Document Comparison
QSA_Program_Guide_v3.0.pdf
→
QSA_Program_Guide_v4.1.pdf
84% similar
Pages: 34 → 38
Words: 12509 → 13292
Content Changes: 112
112 content changes. 45 administrative changes (dates, page numbers) hidden.
Added
p. 2
• Performed minor clarifications in language throughout.
• Updated definitions according to PCI DSS version 4.0.
• Added guidance for conducting assessments remotely.
• Added requirement for completing PCI DSS v4.x Items Noted for Improvement: Instructions and Worksheet.
• Added Appendix E to further clarify QA Evidence Requirements.
• Removed section 3.1.1 and replaced with reference to the PCI SSC Assessor Requalification Policy
May 2024 4.1
• Removed requirement for PCI DSS v4.x Items Noted for Improvement (INFI) - Instructions and Worksheet
Added
p. 5
Payment Card Industry Data Security Standard Requirements and Testing Procedures (“PCI DSS”) Consists of the 12 PCI DSS principal requirements, detailed security requirements, corresponding testing procedures, and other information pertinent to each requirement. The standard also provides detailed guidelines and best practices to assist entities to prepare for, conduct, and report the results of a PCI DSS Assessment.
PCI DSS Attestations of Compliance (AOCs) Forms for merchants and service providers to attest to the results of a PCI DSS Assessment, as documented in the Self- Assessment Questionnaire or Report on Compliance.
Added
p. 6
PCI DSS Self-Assessment Questionnaires (SAQs) Reporting tools used to document self-assessment results from an entity’s PCI DSS Assessment.
Added
p. 7
Participating Payment Brand Also referred to as “payment brand.” A payment card brand that, as of the time in question, is then formally admitted as (or an affiliate of) a member of PCI SSC pursuant to its governing documents. At the time of writing, Participating Payment Brands include PCI SSC Founding Members and Strategic Members.
Added
p. 10
• Being present onsite at the assessed entity for the duration of each PCI DSS Assessment or perform remote assessment activities in accordance with applicable PCI SSC assessment guidance.
• Evaluating customized controls and deriving testing procedures to test those controls, as applicable.
Added
p. 11
• Refer to Appendix C, “Eight Guiding Principles Validated by Four Criteria (Four Cs),” to understand PCI SSC’s baseline for QSA Assessor quality.
• Designing, implementing, and documenting effective customized controls, and providing sufficient customized control documentation to the QSA Assessor, as applicable.
Added
p. 14
• Initiating or leading compliance discussions with payment brands or acquirers.
Added
p. 19
• QSA Employee certificates.
• entry page with expiration date, if applicable.
• Addresses for all QSA Program training locations throughout the year.
A QSA Company, through its QSA Employees (and assisting Associate QSA Employees, if applicable), is required to conduct PCI DSS Assessments in accordance with PCI DSS, which contains requirements, testing procedures, and guidance to ensure that the intent of each requirement is understood. QSA Employees must work only on those PCI SSC Assessments for which the QSA Employee is properly qualified by PCI SSC, having appropriate skills, including technology and language, and having an appropriate understanding of the Customer’s/Client’s business.
Added
p. 35
• Are all documents complete? Reporting, tick marks, and signatures are filled in, as appropriate.
Added
p. 37
All items created/collected for evidence should be appropriate, relevant, and clearly support the documented findings made by the QSA Employee.
• Examine: The QSA Employee critically evaluates data evidence. Common examples include documents (electronic or physical), screenshots, configuration files, audit logs, and data files.
• Observe: The QSA Employee watches an action or views something in the environment. Examples of observation subjects include personnel performing a task or process, system components performing a function or responding to input, environmental conditions, and physical controls.
• Interview: The QSA Employee converses with individual personnel. Interview objectives may include confirmation of whether an activity is performed, descriptions of how an activity is performed, and whether personnel have particular knowledge or understanding.
Requirements
All evidence must include:
• The name of the entity the evidence relates to.
• The date the evidence was created⎯e.g., the date the screenshot was captured, or the date of the interview, or the date the …
Added
p. 38
• Examine documentation:
Copy of document and/or specific text/details from the document that support how the requirement is met.
Document version and/or publication date, if applicable
Detailed description of the process (eyewitness account).
Results/conclusions from the process
• for example: reviewing removal of default logins, is there proof that the process actually is doing what is described?
• Examine system components:
System components are clearly and uniquely identified.
Configuration settings and values are clearly identified.
Note: Reviewing configurations in a system configuration standard is not sufficient.
Additional evidence requirements for compensating controls:
The QSA Employee must capture the testing performed to validate the compensating control. Captured evidence must:
• Be structured as one of the testing methods⎯i.e., Examine, Observe, Interview.
• Adhere to the evidence requirements for the respective test performed.
