Document Comparison

qsa_validation_requirements.pdf → QSA_Qualification_Requirements_v3_0.pdf
46% similar
45 → 60 Pages
16757 → 25328 Words
156 Content Changes

Content Changes

156 content changes. 94 administrative changes (dates, page numbers) hidden.

Added p. 2
February 2016, version 2.1: Updated Section 3.2.1 to clarify professional certification requirements.

December 2017, version 3.0:

• Added Associate QSA Program

• Updated requirement for QSA Employees to include two Industry Certifications

• Clarified ‘in process’ certifications
Added p. 4
When implemented properly, PCI DSS requirements provide a well-aimed defense for merchants and service providers against data exposure and compromise. As a result, assessment of merchants and service providers for compliance with PCI DSS requirements has become increasingly critical in today’s environment and is key to the success of the PCI DSS.

Independent security organizations qualified by PCI SSC to validate an entity’s adherence to PCI DSS requirements are referred to as “Qualified Security Assessor Companies” or “QSA Companies.” Validation of PCI DSS requirements by QSA Companies is important to the effectiveness of the PCI DSS; and the quality, reliability, and consistency of a QSA Company’s work provides confidence that cardholder data is adequately protected. The proficiency with which a QSA Company conducts a PCI DSS Assessment can therefore have a tremendous impact on data protection and the consistent and proper application of PCI DSS measures and controls.

This document, the QSA Qualification …
Added p. 5
PCI DSS Assessment: The onsite review of an entity by a QSA Company to determine the entity’s compliance with the PCI DSS for QSA Program purposes.

PCI SSC Assessment: With respect to a given QSA Company, any assessment performed for purposes of validating the compliance of any third party (or any third-party product, application, service or solution) with any PCI SSC standard for purposes of any PCI SSC Program.

PCI SSC Program: The QSA Program and each other program offered by PCI SSC under which qualification as a QSA Company is a prerequisite.

PCI SSC Standard: With respect to a given PCI SSC Program, the then-current version of (or successor document to) the corresponding security standards, requirements, and assessment procedures published by PCI SSC from time to time in connection with such PCI SSC Program and made available on the Website, including but not limited to any and all appendices, exhibits, schedules and …
Added p. 6
Website: The then-current PCI SSC website (and its accompanying web pages), which is currently available at www.pcisecuritystandards.org.

To qualify as a QSA Company, QSA Employee, or Associate QSA Employee (Assessor-Employees), the candidate(s) must meet or exceed all applicable QSA Requirements, and the candidate QSA Company must execute the QSA Agreement with PCI SSC. Companies that qualify are identified on the QSA List in accordance with the QSA Agreement.

The requirements provided in this document serve as a qualification baseline and provide a transparent process for QSA Company and Assessor-Employee qualification and re-qualification. QSA Companies and Assessor-Employees must adhere to all applicable requirements provided in this document and must provide all required provisions described in this document.
Added p. 6
To initiate the qualification process, the security company must sign the QSA Agreement in unmodified form and submit it to PCI SSC along with the company’s executed QSA Company Application (See Appendix C). Additionally, a QSA Employee Application (See Appendix D) must be completed for each company employee seeking QSA Employee qualification and submitted to PCI SSC.
Added p. 7
Section 5: QSA Ongoing Qualification outlines the annual re-qualification process.

Section 6: Assessor Quality Management describes PCI SSC’s assessor quality management process, including remediation and revocation.

Appendices: The appendices to the QSA Qualification Requirements include the QSA Agreement (Appendix A), insurance requirements (Appendix B), and the QSA Company (Appendix C), QSA Employee (Appendix D), and Associate QSA Employee (Appendix E) application forms.
Added p. 7
§ PCI QSA Program Guide

§ ROC Reporting Template

§ PCI SSC Code of Professional Responsibility

1.6 QSA Company Application Process

This document describes the information that must be provided to PCI SSC as part of the application and qualification process, as well as ongoing requalification requirements. Each outlined requirement is followed by the information (“Provision”) that must be submitted to document how the security company and employees meet or exceed the stated requirements.

Note: QSA Companies are authorized to perform PCI DSS Assessments and QSA-related duties only in the geographic region(s) or country(s) in which they have been qualified to perform services. Under no circumstances may QSA Companies perform PCI DSS Assessments (or act as a QSA Company in any capacity) outside of the qualified region(s). If QSA Program-related tasks must be performed outside of the qualified region it may be necessary to engage a QSA Company within that region …
Added p. 8
Note: PCI SSC reserves the right to reject any application from any applicant (company or employee) that PCI SSC determines has committed, within three (3) years prior to the application date, any conduct that may be considered a “Violation” (defined for purposes of Section 6.3 below or the QSA Agreement) if committed by a QSA Company or Assessor-Employee. The period of ineligibility will be a minimum of one (1) year, as determined by PCI SSC in a reasonable and non-discriminatory manner.
Added p. 9
§ Copy of current QSA Company (or candidate QSA Company) formation document or equivalent approved by PCI SSC (the “Business License”), including year of incorporation, and location(s) of offices (Refer to the Documents Library on the Website - Business License Requirements for more information)

§ To the extent permitted by applicable law, written statements describing all past or present allegations or convictions of any fraudulent or criminal activity involving the QSA Company, QSA Company candidate or any principal thereof, and any Assessor-Employee thereof, and the status and resolution

§ Written statements describing any past or present appeals or revocations of any qualification issued by PCI SSC to the QSA Company (or any predecessor entity or, unless prohibited by applicable law, any Assessor-Employee of any of the foregoing), and the current status and any resolution thereof

2.2 Independence

2.2.1 Requirement

The QSA Company must adhere to professional and business ethics, perform its …
Added p. 10
• Application or network firewalls

• Database or other storage solutions

• Encryption solutions

• Security audit log solutions

• File integrity monitoring solutions

• Anti-virus solutions

• Vulnerability scanning services or solutions

§ When recommending remediation actions that include one of its own solutions or products, the QSA Company must also recommend other market options that exist.

§ The QSA Company must have separation of duties controls in place to ensure Assessor-Employees conducting or assisting with PCI SSC Assessments are independent and not subject to any conflict of interest.

§ The QSA Company must not misrepresent any requirement of the PCI DSS or any other PCI SSC Standard in connection with its promotion or sales of services to its clients, or state or imply that the PCI DSS or any other PCI SSC Standard requires usage of the QSA Company's products or services.

§ The QSA Company must notify its Assessor-Employees of the independence requirements provided for …
Added p. 11
QSA Company fees include:

§ Regional qualification fees (vary by country or region)

§ Annual regional re-qualification fees for subsequent years (also vary by country or region)

§ Annual training fee for each Assessor-Employee (or candidate)

Note: All QSA Company fees are specified on the Website in the PCI SSC Programs Fee Schedule and are subject to change.

