer Signature 
Modified p. 38 → 23
Principal Contact Person’s Name:
Primary Contact Name: Job Title:
Modified p. 38 → 23
Direct Telephone Number: Fax:
Direct Telephone Number: E-mail:
Modified p. 38 → 23
Country: Postal Code:
State/Province: Country: Postal Code:
Modified p. 38 → 23
Vendor’s Signature Vendor’s Officer Signature  Date  Applicant Officer Name: Title:
Vendor’s Officer Signature  Date  Job Title:
Modified p. 38 → 23
PCI SSC Officer Name: Title:
Vendor Company Officer Vendor Officer Name: Job Title:
Modified p. 39 → 42
<Name of the solution> Successful completion of the abovementioned Testing at this date indicates that the abovementioned ASV Scan Solution (whose configuration is identified in the appendix below) complies with the current PCI DSS and that you have completed all applicable ASV Company requirements as of the date of this letter.
<Name of the solution> Successful completion of the abovementioned Testing at this date indicates that the abovementioned ASV scan solution (whose configuration is identified in the appendix below) complies with the current PCI DSS and that you have completed all applicable ASV Company requirements as of the date of this letter.
Modified p. 39 → 42
Even though you have been approved as an ASV Company and the abovementioned ASV Scan Solution has successfully completed PCI SSC Testing and is deemed to be compliant with the PCI DSS at this date, all rights and remedies resulting from your presenting yourself as an ASV Company or your sale, licensing, distribution or use of the abovementioned ASV Scan Solution shall be provided by your organization and not by PCI SSC.
Even though you have been approved as an ASV Company and the abovementioned ASV scan solution has successfully completed PCI SSC Testing and is deemed to be compliant with the PCI DSS at this date, all rights and remedies resulting from your presenting yourself as an ASV Company or your sale, licensing, distribution, or use of the abovementioned ASV scan solution shall be provided by your organization and not by PCI SSC.
Modified p. 39 → 42
Subject to your compliance with the terms and conditions of the Agreement, you are entitled to advertise your status as a "PCI SSC-Approved Scanning Vendor" and that the abovementioned ASV Scan Solution has "successfully completed PCI SSC ASV Compliance Testing" and/or that such ASV Scan Solution is "ASV Program compliant".
Subject to your compliance with the terms and conditions of the Agreement, you are entitled to advertise your status as a “PCI SSC-Approved Scanning Vendor” and that the abovementioned ASV scan solution has “successfully completed PCI SSC ASV Compliance Testing” and/or that such ASV scan solution is “ASV Program compliant”.
Modified p. 39 → 42
If you wish to provide for any other statements or announcements public or not, whether in writing or not, you must request PCI SSC's prior written approval.
If you wish to provide for any other statements or announcements public or not, whether in writing or not, you must request PCI SSC’s prior written approval.
Modified p. 39 → 42
Your ASV Company status, and that of the abovementioned ASV Scan Solution, is effective upon dispatch of this Compliance Notification and shall remain valid as provided in the Agreement.
Your ASV Company status, and that of the abovementioned ASV scan solution, is effective upon dispatch of this Compliance Notification and shall remain valid as provided in the Agreement.
Modified p. 39 → 42
Because ASV Company status is subject to various limitations, including certain events of termination, you and any third parties should confirm that such compliance status is current and has not been terminated by referring to the list of ASV Companies published on the PCI SSC web site at http://www.pcisecuritystandards.org.
Because ASV Company status is subject to various limitations, including certain events of termination, you and any third parties should confirm that such compliance status is current and has not been terminated by referring to the list of ASV Companies published on the PCI SSC web site at www.pcisecuritystandards.org.
Removed p. 41
ASV Business Requirements (Requirement / Information/Documentation Needed)

Legitimate Business Entity:
• Copy of business license
• Year of incorporation
• Location(s) of office(s)
• Written statement describing any past or present allegations or convictions of any fraudulent or criminal activity involving the security company and its principals

Independence:
• Company signature on the ASV Agreement
• Description of company’s practices to maintain independence

Insurance Coverage:
• Company signature on the ASV Agreement
• Proof of insurance coverage that meets PCI SSC requirements, as per Appendix C, including:

    • Commercial General Liability; and
Removed p. 43
• Examples of work or a description of a minimum of one (1) year in vulnerability scanning and/or penetration testing

• Examples of work or a description of at least two (2) years in any two of the following areas of expertise (with a minimum of one year in each discipline):

    • Network security
    • Application security
    • System security
    • IT security auditing
    • IT security risk assessment

ONE of the following:

• A copy of a current industry-recognized security certification: CISA, CISM, CISSP

• Examples of work or a description of an additional two (2) years of information security experience, in at least two of the following areas of expertise, with a minimum of one year in each discipline:

Note: This section is intended to draw out specific experience from the Candidate. The Candidate must provide examples (including the timeframe) of how their work experience meets the ASV Program requirements. This section is …