• Appropriately address the control. For example, if a technical control is in place, the test must …
Modified
p. 2
• Added Associate QSA
• Added Associate QSA Program.
Modified
p. 2
• Added Appendix A and B to provide sample criteria that QSA Companies are measured against during QSA Audits
• Added Appendices A and B to provide sample criteria that QSA Companies are measured against during QSA Audits.
Modified
p. 2
• Added requirement for QSA Annual QA
• Added requirement for QSA Annual QA Questionnaire.
Modified
p. 2
• Added Appendices C and D to provide additional QA guidance
• Added Appendices C and D to provide additional QA guidance.
Modified
p. 2
• Clarified requirement for QSAs to have appropriate skills for assessments
• Clarified requirement for QSAs to have appropriate skills for assessments.
Modified
p. 2
• Added requirement that QSAs must be trained on the version of the standard they are assessing
• Added requirement that QSAs must be trained on the version of the standard they are assessing.
Modified
p. 2
• Added ability for QSAs to opt into PCI ISA Program
• Added ability for QSAs to opt into PCI ISA Program.
Modified
p. 2
• Removed requirement that QSAs must submit CPEs to PCI SSC
• Removed requirement that QSAs must submit CPEs to PCI SSC.
Removed
p. 5
Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures (“PCI DSS”) Lists the specific technical and operational security requirements and provides the assessment procedures used by assessors to validate PCI DSS compliance.
PCI SSC Information Supplements Intended to provide additional guidance on specific topics, including recommendations and best practices. They are not intended to replace or supersede PCI SSC Standards, rather, as the name suggests, to supplement existing information.
Modified
p. 5
Document name Description CPE Maintenance Guide Provides the number of CPEs required on an annual basis by assessors to remain certified.
Document name Description CPE Maintenance Guide Provides the number of CPEs required on an annual basis by Assessor-Employees to remain certified.
Modified
p. 5
PCI DSS Glossary of Terms, Abbreviations, and Acronyms (the “Glossary”) Lists and defines the specific terminology used in the PCI DSS.
PCI DSS Glossary of Terms, Abbreviations, and Acronyms (the “Glossary”) Appendix G, “Glossary of Terms, Abbreviations, and Acronyms,” to the PCI DSS.
Modified
p. 5
PCI SSC Programs Fee Schedule Lists the current fees for specific qualifications, tests, retests, training, and other services.
PCI SSC Programs Fee Schedule Current list of fees for specific PCI SSC qualifications, tests, retests, training, and other services, as available on the Website.
Modified
p. 5
PCI DSS Template for Report on Compliance (“ROC Reporting Template”) Provides detail on how to document the findings of a PCI DSS Assessment and includes the mandatory template for use in completing a Report on Compliance.
PCI DSS Report on Compliance Template (“ROC Template”) Provides detail on how to document the findings of a PCI DSS Assessment and includes the mandatory template for use in completing a Report on Compliance.
Removed
p. 6
PA-DSS Acronym for Payment Application Data Security Standard. Refer to the PCI DSS Glossary of Terms, Abbreviations, and Acronyms (Glossary).
Modified
p. 6 → 7
Mentor Refer to QSA Qualification Requirements.
Modified
p. 6 → 7
Mentor Manual The documentation required to be maintained by a QSA Company as part of its participation in the Associate QSA Program.
Removed
p. 7
Payment Application Refer to the PCI DSS Glossary of Terms, Abbreviations, and Acronyms (Glossary).
Participating Payment Brand Refer to QSA Agreement.
Modified
p. 8 → 9
• Managing compliance enforcement programs (requirements, mandates or dates for compliance)
• Managing compliance enforcement programs (requirements, mandates, or dates for compliance)
Modified
p. 8 → 9
• Responding to cardholder data compromises.
• Responding to cardholder data compromises 2.2 PCI Security Standards Council
Modified
p. 8 → 9
• Maintains the PCI SSC Standards and related validation requirements, programs and supporting documentation.
• Maintains the PCI SSC Standards and related validation requirements, programs, and supporting documentation.
Modified
p. 8 → 9
As part of the quality assurance (QA) process, PCI SSC assesses whether overall QSA Company operations appear to conform to PCI SSC‘s quality levels and qualification requirements. See Section 5, Assessor Quality Management Program for additional information.
As part of the quality assurance (QA) process, PCI SSC assesses whether overall QSA Company operations appear to conform to PCI SSC‘s quality levels and qualification requirements. See Section 5, “Assessor Quality Management Program,” for additional information.
Modified
p. 8 → 10
• added to the QSA List and, through its QSA Employees, is thereby authorized to validate adherence to the PCI DSS in accordance with applicable Program requirements. Prior to being
• added to the QSA List and, through its QSA Employees, is thereby authorized to validate adherence to PCI DSS in accordance with applicable Program requirements. Prior to being
Removed
p. 9
• Being on-site at assessed entity during the PCI DSS Assessment.