PCI SSC requires that a QSA Agreement between PCI SSC and the applicant QSA Company be signed by a duly authorized officer of the applicant QSA Company, and submitted to PCI SSC in unmodified form with the completed QSA Company application package.
Added p. 12
§ Be in Good Standing as a QSA Company;

§ Have been active as a QSA Company for at least two years;

§ Have at least one QSA Employee that qualifies as a Mentor (refer to Section 3.3.3 for Mentor requirements); and

§ Adhere to the requirements of the Mentor program. Refer to Section 3.3.3 for Mentor Requirements.

Note: A QSA Company must have at least one QSA Employee at all times. If a QSA Company has only Associate QSAs, contact the QSA Program Manager immediately via e-mail.

• The total number of employees on staff and the number of those performing security assessments

§ Brief description of other core business offerings
Added p. 13
§ Pass background checks required per Section 4.2.

§ Possess sufficient information security knowledge and experience to conduct technically complex security assessments.

§ Possess a minimum of one year of experience in each of the following information security disciplines (experience may be acquired concurrently, for example, if the role involved experience in multiple disciplines at the same time):

• Application security

• Information systems security

• Network security

§ Possess a minimum of one year of experience in each of the following audit/assessment disciplines (experience may be acquired concurrently, for example, if the role involved experience in multiple disciplines at the same time):

• IT security auditing

• Information security risk assessment or risk management
Added p. 14
List A

• Information Security

• (ISC)2 Certified Information System Security Professional (CISSP)

• ISACA Certified Information Security Manager (CISM)

• Certified ISO 27001 Lead Implementer 1

Note: The requirement to possess at least one industry-recognized certification from each list is effective as of January 1, 2019 for new QSA Employees.

For QSA Employees qualified and added to the search tool prior to January 1, 2019, this requirement is effective July 1, 2019 (for example, upon annual requalification after June 30, 2019).

“In process” certifications, where the certification number has not yet been issued, do not meet the requirement.

• ISACA Certified Information Systems Auditor (CISA)

• GIAC Systems and Network Auditor (GSNA)

• Certified ISO 27001, Lead Auditor, Internal Auditor 1

• IRCA ISMS Auditor or higher (e.g., Auditor/Lead Auditor, Principal Auditor)

Note: “Provisional” auditor designations do not meet the requirement.

• IIA Certified Internal Auditor (CIA)

§ Possess knowledge about the PCI DSS and all applicable documents on the PCI SSC …
Added p. 14
To find out if your country has an accreditation body, visit the International Accreditation Forum (IAF) website at www.iaf.nu and use the IAF MLA signatories list to identify an accreditation body in your country or region.

To find a certification body, visit the International Organization for Standardization certification information page; the section titled “Choosing a certification body” will explain how to find a certification body. Verification of company's certification should be addressed to the certification organization in question. You may also wish to contact the ISO member in your country or the country concerned, as they may have a national database of certified companies.
Added p. 15
§ Pass background checks required per Section 4.2.

§ Adhere to the PCI SSC Code of Professional Responsibility.

If a QSA Company wishes to hire another company that is not an active QSA Company to perform any portion of the QSA Company services, such hiring is considered to be subcontracting and requires prior written consent by PCI SSC for each subcontracted worker. The QSA Company must also provide to PCI SSC proof-of-coverage statements covering all such subcontractors to demonstrate that insurance satisfying applicable insurance coverage requirements (see Appendix B) has been purchased and is maintained for all such subcontractors.
Added p. 15
§ A record of working experience and responsibilities outlined in Section 3.2.1 above, by completing and submitting Appendix D for each candidate QSA Employee; and

§ Résumé or Curriculum Vitae (CV) of each candidate QSA Employee.
Added p. 15
§ Possess a university or college diploma OR possess a minimum of two years’ experience in an Information Security or IT-related field.

§ Attend annual QSA Employee training provided by PCI SSC, and legitimately pass, of his or her own accord without any unauthorized assistance, all examinations conducted as part of training. If an Associate QSA Employee fails to pass any exam in connection with such training, the Associate QSA Employee must no longer assist on any PCI SSC Assessment until successfully passing the exam.

§ Be an employee of the QSA Company (meaning this work cannot be subcontracted to non-employees)
Added p. 16
The following must be provided to PCI SSC for each individual to be considered for qualification as an Associate QSA Employee:

§ A record of educational accomplishments and/or working experience and responsibilities outlined in Section 3.3.1 above, by completing and submitting Appendix E for each candidate Associate QSA Employee; and

§ Résumé or Curriculum Vitae (CV) of each candidate Associate QSA Employee, describing the requirements above, with respective dates.
Added p. 16
§ The Mentor must be a QSA Employee who has been certified for at least three years and has led at least three PCI DSS assessments resulting in ROCs in the last three years for three different clients.

§ A Mentor must have no more than three Associate QSA Employees assigned to them at one time.

§ The QSA Company will maintain a Mentor Manual that will clearly document the responsibilities of Mentors based on applicable PCI SSC Mentor requirements, including those set forth herein and in the QSA Program Guide.

Note: If a Mentor withdraws from the QSA Company’s Mentor program, affected Associate QSAs must be reassigned to another Mentor within 90 days. Notify the QSA Program Manager via e-mail if Associate QSAs cannot be reassigned within 90 days.

The QSA Company applying to join the Associate QSA program must provide a copy of its Mentor Manual for review by PCI SSC. Details …
Added p. 17
PCI SSC has adopted a Code of Professional Responsibility (the “Code”) to help ensure that QSA Companies and Assessor-Employees adhere to high standards of ethical and professional conduct. All QSA Companies and Assessor-Employees must advocate, adhere to, and support the Code (available on the Website).
Added p. 18
§ Job title

§ Phone number

§ Fax number

§ E-mail address

4.2 Background Checks

4.2.1 Requirement

Each QSA Company must perform background checks that satisfy the provisions described below (to the extent legally permitted within the applicable jurisdiction) with respect to each applicant Assessor-Employee.

Minor offenses (for example, misdemeanors or non-US equivalents) are allowed; but major offenses (for example, felonies or non-US equivalents) automatically disqualify a candidate from qualifying as an Assessor-Employee. Upon request, each QSA Company must provide to PCI SSC the background check history for each Assessor-Employee (or candidate Assessor-Employee), to the extent legally permitted within the applicable jurisdiction.

Note: PCI SSC reserves the right to decline or reject any application or applicant Assessor-Employee.
Added p. 18
§ Attestation that its policies and hiring procedures include performing background checks: Examples of background checks include previous employment history, criminal record, credit history, and reference checks.
Added p. 19
• Verification of aliases (when applicable)

• Comprehensive country and (if applicable) state level review of records of any criminal activity such as felony (or non-US equivalent) convictions or outstanding warrants, within the past five years minimum

• Annual background checks consistent with this section for each of its Assessor-Employees for any change in criminal records, arrests or convictions

4.3 Internal Quality Assurance

4.3.1 Requirement

§ The QSA Company must adhere to all QSA Program quality assurance requirements described in this document or otherwise established by PCI SSC from time to time.

§ The QSA Company must maintain and adhere to a documented quality assurance process and manual, which includes all of the following:

• List of PCI SSC Programs in which the QSA Company participates

• A resource planning policy and process for PCI DSS Assessments which includes: onboarding requirements for Assessor-Employees, résumés and current skill sets for Assessor-Employees, and a process for …
Added p. 20
• Distribution and availability of the QA manual

• Evidence of annual review by the QA manual process owner

• Coverage of all activities relevant to the particular PCI SSC Program, and references to the corresponding PCI SSC Qualification Requirements for that program, and to other applicable PCI SSC Program documentation for information concerning other PCI SSC Program-specific requirements

• Requirement for all Assessor-Employees to regularly monitor the Website for updates, guidance and new publications relating to the QSA Program

§ The QSA Company must have qualified personnel (independent of the assessing and/or authoring QSA Employee) conduct a quality assurance review of assessment procedures performed, supporting documentation workpapers retained in accordance with QSA Company’s Workpaper Retention Policy, information documented in the ROC related to the appropriate selection of system components, sampling procedures, compensating controls, remediation recommendations, proper use of payment definitions, consistent findings, and thorough documentation of results.

§ The QSA Company must inform …
Added p. 21
§ Physical, electronic, and procedural safeguards including:

• Systems storing customer data do not reside on Internet accessible systems

• Strong encryption of customer data on portable devices such as laptops and removable media

§ A blank copy of the QSA Company’s confidentiality agreement(s) that each Assessor-Employee is required to sign

4.5 Evidence (Assessment Workpaper) Retention

4.5.1 Requirement

§ Assessment Results and Related Materials (defined in the QSA Agreement), including but not limited to PCI SSC Assessment workpapers and related materials, represent the evidence generated and/or gathered by a QSA Company to support the contents of each ROC or assessment report. Retention of Assessment Results and Related Materials is required and the Assessment Results and Related Materials relating to a given PCI SSC Assessment should represent all steps of the PCI SSC Assessment from end-to-end. Such Assessment Results and Related Materials may include screen captures, config files, interview notes, and a …
Added p. 22
§ A requirement that Assessment Results and Related Materials must be retained for at least three (3) years and must include all digital and hard copy evidence created and/or obtained by or on behalf of the QSA Company during each PCI SSC Assessment, including but not limited to: documentation reviewed (policies, processes, procedures, network and dataflow diagrams), case logs, meeting agendas and notes, evidence of onsite and offsite activities (including interview notes), screenshots, config files, results of any tests performed, and any other relevant information created and/or obtained.

§ Requirements ensuring that the QSA Company has confirmed that all Assessment Results and Related Materials relating to a given PCI SSC Assessment has in fact been retained in accordance with the procedures defined in the Workpaper Retention Policy, prior to releasing the final ROC or assessment report for that PCI SSC Assessment.

§ All Assessment Results and Related Materials must be made available to …
Added p. 22
The customer notification must be documented and retained in accordance with the QSA Company’s evidence-retention policy, along with a summary of the Incident and what actions
Added p. 23
No QSA Company or Assessor-Employee shall take any action after an Incident that is reasonably likely to diminish the integrity of, or otherwise interfere with or negatively affect the ability of a PFI to perform, any PFI Investigation (see the PCI Forensic Investigator (PFI) Program Guide for additional details).

Failure to provide such written notification to the customer or otherwise comply with any of the above (or any other) QSA Qualification Requirements constitutes a “Violation” (see Section 6.3 below) and may result in remediation, revocation, and/or termination of the QSA Agreement.
Added p. 23
§ Instructions and procedures for notifying customers of Incidents discovered during or in connection with the performance of any PCI SSC Assessment or other QSA Program-related services, and documenting those Incidents and related information in accordance with Section 4.6.1.

§ Retention requirement for all incident-related documentation, notices, and reports, with the same protections as those noted for work-paper retention in the QSA Company’s evidence-retention policy and procedures.
Added p. 24
Once an individual has met applicable QSA Requirements, PCI SSC will add the Assessor-Employee to the applicable Assessor-Employee search tool on the Website.

Only those QSA Companies and Assessor-Employees on the QSA List or in such search tool (as applicable) are recognized by PCI SSC to perform or support PCI DSS Assessments.

If, at any time, a QSA Company and/or Assessor-Employee does not meet the applicable QSA Requirements (including without limitation, payment or documentation requirements), PCI SSC reserves the right to immediately remove the QSA Company and/or Assessor-Employee from the respective list(s) or tool(s) on the Website, regardless of Remediation or Revocation. PCI SSC will notify the QSA Company of the removal in accordance with the QSA Agreement, typically via registered or overnight mail and/or e-mail. Refer to Sections 6.2 and 6.3 below for additional information relating to Remediation and Revocation.
Added p. 24
Additionally, each Assessor-Employee must be re-qualified by PCI SSC on an annual basis. The annual re-qualification date is based upon the Assessor-Employee’s previous qualification date. Re-qualification requires proof of CPEs as noted in Section 5.2.2, proof of training successfully completed, payment of annual training and re-qualification fees, and continued compliance with applicable QSA Requirements.

Negative feedback from QSA Company clients (merchants, service providers, etc.), PCI SSC, Participating Payment Brands, or others may impact QSA Company and/or Assessor-Employee eligibility for re-qualification.
Added p. 25
QSA Companies

§ Payment of annual fee for each region qualified

Note: PCI SSC may from time to time request that QSA Companies and/or Assessor-Employees submit additional information or materials in order to demonstrate adherence to applicable requirements or as part of the applicable qualification or re-qualification process.

QSA Employees

§ Proof of information systems audit training within the last 12 months in accordance with the current version of the PCI SSC CPE Maintenance Guide

§ Maintaining professional certification(s) as required per Section 3.2, “QSA Employee - Skills and Experience.” PCI SSC reserves the right to request proof of current professional certifications at any time

§ Payment of annual re-qualification fees in accordance with the Website - PCI SSC Programs Fee Schedule

Associate QSA Employees

§ Proof of information-systems audit training within the last 12 months in accordance with the current version of the PCI SSC CPE Maintenance Guide

§ Payment of annual re-qualification …
Added p. 26
Once selected for audit by AQM, the QSA Company will be notified, typically via PCI SSC’s secure assessor web portal for the QSA Program (the “Portal”). The notification will specify the Assessment Results and Related Materials the QSA Company is expected to provide over the course of the audit, which may include but is not limited to internal QA manuals, documented processes such as the Workpaper Retention Policy, ROCs redacted in accordance with PCI SSC policy, and workpapers.

The AQM team will review the ROCs, supporting documentation and the QSA Company’s internal QA manual to determine whether the organization’s internal QA processes are sufficiently documented in line with the above requirements and that they are being followed.
Added p. 26
At the time of notification that the QSA Company qualifies for Remediation, AQM will provide the QSA Company with information on the requirements and procedures of the Remediation process and what it entails. Once AQM has gained sufficient assurance of quality improvement and the requirements of the Remediation Agreement have been fulfilled, Remediation ends, and the QSA Company’s listing on the Website returns to “In Good Standing” in black text. QSA Companies that fail to satisfy Remediation requirements may be revoked, and QSA Companies electing not to participate in Remediation when eligible will be revoked.