• Refer to Appendix C, Eight Guiding Principles Validated by Four Criteria (Four Cs) to understand PCI SSC’s baseline for assessor quality.
Modified
p. 9 → 10
• Performing PCI DSS Assessments in accordance with the PCI DSS, including but not limited to:
• Performing PCI DSS Assessments in accordance with PCI DSS, including but not limited to:
Modified
p. 9 → 10
• Evaluating compensating controls as applicable.
• Evaluating compensating controls, as applicable.
Modified
p. 9 → 10
• Effectively using the PCI DSS ROC Reporting Template to produce Reports on Compliance.
• Effectively using the PCI DSS ROC Template to produce Reports on Compliance.
Modified
p. 9 → 10
• Stating whether or not the assessed entity has achieved compliance with PCI DSS. PCI SSC does not approve ROCs from a technical perspective, but performs QA reviews on ROCs to ensure that the documentation of testing procedures performed is sufficient to support the results of the PCI DSS Assessment. See Section 5, Assessor Quality Management Program for additional information.
• Stating whether or not the assessed entity has achieved compliance with PCI DSS. PCI SSC does not approve ROCs from a technical perspective, but performs QA reviews on ROCs to ensure that the documentation of testing procedures performed and the results are sufficient
Modified
p. 10 → 11
• Maintaining compliance with the PCI DSS at all times.
• Maintaining compliance with PCI DSS at all times, as applicable to the entity’s environment.
Modified
p. 10 → 11
• Providing sufficient documentation to the QSA to support the PCI DSS Assessment.
• Providing sufficient documentation to the QSA Assessor to support the PCI DSS Assessment.
Modified
p. 10 → 11
• Providing related attestation (e.g., proper scoping and network segmentation).
• Providing related attestation⎯e.g., proper scoping and network segmentation.
Modified
p. 10 → 11
• Providing feedback on QSA performance in accordance with the QSA Feedback Form on the Website.
• Providing feedback on QSA Assessor or Company performance in accordance with the QSA Feedback Form on the Website.
Modified
p. 10 → 11
• Notifying their acquirer and/or Participating Payment Brands if they suspect or discover a cardholder data breach.
• Notifying their acquirer and/or Participating Payment Brands if they suspect or discover an account data breach.
Removed
p. 11
For example, a qualification date of 15 November 2020 will be updated to 15 November 2021 upon successful completion, regardless of whether the requalification was completed on 31 October 2020 or 25 November 2020.
Note: The QSA certification is a requirement for other program certifications such as PA-DSS and P2PE.
Modified
p. 11 → 12
When a QSA Company has been active for at least two years, it is eligible to apply to join the Associate QSA Program and, accordingly, to apply to qualify eligible employees as Associate QSA Employees. For more information, see Section 3.2, Associate QSA Program.
When a QSA Company has been active for at least two years, it is eligible to apply to join the Associate QSA Program and, accordingly, to apply to qualify eligible employees as Associate QSA Employees. For more information, see Section 3.2, “Associate QSA Program.” QSA Employees are qualified to perform PCI SSC Assessments only to the version(s) of the PCI SSC Standard(s) for which they have successfully completed training.
Modified
p. 11 → 12
Additionally, each Assessor-Employee (QSA Employee and Associate QSA Employee, as applicable) must be requalified by PCI SSC on an annual basis. The annual requalification date is based upon the Assessor-Employee’s previous qualification date. QSA Employee requalification requires proof of two active industry certificates. AQSA Employee requalification requires proof of applicable Continuing Professional Education (CPE). Both QSA Employees and AQSA Employees must adhere to all requirements in the QSA Qualification Requirements and the PCI SSC Assessor Requalification Policy, both available in …
Removed
p. 12
• Registration for requalification training must be completed (and approved, where applicable) prior to the Assessor-Employee’s qualification expiration date. A candidate who is not registered prior to that expiry date must re-enroll as a new candidate.
• A two-week grace period is provided beyond the candidate’s expiry date in order to complete requalification training; however, candidates are not considered qualified by PCI SSC during this grace period and will not be requalified until they have successfully completed requalification training.
• Access to the requalification course and exam will be granted only after payment is processed, and candidates will have access to the exam up to four weeks prior to and two weeks past their expiration date.