Note: The Remediation Statement on the Website affirms the Council’s position on Remediation, and any external queries about a QSA Company’s status will be directed to the QSA Company in question.
Added p. 27
§ Failure to meet applicable PCI SSC Program quality standards or comply with applicable QSA Requirements

§ Failure to pay applicable PCI SSC Program fees

§ Failure to meet applicable PCI SSC Program training requirements (annual or otherwise)

§ Failure to meet applicable PCI SSC Program continuing education requirements

§ Failure to provide quality services, based on customer feedback or evaluation by PCI SSC or its affiliates

§ Failure to maintain applicable PCI SSC Program insurance requirements

§ Failure to comply with or validate compliance in accordance with applicable Program Qualification Requirements (defined in the QSA Agreement), PCI SSC Standards or program guides, or the terms of the QSA Agreement or supplements or addenda thereto

§ Failure to maintain physical, electronic, or procedural safeguards to protect confidential or sensitive information

§ Failure to report unauthorized access to any system storing confidential or sensitive information

§ Engaging in unprofessional or unethical …
Added p. 28
If the decision is made to revoke any PCI SSC Program qualification (including but not limited to QSA Company and/or Assessor-Employee qualification), notification will be provided in accordance with the QSA Agreement and will include information regarding the appeal process.

Appeals must be submitted within 30 days from the date of the notification to the QSA Program Manager by postal mail to the following address (e-mail submissions will not be accepted):

PCI SSC
401 Edgewater Place, Suite 600
Wakefield, MA 01880, USA

In connection with revocation, the following will occur:

§ The QSA Company and/or Assessor-Employee (as applicable) name will be removed from the relevant QSA List and/or search tool (as applicable).

§ PCI SSC may notify third parties.

§ A company and/or individual (as applicable) the Qualification of which has been revoked can reapply after 180 days; provided however, that (i) if revoked in connection with Remediation, an election not to participate in Remediation …
Added p. 29
Regions Applying For (see the Website - PCI SSC Programs Fee Schedule):

Language(s) to be displayed on Listing:

Applicant QSA Company Officer Applicant Officer Name: Job Title:
Added p. 30
QSA acknowledges that data security practices exist within a rapidly changing environment and agrees to monitor the Website at least weekly for changes to the PCI DSS, other applicable PCI SSC Standards, QSA Qualification Requirements and other applicable Program Qualification Requirements (defined in Section A.3.4 below). QSA will incorporate all such changes into all PCI SSC Assessments initiated on or after the effective date of such changes. QSA acknowledges and agrees that any ROC or other required report regarding a PCI SSC Assessment that is not conducted in accordance with the applicable PCI SSC Standard(s) as in effect at the initiation date of such PCI SSC Assessment may be rejected.
Added p. 31
A.3.3 QSA Service Staffing

QSA shall ensure that a QSA Employee that is fully qualified in accordance with all applicable provisions of the relevant Program Qualification Requirements supervises all aspects of each engagement to perform Services, including without limitation, being present onsite for the duration of each PCI SSC Assessment, reviewing the work product that supports QSA's PCI SSC Assessment procedures, and ensuring adherence to the applicable Program Qualification Requirements and PCI SSC Standards. Employees performing the following tasks must also be qualified as QSA Employees: scoping decisions, selection of systems and system components where sampling is employed (in accordance with the PCI DSS), evaluation of compensating controls and/or final report production and/or review. QSA hereby designates the individual identified as the “Primary Contact” in Section A.2 above as QSA’s primary point of contact and “Primary Contact” for purposes of the QSA Program, this Agreement and, unless otherwise specified in …
Added p. 32
QSA agrees to pay all applicable fees imposed by PCI SSC in connection with QSA’s and its Assessor-Employees’ participation in each PCI SSC Program in which QSA is a participant (collectively, "Fees"), in each case as and in the manner provided for in the applicable Program Qualification Requirements, the PCI SSC Programs Fee Schedule on the Website and/or the other applicable PCI SSC Program documentation. Such Fees may include, without limitation, initial processing fees, regional qualification fees, regional re-qualification fees, training fees, fees in connection with quality assurance and/or remediation, fees to cover administrative costs, re-listing, penalties and other costs, and other fees. QSA agrees to pay all such Fees as and when required by PCI SSC and that all Fees are nonrefundable (regardless of whether QSA's application is approved, QSA has been removed from the QSA List, this Agreement or any Addendum hereto has been terminated, or otherwise).

QSA …
Added p. 33
(b) In advertising or promoting its Services, so long as QSA is in Good Standing as a QSA Company, and if applicable, in Good Standing with respect to any other PCI SSC Program, QSA may make reference to the fact that QSA is listed in the relevant QSA List, provided that it may do so only during such times as QSA actually appears in such QSA List.

(c) Except as expressly authorized herein, QSA shall not use any PCI SSC trademark, service mark, certification mark, logo or other indicator of origin or source (each a “Mark”) without the prior written consent of PCI SSC in each instance. Without limitation of the foregoing, absent the prior written consent of PCI SSC in each instance and except as otherwise expressly authorized herein, QSA shall have no authority to make, and consequently shall not make, any statement that would constitute any implied or express …
Added p. 34
A.5.2 Uses of QSA Name and Designated Marks QSA grants PCI SSC and each Participating Payment Brand the right to use QSA's name and trademarks, as designated in writing by QSA, to list QSA on the relevant QSA List and to include reference to QSA in publications to Financial Institutions, Issuers, Merchants, Acquirers, Processors, and the public regarding applicable PCI SSC Programs. Neither PCI SSC nor any Participating Payment Brand shall be required to include any such reference in any materials or publicity regarding any PCI SSC Program. QSA warrants and represents that it has authority to grant to PCI SSC and its Participating Payment Brands the right to use its name and designated marks as contemplated by this Agreement.

A.5.4 Intellectual Property Rights

(a) All Intellectual Property Rights, title and interest in and the PCI SSC Programs, the PCI DSS and all other PCI Materials, all materials QSA receives from …
Added p. 37
A.6.4 Personal Information