• If a candidate is enrolled for requalification training and fails to take the training within the defined period, payment will be forfeited in full and the individual will need to reapply as a new QSA Employee …
Modified
p. 12 → 13
An Associate QSA Employee is able to apply to become a QSA Employee once they meet the QSA Requirements and have obtained the necessary Industry Certification(s) as stated in Section 3.2 of the QSA Qualification Requirements. It is not necessary for an Associate QSA Employee to retake the QSA Employee training and exam in the same year they qualify as a QSA Employee. There is no requirement regarding how long an individual must be an Associate QSA Employee before applying …
An Associate QSA Employee may apply to become a QSA Employee once they meet the QSA Requirements and have obtained the necessary Industry Certification(s) as stated in Section 3.2 of the QSA Qualification Requirements. It is not necessary for an Associate QSA Employee to retake the QSA Employee training and exam in the same year they qualify as a QSA Employee. There is no requirement regarding how long an individual must be an Associate QSA Employee before applying to become …
Modified
p. 12 → 13
1. Is responsible for understanding the level of expertise of the Associate QSA Employee and their ability to perform any assigned part of the PCI DSS Assessment independently.
1. Understanding the level of expertise of the Associate QSA Employee and their ability to perform any assigned part of the PCI DSS Assessment independently.
Modified
p. 12 → 13
2. Is responsible to review all notes and/or evidence collected by the Associate QSA Employee.
2. Reviewing all notes and/or evidence collected by the Associate QSA Employee.
Modified
p. 12 → 13
3. Is responsible to make the actual compliance determination.
3. Making the actual compliance determination.
Modified
p. 13
• Gathering of evidence (e.g., documentation and screenshots)
• Gathering of evidence⎯e.g., documentation and screenshots
Modified
p. 13
• Detailing business descriptions
• Detailing business descriptions.
Modified
p. 13
• Identifying responsible people to be included in the ROC
• Identifying responsible people to be included in the ROC.
Modified
p. 13
• Gathering list of third parties and lists of acquirers or connected entities
• Gathering list of third parties and lists of acquirers or connected entities.
Modified
p. 13
• Preparing draft sections of a ROC related to requirements for which the Associate QSA Employee has gathered the evidence
• Preparing draft sections of a ROC related to requirements for which the Associate QSA Employee has gathered the evidence.
Modified
p. 13
• Conducting interviews (under QSA Employee supervision), either directly or through a review of notes taken
• Conducting interviews (under QSA Employee supervision), either directly or through a review of notes taken.
Modified
p. 13 → 14
• Reviewing documented evidence with specific criteria provided by a QSA Employee
• Reviewing documented evidence with specific criteria provided by a QSA Employee.
Modified
p. 13 → 14
• Following up on remediated findings with specific criteria provided by a QSA Employee
• Following up on remediated findings with specific criteria provided by a QSA Employee.
Modified
p. 13 → 14
• Conducting data center/site visits with specific criteria provided by a QSA Employee (not intended for independent assessment of client’s primary sites) An Associate QSA Employee is restricted from performing the following duties:
• Conducting data center/site visits with specific criteria provided by a QSA Employee (not intended for independent assessment of client’s primary sites).
Modified
p. 13 → 14
• Leading a PCI DSS assessment
• Leading a PCI DSS assessment.
Modified
p. 13 → 14
• Confirming PCI DSS compliance to Customers
• Confirming PCI-DSS compliance to Customers.
Modified
p. 13 → 14
• Signing Attestations of Compliance (AOCs)
• Signing Attestations of Compliance (AOCs).
Modified
p. 13 → 14
• Validating the scope of a PCI DSS Assessment
• Validating the scope of a PCI DSS Assessment.
Modified
p. 13 → 14
• Selection of systems and systems components where sampling is used
• Selecting systems and systems components where sampling is used.
Modified
p. 13 → 14
• Evaluating compensating controls
• Evaluating compensating controls.
Modified
p. 13 → 14
• Evaluating customized controls
• Evaluating customized controls.
Modified
p. 14 → 15
• For recording QSAC-specific content such as contingency plan(s) for when mentors leave, and internal audit processes
• For recording QSAC-specific content such as contingency plan(s) for when mentors leave, and internal audit processes.
Modified
p. 14 → 16
• To be completed at onboarding with the Mentor and Associate QSA Employee and updated at least once every 90 calendar days to reflect the Associate QSA Employee’s quarterly progress and
• To be completed at onboarding with the Mentor and Associate QSA Employee and updated at least once every 90 calendar days to reflect the Associate QSA Employee’s quarterly progress; and
Modified
p. 15 → 16
The Associate QSA Employee is ultimately responsible for ensuring the completion, retention and delivery to relevant parties of the AQSA Skills Summary, AQSA Engagement Summary and AQSA Development Tracking Log. The Lead QSA must maintain a copy of the completed AQSA Engagement Summary in the workpapers for each PCI DSS Assessment. If more than one AQSA is assisting on a PCI DSS Assessment, an AQSA Engagement Summary must be completed for each Associate QSA Employee. Similarly, the Lead QSA must …
The Associate QSA Employee is ultimately responsible for ensuring the completion, retention, and delivery to relevant parties of the AQSA Skills Summary, AQSA Engagement Summary, and AQSA Development Tracking Log. The Lead QSA must maintain a copy of the completed AQSA Engagement Summary in the workpapers for each PCI DSS Assessment. If more than one AQSA is assisting on a PCI DSS Assessment, an AQSA Engagement Summary must be completed for each Associate QSA Employee. Similarly, the Lead QSA must …
Modified
p. 16 → 17
For example, if a Merchant is headquartered in the USA and has satellite offices in-scope for PCI DSS located in Singapore, the QSA Company must be qualified in both USA and Asia Pacific regions before they are permitted to perform QSA Services for the merchant.
• For example, if a Merchant is headquartered in the USA and has satellite offices in-scope for PCI DSS located in Singapore, the QSA Company must be qualified in both USA and Asia Pacific regions before they are permitted to perform QSA Services for the merchant.
Modified
p. 16 → 17
• If QSA Services must be performed outside of the qualified region or country it may be necessary to engage a QSA Company qualified for that region or country to perform the related tasks. Refer to 3.5.2, Subcontracting.
• If QSA Services must be performed outside of the qualified region or country, it may be necessary to engage a QSA Company qualified for that region or country to perform the related tasks. Refer to 3.5.2, “Subcontracting.”
Modified
p. 16 → 17
• To add or remove a region or country, contact the PCI SSC QSA Program Manager. Additional regions or countries will appear on the QSA List on the Website pending receipt of payment fees and evidence of insurance.
• To add or remove a region or country, contact the PCI SSC QSA Program Manager. Additional regions or countries will appear on the QSA List on the Website pending receipt of fee payment and evidence of insurance.
Modified
p. 17 → 18
Products Completed Operations Advertising Injury Personal Injury Contractual Liability Insurance
Modified
p. 17 → 18
Notices from PCI SSC to the Primary Contact may be communicated via the Portal, e-mail, registered mail or any other method permitted by the QSA Agreement.
Notices from PCI SSC to the Primary Contact may be communicated via the Portal, e-mail, registered mail, or any other method permitted by the QSA Agreement.
Modified
p. 18 → 19
• Library of published Assessor Newsletters
• Library of published Assessor Newsletters.
Modified
p. 18 → 19
• Annual CPE entry and requalification training page
• Annual CPE entry and requalification training page.
Modified
p. 18 → 19
• Primary Contact name, e-mail, and address
• Primary Contact name, e-mail, and address.
Modified
p. 18 → 19
Along with the items noted above, the Primary Contact has access to:
Modified
p. 18 → 19
• Employee CPE approval page
• Employee CPE approval page.
Modified
p. 18 → 19
• Requalification training approval page for all Assessor-Employees
• Requalification training approval page for all Assessor-Employees.
Modified
p. 18 → 19
• Insurance policies with respective expiration dates
• Insurance policies with respective expiration dates.
Modified
p. 18 → 19
• Business Regions and the expiration date for each
• Business Regions and the expiration date for each.
Modified
p. 18 → 19
• Complete list of all QSAs and respective expiration dates
• Complete list of all QSA Companies and QSA Employees and respective expiration dates.
Modified
p. 18 → 19
Each Assessor-Employee and Primary Contact is responsible for checking the Portal on a regular basis for new information and updates.
Removed
p. 19
PCI DSS Assessments are required to be conducted by a QSA Company through its QSA Employees (and assisting Associate QSA Employees, if applicable) in accordance with the PCI DSS, which contains requirements, testing procedures, and guidance to ensure that the intent of each requirement is understood. QSA Employees must work only on those PCI SSC Assessments for which the QSA Employee is properly qualified by PCI SSC, having appropriate skills, including technology and language, and having an appropriate understanding of the Customer’s/Client’s business.
Modified
p. 19 → 20
The QSA Employee (with assistance of Associate QSA Employees if applicable) document in the ROC the results of the PCI DSS Assessment, including which portions of the PCI DSS Assessment were conducted onsite. The ROC must accurately represent the assessed environment and the security controls that were tested and validated by the QSA Employee (and if applicable, assisting Associate QSA Employees).
The QSA Employee (with assistance of Associate QSA Employees, if applicable) documents in the ROC the results of the PCI DSS Assessment, including any remote assessment activity. The ROC must accurately represent the assessed environment and the security controls that were tested and validated by the QSA Employee (and if applicable, assisting Associate QSA Employees).