In the event that QSA receives Personal Information from PCI SSC or any Member or QSA Company client in the course of providing Services or otherwise in connection with this Agreement, in addition to the obligations set forth elsewhere in this Agreement, QSA will at all times during the Term (as defined in Section A.9.1) maintain such data protection handling practices as may be required by PCI SSC from time to time, including without limitation, as a minimum, physical, electronic and procedural safeguards designed: (i) to maintain the security and confidentiality of such Personal Information (including, without limitation, encrypting such Personal Information in accordance with applicable Participating Payment Brand guidelines, if any); (ii) to protect against any anticipated threats or hazards to the security or integrity of such information; and (iii) to protect against unauthorized access to or use of such information that could result in substantial …
Added p. 39
(b) PCI SSC MAKES NO REPRESENTATION OR WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH RESPECT TO THE SUBJECT MATTER OF THIS AGREEMENT, INCLUDING WITHOUT LIMITATION, ANY PCI SSC PROGRAM, THE PCI MATERIALS OR ANY MATERIALS OR SERVICES PROVIDED UNDER OR IN CONNECTION WITH THIS AGREEMENT OR ANY PCI SSC PROGRAM. PCI SSC SPECIFICALLY DISCLAIMS, AND QSA EXPRESSLY WAIVES, ALL REPRESENTATIONS AND WARRANTIES WITH RESPECT TO THIS AGREEMENT, EACH PCI SSC PROGRAM, THE PCI MATERIALS, ANY MATERIALS OR SERVICES PROVIDED UNDER OR IN CONNECTION WITH THIS AGREEMENT OR ANY PCI SSC PROGRAM, OR OTHERWISE, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. WITHOUT LIMITATION OF THE FOREGOING, PCI SSC SPECIFICALLY DISCLAIMS, AND QSA EXPRESSLY WAIVES, ALL REPRESENTATIONS AND WARRANTIES WITH RESPECT TO THE PCI MATERIALS AND ANY INTELLECTUAL PROPERTY RIGHTS SUBSISTING THEREIN OR IN ANY PART THEREOF, INCLUDING BUT NOT LIMITED TO …
Added p. 40
A.8 Independence; Representations and Warranties

QSA agrees to comply with all applicable Program Qualification Requirements, including without limitation, all requirements and provisions regarding independence, and hereby warrants and represents that QSA is now, and shall at all times during the Term, remain in compliance with all such Program Qualification Requirements. QSA represents and warrants that by entering into this Agreement it will not breach any obligation to any third party. QSA represents and warrants that it will comply with all applicable laws, ordinances, rules, and regulations in any way pertaining to this Agreement or its performance of the Services or its obligations under this Agreement.
Added p. 41
A.9.2 Termination by QSA

QSA may terminate this Agreement or any Addendum at any time upon thirty (30) days’ written notice to PCI SSC. Notwithstanding Section A.10.1 below, any notice or other written communication (including by electronic mail) from QSA pursuant to which or to the effect that QSA requests, notifies, elects, opts, chooses, decides or otherwise indicates its desire to cease participation in any PCI SSC Program, be removed from any QSA List or terminate this Agreement or any Addendum shall be deemed to constitute notice of termination of this Agreement or the corresponding Addendum (as applicable), and the corresponding Qualification(s), by QSA pursuant to this Section, and thereafter, notwithstanding the thirty (30) day notice period provided for in the preceding sentence and without any further action by QSA, PCI SSC may immediately remove QSA from the applicable QSA List(s) and may terminate this Agreement or applicable Addendum effective …
Added p. 42
A.9.5 Revocation

(a) Without limiting the rights of PCI SSC as set forth elsewhere in this Agreement, in the event that PCI SSC determines in its sole but reasonable discretion that QSA meets any condition for revocation of any Qualification as established by PCI SSC from time to time with respect to any PCI SSC Program (satisfaction of any such condition, a “Violation”), including without limitation, any of the conditions identified as or described as examples of Violations herein or in any applicable Program Qualification Requirements or Addendum, PCI SSC may, effective immediately upon notice of such Violation to QSA, revoke such Qualification from QSA (“Revocation”), and such revoked Qualification shall be subject to reinstatement pending a successful appeal in accordance with Section A.9.5(b) below and the applicable terms (if any) of the corresponding Addendum and PCI SSC policies and procedures.
Added p. 43
(c) All Revocation appeal proceedings will be conducted in accordance with such procedures as PCI SSC may establish from time to time for the applicable PCI SSC Program, PCI SSC will review all relevant evidence submitted by QSA and each complainant (if any) in connection therewith, and PCI SSC shall determine whether termination of any Qualification provided to QSA by PCI SSC (including without limitation, Qualification as a QSA Company) is warranted or, in the alternative, no action, or specified remedial actions shall be required. All determinations of PCI SSC regarding Revocation and any related termination or appeals shall be final and binding upon QSA. If PCI SSC determines that termination is warranted, then effective immediately and automatically upon such determination, such Qualification and this Agreement and/or the applicable Addendum shall terminate. If PCI SSC determines that such termination is not warranted, the Revocation shall be lifted, the applicable Qualification …
Added p. 44
(b) Notwithstanding anything to the contrary in Section A.6 of this Agreement, in order to assist in ensuring the reliability and accuracy of QSA's PCI SSC Assessments, QSA hereby agrees to comply with all quality assurance procedures and requirements established or imposed by PCI SSC from time to time in connection with each PCI SSC Program in which QSA is a participant (including but not limited to conditions and requirements imposed in connection with remediation, revocation or any other Qualification status) and that, within 15 days of any written request by PCI SSC, QSA hereby agrees to provide to PCI SSC such Assessment Results and Related Materials (defined below) as PCI SSC may reasonably request with respect to any QSA Company client for which QSA has performed a PCI SSC Assessment. Each agreement between QSA and each of its QSA Company clients (each a “Client Agreement”) shall include such provisions …
Added p. 45
A.10.4 Entire Agreement; Modification; Waivers

The parties agree that this Agreement, including the QSA Qualification Requirements and any other documents, addenda, supplements, amendments, appendices, exhibits, schedules or other materials incorporated herein by reference (each of which is hereby incorporated into and made a part of this Agreement by this reference), is the exclusive statement of the agreement between the parties with respect to the subject matter hereof, which supersedes and merges all prior proposals, understandings and all other agreements, oral or written, between the parties with respect to such subject matter (including without limitation, if applicable, each prior Qualified Security Assessor (QSA) Agreement between QSA and PCI SSC). This Agreement may be
Added p. 46
A.10.9 Conflict

In the event of any express conflict or inconsistency between the terms and provisions of this Agreement and terms and provisions of the QSA Qualification Requirements, this Agreement shall control. In the event of any express conflict or inconsistency between the terms and provisions of this Agreement and the terms and provisions of any Addendum or the Program Qualification Requirements or policies of PCI SSC with respect to any Related PCI SSC Program in which QSA is a then participant, the conflicting or inconsistent terms and provisions of such Addendum, Program Qualification Requirements or policy shall control, but only to the extent necessary to resolve such conflict or inconsistency with respect to QSA's participation in such Related PCI SSC Program. Any and all disputes or disagreements regarding any such conflict or inconsistency shall be resolved by PCI SSC in its sole but reasonable discretion, and all determinations of …
Added p. 48
• COMMERCIAL AUTOMOBILE INSURANCE including owned, leased, hired, or non-owned autos subject to minimum limits of $1,000,000 per accident

• CRIME/FIDELITY BOND including first-party employee dishonesty, robbery, fraud, theft, forgery, alteration, mysterious disappearance and destruction. Coverage must also include third-party employee dishonesty, i.e., coverage for claims made by the QSA Company’s client against the QSA Company for theft committed by the QSA Company’s employees. The minimum limit shall be $1,000,000 each loss and annual aggregate. The policy Coverage Territory must include the entire Region(s) in which the QSA Company is qualified to operate.
Added p. 50
Applicant QSA Company (the “Company”) Information

Section 1

Company Name:

Primary Contact Name: Job Title:
Added p. 50
QA Contact Name: Job Title:

Secondary Contact Name: Job Title:

The Company acknowledges and agrees that in order to participate as a QSA Company in the QSA Program, it must satisfy all of the requirements specified in the QSA Qualification Requirements and supporting documents.