Modified
p. 19 → 20
The intent of requiring a signature from a “duly authorized officer” is to ensure that the QSA Company is aware of and has formally signed off on the work being done and, accordingly, recognizes its obligations and responsibilities in connection with that work. Although the signatory’s job title need not include the term “officer,” the signatory must be formally authorized by the QSA Company to sign such documents on the QSA Company’s behalf and should be competent and knowledgeable regarding …
The intent of requiring a signature from a “duly authorized officer” is to ensure that the QSA Company is aware of and has formally signed off on the work being done and, accordingly, recognizes its obligations and responsibilities in connection with that work. A “duly authorized officer” must have authority to legally bind the company for purposes of the report. Although the signatory’s job title need not include the term “officer,” the signatory must be formally authorized by the QSA …
Modified
p. 19 → 21
The QSA Company must inform the applicable Customer when an Associate QSA Employee has been assigned to work in connection with the PCI DSS Assessment of that Customer, and what parts of the PCI DSS Assessment the Associate QSA Employee will be participating in.
The QSA Company must inform the applicable Customer when an Associate QSA Employee has been assigned to work in connection with the PCI DSS Assessment of that Customer, and in which parts of the PCI DSS Assessment the Associate QSA Employee will be participating.
Modified
p. 21 → 23
A “Satisfactory” finding indicates that the audit findings reasonably confirmed (1) the QSA Company/Employee’s on-going adherence to the current QSA Qualification Requirements; (2) that the QSA Company’s quality policy documentation is implemented and maintained according to the QSA Qualification Requirements; and (3) the QSA Company/Employee’s on- going general adherence to reporting requirements as evidenced by sampled ROCs.
A “Satisfactory” finding indicates that the audit findings reasonably confirmed (1) the QSA Company/Employee’s on-going adherence to the current QSA Qualification Requirements; (2) that the QSA Company’s quality policy documentation is implemented and maintained according to the QSA Qualification Requirements; and (3) the QSA Company/Employee’s on-going general adherence to reporting requirements as evidenced by sampled ROCs.
Modified
p. 22 → 24
A “Needs Improvement” finding indicates that there were minor findings and/or opportunities for improvement identified that assessors should address to ensure continued adherence with program documentation. Still, the audit findings reasonably confirmed (1) the QSA Company/Employee’s on-going adherence to the current QSA Qualification Requirements; (2) that the QSA Company’s quality policy documentation is implemented and maintained according to the QSA Qualification Requirements; and (3) the QSA Company/Employee’s on- going general adherence to reporting requirements as evidenced by sampled ROCs.
A “Needs Improvement” finding indicates that there were minor findings and/or opportunities for improvement identified that Assessor-Employees should address to ensure continued adherence with program documentation. Still, the audit findings reasonably confirmed (1) the QSA Company/Employee’s on-going adherence to the current QSA Qualification Requirements; (2) that the QSA Company’s quality policy documentation is implemented and maintained according to the QSA Qualification Requirements; and (3) the QSA Company/Employee’s on-going general adherence to reporting requirements as evidenced by sampled ROCs.
Modified
p. 22 → 24
An “Unsatisfactory” finding indicates that there were serious findings identified during the QSA Audit, including possible Violations. This finding will result in Remediation and/or Revocation, per the current QSA Qualification Requirements. Audit findings that result in an Unsatisfactory finding mean that AQM could not confirm one or more of the following: (1) the QSA Company/Employee’s on-going adherence to the current QSA Qualification Requirements; (2) that the QSA Company’s quality policy documentation is implemented and maintained according to the QSA Qualification …
An “Unsatisfactory” finding indicates that there were serious findings identified during the QSA Audit, including possible Violations. This finding will result in Remediation and/or Revocation, per the current QSA Qualification Requirements. Audit findings that result in an Unsatisfactory finding mean that AQM could not confirm one or more of the following: (1) the QSA Company/Employee’s on-going adherence to the current QSA Qualification Requirements; (2) that the QSA Company’s quality policy documentation is implemented and maintained according to the QSA Qualification …
Modified
p. 22 → 24
In addition to reviewing the QSA Company’s Mentor Manual upon initial entry into the Associate QSA Program, AQM will perform spot audits for QSA Companies participating in the Associate QSA Program. Refer to Appendix B for information regarding criteria against which QSA Companies participating in the Associate QSA Program are measured.
In addition to reviewing the QSA Company’s Mentor Manual upon initial entry into the Associate QSA Program, AQM will perform spot audits for QSA Companies participating in the Associate QSA Program. Refer to 0 for information regarding criteria against which QSA Companies participating in the Associate QSA Program are measured.
Modified
p. 23 → 25
Any Participating Payment Brand, acquiring bank, or other person or entity may submit QSA Feedback Forms to PCI SSC to provide feedback on a PCI DSS Assessment, QSA Company, or Assessor-Employee.
Any Participating Payment Brand, acquiring bank, or other person or entity may submit QSA Feedback Forms to PCI SSC to provide feedback on a PCI DSS Assessment, QSA Company, or Assessor- Employee.
Modified
p. 24 → 26
• Failure to maintain physical, electronic or procedural safeguards to protect the confidential and sensitive information.