QSA Company Business Requirements

Section 2

The Company acknowledges the minimum business requirements and related information that must be provided to PCI SSC regarding the Company’s business legitimacy, independence, and required insurance coverage pursuant to Section 2 of the QSA Qualification Requirements, and agrees to comply with such requirements.

Business Legitimacy

2.1.2 Provisions

The Company certifies that it is a legal entity.

The Company certifies that it is providing to PCI SSC herewith a copy of its current formation document or equivalent (the “Business License”). (Refer to the Documents Library on the Website, Business License Requirements, for more information.)

Year of incorporation/formation of Company:

Location(s) of Company offices:

Describe any past or …
Added p. 51
The Company hereby certifies that it has a code-of-conduct policy, and agrees to provide that policy to PCI SSC upon request.

The Company hereby agrees to adhere to all independence requirements as established by PCI SSC, including without limitation, all items listed in Section 2.2.1 of the QSA Qualification Requirements.

Below or attached hereto are (a) a description of the Company’s practices for maintaining and assuring assessor independence, including but not limited to, the Company’s practices, organizational structures, separation of duties, rules, and employee education in place to prevent conflicts of interest, and (b) copies of all written Company policies relating to any of the foregoing.

• Agrees to maintain and adhere to professional and business ethics, perform its duties with objectivity, and limit sources of influence that might compromise its independent judgment in performing PCI SSC Assessments.

• Agrees to maintain and adhere to a code-of-conduct policy, and provide the policy to PCI …
Added p. 52
The Company hereby acknowledges and agrees to adhere to all requirements for insurance coverage required by PCI SSC, including without limitation the requirements in Appendix B, “Insurance Coverage,” which includes details of required insurance coverage.

The Company hereby certifies to PCI SSC that, along with this application, the Company is providing to PCI SSC a proof-of-coverage statement demonstrating that its insurance coverage matches locally set insurance coverage requirements.

The Company hereby agrees not to subcontract or assign any portion of the QSA services without first (a) obtaining the prior written consent of PCI SSC (see Section 3.2.1) and (b) providing to PCI SSC proof-of-coverage statements covering all such subcontractors and demonstrating that such insurance satisfies all applicable PCI SSC insurance coverage requirements (see Appendix B).

A copy of the Company’s bound insurance coverage is attached to this application.

Fees

2.4.1 Requirements

The Company acknowledges that it will be charged an application processing fee, …
Added p. 53
Engagement 2 (if applicable): Years: Months:

Engagement 3 (if applicable): Years: Months:

Specialization and Company Details

Immediately below is a description of the Company’s relevant areas of specialization within information security (for example, network security, database and application security, and incident response), demonstrating at least one area of specialization:

Total number of Company employees on staff:

The number of QSA Employees expected to perform PCI DSS Assessments:

Note: Associate QSA Employees are not QSA Employees and therefore should not be included.

Describe any additional evidence of a dedicated security practice within the Company:

Describe other core business offerings:

Describe the size and types of market segments in which the applicant QSA Company tends to focus, such as Fortune 500, financial industry, insurance industry, or small-to-medium sized businesses:

Languages supported by the applicant QSA Company:

Provide two client references from security engagements within the last 12 months:

Client: From (date): To (date):

Client: From (date): To (date):

Contact name: Job title:

Contact name: Job title:

Contact …
Added p. 54
Background Checks

4.2.2 Provisions

The Company agrees that its policies and hiring procedures must include performing background checks and satisfying the provisions in Section 4.2.2 (to the extent legally permitted within the applicable jurisdiction) when hiring each applicant Assessor-Employee.

The Company hereby attests that its policies and hiring procedures include performing background checks in full accordance with Section 4.2.

The Company hereby attests that it successfully completes background checks for each candidate Assessor-Employee in accordance with the provisions of Section 4.2.2.

Below is a summary description of the Company’s personnel background check policies:

The Company’s personnel background check policies and procedures include the following (to the extent legally permitted within the applicable jurisdiction):

• Verification of aliases (when applicable)

• Reviewing records of any criminal activity, such as felony (or non-US equivalent) convictions or outstanding warrants

• Annually review records of any criminal activity, such as felony (or non-US equivalent) convictions or outstanding warrants

• Minor offenses (for example, …
Added p. 55
At all times maintain and adhere to the internal quality assurance requirements as described in Section 4.3.1 of the QSA Qualification Requirements.

Provide to PCI SSC, upon request and from time to time, a complete copy of the Company’s quality assurance manual, in accordance with the QSA Qualification Requirements and supporting documentation.

Permit PCI SSC, upon request from time to time, to conduct audits of the Company and/or to conduct site visits.

Inform each Company PCI SSC Assessment client of the QSA Feedback Form (available on the Website), upon commencement of the PCI DSS Assessment for that client.

Conduct all PCI DSS Assessments on-site at the applicable client’s facilities.

Protection of Confidential and Sensitive Information

4.4.2 Provisions

The Company currently has and agrees to adhere to a documented process for protection of confidential and sensitive information, which includes adequate physical, electronic, and procedural safeguards consistent with industry-accepted practices to protect confidential and sensitive information against …
Added p. 56
(a) Represents and certifies to PCI SSC that (s)he is an officer of the Company and is duly authorized to legally bind the Company to the terms of this QSA Company Application; and (b) Both individually and by and on behalf of the Company: (i) represents and certifies that the information provided in this QSA Company Application is true, correct, and complete; and (ii) acknowledges, accepts, agrees to, and makes the attestations and certifications set forth in (as the case may be) each of the statements checked (or otherwise marked) in this QSA Company Application above.

Legal Name of Applicant QSA Company Officer: Title:

Duly authorized officer signature: Date:
Added p. 57
Company Information

Company Name:

Candidate Information

Name: Job Title:

QSA Employee Skills, Experience and Education

Provide examples of the Candidate’s work and/or description of experience in the following areas of expertise (requires at least one year in each area):

Examples of work and/or description of experience in network security (for example, administration of firewalls, intrusion prevention systems, etc.):

From (date): To (date): Total time: Years Months

Examples of work and/or description of experience in application security:

From (date): To (date): Total time: Years Months

Examples of work and/or description of experience in systems integration and security:

From (date): To (date): Total time: Years Months

Examples of work and/or description of experience in auditing information systems and processes:

From (date): To (date): Total time: Years Months

Examples of work and/or description of experience in information security risk assessment or risk management:

From (date): To (date): Total time: Years Months
Added p. 58
(ISC)2 CISSP Certification number: Expiry date:

ISACA CISM Certification number: Expiry date:

ISACA CISA Certification number: Expiry date:

SANS GIAC/GSNA Certification number: Expiry date:

IRCA Auditor Certification number: Expiry date:

IIA CIA Certification number: Expiry date:

ISO 27001, Lead Auditor/Implementer, Internal Auditor Certification number:

Accredited certification body:

NOTE: “In process” certifications, where the certification number has not yet been issued, do not meet the requirement.

By signing below, I hereby acknowledge and agree that:

(a) The information provided above is true, accurate and complete; (b) I have read and understand the QSA Qualification Requirements and will comply with the terms thereof; and (c) I have read and understand the PCI SSC Code of Professional Responsibility, and will advocate, continuously adhere to and support the terms and provisions thereof.

Candidate signature: Date:
Added p. 59
Company Information

Company Name:

Candidate Information

Name: Job Title:

From (date): To (date): Total time: Years Months

Associate QSA Employee Skills, Experience and Education

Provide a description and examples of the Candidate’s education and/or experience in the following areas of expertise (requires a degree/diploma or at least 2 years of experience):

Description of education related to information security:

From (date): To (date): Total time: Years Months

Description of education related to information technology:

From (date): To (date): Total time: Years Months

Examples of work and/or description of experience in information security:

From (date): To (date): Total time: Years Months

Examples of work and/or description of experience in information technology:
Added p. 60
(a) The information provided above is true, accurate and complete; (b) I have read and understand the QSA Qualification Requirements and will comply with the terms thereof; and (c) I have read and understand the PCI SSC Code of Professional Responsibility, and will advocate, continuously adhere to and support the terms and provisions thereof.

Candidate signature: Date:

(a) The QSA Company sponsoring this Candidate is in Good Standing with the PCI Council and has been a QSA Company for at least 2 years.

(b) I have reviewed the Mentor requirements in the QSA Program Guide and have the required resources to support this candidate in their development with a Mentor.

Primary Contact

Primary Contact signature: Date:

Candidate Associate QSA Employee Application Acknowledgement

By signing below, I hereby acknowledge and agree that:
Modified p. 1
Payment Card Industry (PCI) Data Security Standard Validation Requirements For Qualified Security Assessors (QSA) Version 1.2
Payment Card Industry (PCI) Data Security Standard Qualification Requirements For Qualified Security Assessors (QSA) Version 3.0
Removed p. 4
Key to the success of the PCI DSS is merchant and service provider compliance. When implemented appropriately, PCI DSS requirements provide a well-aimed defense against data exposure and compromise. As a result, on-site PCI DSS assessments performed by Qualified Security Assessors (“Assessments”) have become increasingly critical in today’s environment. The proficiency with which a QSA conducts an Assessment can have a tremendous impact on the consistent and proper application of PCI measures and controls. The current version of these Payment Card Industry (PCI) Data Security Standard Validation Requirements for Qualified Security Assessors (the “QSA Validation Requirements”), as available through the Website, describes the necessary qualifications a QSA must have to be recognized by the PCI SSC to perform Assessments.

Members of the payment card industry also adopted the Payment Application Data Security Standard (the "PA-DSS"), a set of requirements derived from and closely related to the PCI DSS, but intended to …
Removed p. 4
"Payment Application Qualified Security Assessor" or “PA-QSA” means a QSA company that provides services to payment application vendors in order to validate such vendors' payment applications as adhering to the requirements of the PA-DSS and that has satisfied and continues to satisfy all requirements applicable to PA-QSAs, as described in the QSA Validation Requirements - Supplement for Payment Application Qualified Security Assessors (PA-QSA).

"PA-DSS Assessment" means assessment of vendor payment applications in accordance with the PA-DSS Security Audit Procedures in order to establish vendor compliance with the PA-DSS.

“Principal QSA” and “Associate QSA” are used to refer to those QSA companies that have satisfied additional qualification requirements where needed to support PCI DSS adoption in certain global markets, as described in further detail in QSA Validation Requirements - Supplement for Principal-Associate Qualified Security Assessors.
Removed p. 5
“Qualified Security Assessor” or “QSA” refers to a company that has satisfied and continues to satisfy all requirements set forth in these QSA Validation Requirements.

To qualify as a QSA by PCI SSC, a company must meet or exceed the requirements described in the QSA Validation Requirements and execute the QSA Agreement (see Appendix A) with PCI SSC and comply with its terms.

The requirements defined in the QSA Validation Requirements serve as a validation baseline for PCI SSC and provide a transparent process for QSA qualification and re-qualification across the payment industry.
Removed p. 5
All QSAs and PA-QSAs will be identified on PCI SSC’s list of QSAs on the Website (the “QSA List”) in accordance with the QSA Agreement. If a company is not on the QSA List, its work product is not recognized by PCI SSC. All QSAs must re-qualify annually.

QSA Validation Requirements are incorporated into the QSA Agreement. To initiate the qualification process, the security company must sign the QSA Agreement in unmodified form and submit it to PCI SSC.
Modified p. 5
“QSA employee” refers to an individual who is employed by a QSA company and who has satisfied and continues to satisfy all QSA Requirements applicable to those of the QSA’s employees who will conduct Assessments, as described in further detail herein.
QSA Employee An individual who is employed by a QSA Company and satisfies and continues to satisfy all QSA Requirements applicable to QSA Employees.
Removed p. 6
Section 5: QSA Initial Qualification and Annual Maintenance briefly outlines the yearly re-qualification process, as well as revocation procedures if there is a breach of the QSA Agreement.

Appendices: The appendices to the QSA Validation Requirements include the QSA Agreement and several helpful checklists, feedback forms, and detailed fee requirements.
Removed p. 6
• Payment Card Industry (PCI) Data Security Standard Security Audit Procedures (“PCI DSS Security Audit Procedures”)

• PA-DSS Security Audit Procedures

QSA Validation Requirements for Principal and Associate QSAs and PA-QSAs can be found in the following two documents, also available through the Website:

• QSA Validation Requirements - Supplement for Principal-Associate Qualified Security Assessors

• QSA Validation Requirements - Supplement for Payment Application Qualified Security Assessors (PA-QSA)
Modified p. 6
Section 1: Introduction offers a high-level overview of the QSA applications process.
Section 1: Introduction offers a high-level overview of the QSA Program application process.
Modified p. 6
Section 2: QSA Business Requirements covers minimum business requirements that must be demonstrated to PCI SSC by the security company. This section outlines information and items that must be provided to prove business stability, independence, and insurance coverage. QSA fees and agreements are also covered.
Section 2: QSA Company Business Requirements covers minimum business requirements that must be demonstrated to PCI SSC by the security company. This section outlines information and items that must be provided to prove business stability, independence, and insurance coverage.
Modified p. 6 → 7
Section 4: QSA Administrative Requirements focuses on the logistics of doing business as a PCI DSS QSA, including background checks, adherence to PCI DSS procedures, quality assurance, and protection of confidential and sensitive information.
Section 4: QSA Company Administrative Requirements describes standards for operating as a QSA Company, including background checks, adherence to PCI SSC procedures, quality assurance, and protection of confidential and sensitive information.
Removed p. 7
Applications must indicate which geographic region(s) the QSA is applying for (see Appendix D, QSA Fees, for the list of regions or countries), and include all relevant application fees for each applicable region or country.