• Failure to maintain physical, electronic, or procedural safeguards to protect confidential and sensitive information.
Modified
p. 24 → 26
Upon notification of pending QSA Company Revocation by PCI SSC, the QSA Company or Assessor-Employee will have 30 calendar days in which to appeal in writing to PCI SSC.
Upon notification of pending QSA Company Revocation by PCI SSC, the QSA Company or Assessor- Employee will have 30 calendar days in which to appeal in writing to PCI SSC.
Modified
p. 24 → 26
Note: Revocation of QSA Company or Assessor- Employee qualification results in automatic Revocation of all other PCI SSC qualifications that require QSA Company or Assessor-Employee qualification (e.g., PA-QSA, QSA(P2PE), PFI).
Note: Revocation of QSA Company or Assessor- Employee qualification results in automatic Revocation of all other PCI SSC qualifications that require QSA Company or Assessor-Employee qualification—e.g., 3DS Core, PFI.
Modified
p. 25 → 27
• If the new company is not an active QSA Company, the Assessor-Employee’s qualification will be inactive until employed by an active QSA Company. Inactive status does not suspend or modify requalification deadlines.
Modified
p. 25 → 27
• If the Assessor-Employee moves to an active QSA Company and is to be utilized by that QSA Company as an Assessor-Employee, the Primary Contact of the new QSA Company must notify the QSA Program Manager prior to permitting the Assessor-Employee to participate in any PCI DSS Assessment. The following information must be provided to the QSA Program Manager:
Modified
p. 26 → 28
QSA Employees and AQSA Employees may opt-into the PCI Professional (PCIP) Program. Refer to the instructions and form under the PCIP Program on the Website for details regarding how to apply.
QSA Employees and AQSA Employees may opt into the PCI Professional (PCIP) Program. Refer to the instructions and form under the PCIP Program on the Website for details regarding how to apply.
Modified
p. 26 → 28
Assessor-Employees are welcome to participate in SIGs along with Participating Payment Brands, other PCI SSC Members, Participating Organizations and ASV companies subject to any applicable SIG restrictions and eligibility requirements.
Assessor-Employees are welcome to participate in SIGs along with Participating Payment Brands, other PCI SSC Members, Participating Organizations, and ASV companies subject to any applicable SIG restrictions and eligibility requirements.
Modified
p. 29 → 31
AQSA Development Documentation/Evidence Retention 1 Associate QSA Employee is able to provide the completed AQSA Engagement Summary for a sample of PCI DSS Assessments in which the Associate QSA Employee participated.
AQSA Development Documentation/Evidence Retention 1 Associate QSA Employee can provide the completed AQSA Engagement Summary for a sample of PCI DSS Assessments in which the Associate QSA Employee participated.
Modified
p. 31 → 33
This appendix represents some best practices related to Assessor quality assurance and adherence to PCI SSC requirements. Section 4.3.1 of the QSA Qualification Requirements provides high-level requirements as to what a QSA Company’s internal quality assurance should include, but intentionally leaves many of the details of the implementation to the QSA Company to define. The following sections support QSA Companies as they plan their own quality processes and evaluate implementations.
This appendix represents some best practices related to QSA Assessor quality assurance and adherence to PCI SSC requirements. Section 4.3.1 of the QSA Qualification Requirements provides high-level requirements as to what a QSA Company’s internal quality assurance should include, but intentionally leaves many of the details of the implementation to the QSA Company to define. The following sections support QSA Companies as they plan their own quality processes and evaluate implementations.
Modified
p. 31 → 33
Documented Quality Assurance Process and Manual Without limiting any other QSA Requirements, to meet QSA Program expectations, assessor- employees must understand what is expected of them and have the resources to execute all required tasks. The details specified in Section 4.3.1 of the QSA Qualification Requirements ensure that QSA Companies have a documented quality assurance process and manual that is maintained and distributed to all Assessor-Employees.
Documented Quality Assurance Process and Manual Without limiting any other QSA Requirements, to meet QSA Program expectations, Assessor- Employees must understand what is expected of them and have the resources to execute all required tasks. The details specified in Section 4.3.1 of the QSA Qualification Requirements ensure that QSA Companies have a documented quality assurance process and manual that is maintained and distributed to all Assessor-Employees.
Modified
p. 31 → 33
• The PCI SSCs requirements are a base minimum, and it is often useful and/or necessary to go beyond the stated requirements to achieve a mature process. Merely restating the verbiage from the QSA Qualification Requirements is often inadequate to educate Assessor-Employees on how to actually meet the requirements from within the organization. For example, stating that there is a requirement “for independent quality review of QSA Company and Assessor- Employee work product” without a detailed process as to how …
• The PCI SSCs requirements are a base minimum, and it is often useful and/or necessary to go beyond the stated requirements to achieve a mature process. Merely restating the verbiage from the QSA Qualification Requirements is often inadequate to educate Assessor-Employees on how to actually meet the requirements from within the organization. For example, stating that there is a requirement “for independent quality review of QSA Company and Assessor-Employee work product” without a detailed process as to how to …
Modified
p. 32 → 34
• Keep in mind that quality is not something that only happens at the end of the PCI DSS Assessment when the ROC is being finalized―quality processes should be designed to ensure quality from start-to-finish. The language from the QSA Qualification Requirements above makes general reference to scope validation, and by the time the ROC is with a QA Reviewer, it is difficult to change course. Consider a process wherein there is a checkpoint early in the engagement where a …
• Keep in mind that quality is not something that only happens at the end of the PCI DSS Assessment when the ROC is being finalized―quality processes should be designed to ensure quality from start-to-finish. The language from the QSA Qualification Requirements above makes general reference to scope validation, and by the time the ROC is with a QA Reviewer, it is difficult to change course. Consider a process wherein there is a checkpoint early in the engagement where a …
Modified
p. 33 → 35
• Review for format, spelling, and/or grammar (as
• Review for format, spelling, and/or grammar (as applicable). Use of the ROC Reporting Template is mandatory and may be personalized consistent with the most recent version of the FAQs for use with the ROC Reporting Template document. While PCI SSC does not review ROCs and AOCs for spelling or grammar, these are professional documents, and excessive or egregious typos and misspellings may raise questions about accuracy and precision of reporting. QSA Companies may have their own style guides for …
Modified
p. 33 → 35
• Does the sampling rationale make sense in the context of factors, such as sample size vs. total population? If the QSA Company has a defined a sampling method, is the sampling present in the PCI DSS Assessment consistent with that method? If the QSA Employee is performing a subsequent year’s assessment, have samples other than those from previous years’ assessments been reviewed?
• Does the sampling rationale make sense in the context of factors, such as sample size vs. total population? If the QSA Company has a defined sampling method, is the sampling present in the PCI DSS Assessment consistent with that method? If the QSA Employee is performing a subsequent year’s assessment, have samples other than those from previous years’ assessments been reviewed?
Modified
p. 33 → 36
• If the QSA Company is performing a subsequent year’s assessment for an entity, even if a different QSA Employee is used, is the reporting different from the year before? Copying and pasting content from previous years’ assessments can raise suspicions about the quality of assessment. …
• If the QSA Company is performing a subsequent year’s assessment for an entity, even if a different QSA Employee is used, is the reporting different from the year before? Copying and pasting content from previous years’ assessments can raise suspicions about the quality of assessment. Copied information may no longer be valid, thus raising concerns that a new assessment has not been fully performed.
Modified
p. 34 → 36
Evaluation and Evolution of Quality Processes Evaluation of quality processes can take several forms, and the need for change and/or evolution of existing processes may be driven by various factors. For example, the need for change may be identified in the course of implementation. Process changes may be required in communications from PCI SSC, such as the Assessor Newsletter or published FAQs. Change may be required under the QSA Company’s documented process for periodic internal review to address the requirement …
Evaluation and Evolution of Quality Processes Evaluation of quality processes can take several forms, and the need for change and/or evolution of existing processes may be driven by various factors. For example, the need for change may be identified during implementation. Process changes may be required in communications from PCI SSC, such as the Assessor Newsletter or published FAQs. Change may be required under the QSA Company’s documented process for periodic internal review to address the requirement in Section 4.3.1 …
Modified
p. 34 → 36
• What activities do QA Reviewers do to calibrate their reporting expectations to ensure that a reviews by Reviewer X and Reviewer Y will generally result in the same findings? For example, do they periodically review the same reports to compile feedback and learn from each other’s findings?
• What activities do QA Reviewers do to calibrate their reporting expectations to ensure that reviews by Reviewer X and Reviewer Y will generally result in the same findings? For example, do they periodically review the same reports to compile feedback and learn from each other’s findings?
Modified
p. 34 → 36
• Is workpaper evidence retention occurring consistently with the QSA Company’s Workpaper Retention Policy? If the client has chosen to hold their evidence, has such evidence been made accessible on-demand? As part of the requirement in QSA Quality Requirements, Section 4.3.1, regarding periodic internal checks of the QSA Company’s QA Program to monitor effectiveness, it is expected that evidence is available upon request to PCI SSC to ensure on-going compliance with the requirement.
• Is workpaper evidence retention occurring consistently with the QSA Company’s Workpaper Retention Policy? If the client has chosen to hold their evidence, has such evidence been made accessible on-demand? As part of the requirement in QSA Quality Requirements, Section 4.3.1, regarding periodic internal checks of the QSA Company’s QA Program to monitor effectiveness, it is expected that evidence is available upon request to PCI SSC to ensure on-going compliance.