All application packages must include a signed QSA Agreement and all other required documentation. Applicants should send their completed application packages by mail to the following address:

Important Note: PCI SSC reserves the right to reject any application from any applicant (company or individual) that PCI SSC determines has committed, within two (2) years prior to the application date, any conduct that would have been considered a “Violation” (defined in Section 5.2 below) if committed by a QSA company or QSA employee. The period of ineligibility will be a minimum of one (1) year, as determined by PCI SSC in a reasonable and non-discriminatory manner, in light of the circumstances.

PCI SSC, in an effort to maintain the integrity of the …
Modified p. 7
To facilitate preparation of the application package, refer to Appendix B: QSA - New Application Process Checklist. All application materials and the signed QSA Agreement must be submitted in English. The QSA Agreement is binding in English even if the QSA Agreement was translated and reviewed in another language. All other documentation provided by the QSA in a language other than English must be accompanied by a certified English translation (examples include business licenses and insurance certificates).
To facilitate preparation of the application package, refer to Appendix C: “QSA Company Application,” Appendix D, “QSA Employee Application,” and Appendix E, “Associate QSA Employee Application.” All application materials and the signed QSA Agreement must be submitted in English. The QSA Agreement is binding in English even if the QSA Agreement was translated and reviewed in another language. All other documentation provided by the QSA Company (or candidate) in a language other than English must be accompanied by a certified …
Modified p. 7 → 8
PCI SSC 401 Edgewater Place, Suite 600 Wakefield, MA 01880 Phone number: 1-781-876-8855 E-mail submissions will not be accepted.
PCI SSC 401 Edgewater Place, Suite 600 Wakefield, MA 01880, USA Phone number: 1-781-876-8855
Removed p. 8
• Copy of Business license or equivalent, including year of incorporation, and location(s) of offices

• Written statements describing any past or present allegations or convictions of any fraudulent or criminal activity involving the QSA (and QSA principals), and the status and resolution

2.2 Independence

2.2.1 Requirement

The QSA must adhere to professional and business ethics, perform all duties with objectivity, and limit sources of influence that might compromise its independent judgment in performing Assessments.

• The QSA has not offered or provided (and will not offer or provide) any gift, gratuity, service, or other inducement to any employee of PCI SSC or any QSA subject or agency involved in retaining the QSA to enter into the QSA Agreement or to provide QSA-related services.
Modified p. 8 → 9
The QSA must have a code of conduct policy, and provide the policy to PCI SSC upon request.
The QSA Company must have a code-of-conduct policy, and provide the policy to PCI SSC upon request. The QSA Company’s code-of-conduct policy must support, and never contradict, the PCI SSC Code of Professional Responsibility.
Modified p. 8 → 9
The QSA must adhere to all independence requirements in this section, as required by PCI SSC, including without limitation, the following (collectively, the “Specified Independence Requirements”).
The QSA Company must adhere to all independence requirements as established by PCI SSC, including without limitation, the following:
Modified p. 8 → 9
The QSA will not undertake to perform Assessments of entities that it controls or with which it is under common control or in which it holds any investment.
• The QSA Company will not undertake to perform any PCI SSC Assessment of any entity that it controls, is controlled by, is under common control with, or in which it holds any investment.
Modified p. 8 → 10
The QSA must fully disclose in the Report on Compliance if they assess customers who use any security-related devices or security-related applications that have been developed or manufactured by the QSA, or to which the QSA owns the rights, or that the QSA has configured or manages, including the following:
• The QSA Company must fully disclose in the Report on Compliance if it assesses any customer that uses any security-related device or security-related application developed or manufactured by the QSA Company, or to which the QSA Company owns the rights, or that the QSA Company has configured or manages, including but not limited to the following:
Modified p. 8 → 10
• Application or Network Firewalls

• Intrusion Detection/Prevention Systems
Intrusion detection/prevention systems
Removed p. 9
• The QSA must not, and agrees that it will not, misrepresent requirements of the PCI DSS in connection with its promotion or sales of services to QSA clients, or state or imply that the PCI DSS requires usage of the QSA's products or services.
Removed p. 9
• The QSA customer uses products or applications developed or manufactured by the QSA company.

• The QSA customer uses products or applications managed or configured by the QSA company.

• The description must include details with respect to compliance with the Specified Independence Requirements called out in Section 2.1 above.
Modified p. 9 → 10
The QSA agrees that it will not use its status as a “listed QSA” to market services unnecessary to bring QSA subjects into compliance with the PCI DSS.
§ The QSA Company will not use its status as a “listed QSA” to market services unnecessary to bring QSA Company clients into compliance with the PCI DSS or any other PCI SSC Standard.
Modified p. 9 → 11
The QSA must adhere to all requirements for insurance coverage required by PCI SSC, including without limitation the requirements in Appendix E, Insurance Coverage, which includes details of required insurance coverage.
The QSA Company must adhere to all requirements for insurance coverage required by PCI SSC, including without limitation the requirements in Appendix B, “Insurance Coverage,” which includes details of required insurance coverage.
Removed p. 10
• The qualification fee, which must be paid in full within 30 days of notification. This fee may vary by location, as specified in Appendix D, QSA Fees.

Note: All fees are subject to change.

• An annual QSA re-qualification fee for subsequent years, also summarized by location in Appendix D, QSA Fees.

• A training fee for each QSA employee to be qualified, for training sponsored by PCI SSC. This is an annual fee. See Appendix D, QSA Fees.

Additional fees apply for PA-QSA qualification and Principal-Associate QSA qualification; these are outlined in QSA Validation Requirements • Supplement for Payment Application Qualified Security Assessors (PA-QSA), Appendix E, and QSA Validation Requirements • Supplement for Principal-Associate Qualified Security Assessors, Appendix D, respectively.

PCI SSC requires that all agreements between PCI SSC and the QSA (including the QSA Agreement) be signed by a duly authorized officer of the QSA, submitted in unmodified form to PCI SSC, and mailed with …
Modified p. 10 → 11
The QSA Agreement requires that all QSAs and employees of the QSA comply with the requirements outlined in the QSA Validation Requirements.
The QSA Agreement requires, among other things, that the QSA Company and its Assessor- Employees comply with all applicable QSA Requirements.
Removed p. 11
• The number of all employees and the number of employees performing security assessments; and
• For the number of employees performing security assessments, the percentage of time dedicated to such assessments
• Brief description of core business offerings
• Description of size and types of market segments in which the QSA tends to focus, such as Fortune 500, financial industry, insurance industry, or small-to-medium sized businesses
• List of languages supported by the QSA
• Two client references from security engagements within the last 12 months
Modified p. 11 → 12
The QSA must have a dedicated security practice that includes staff with specific job functions that support the security practice.
The QSA Company must have a dedicated information security practice that includes staff with specific job functions that support the information security practice.
Modified p. 11 → 12
• The QSA’s experience and knowledge with information security audit engagements, preferably related to payment systems, equal to at least one year or three separate audits
• Description of the QSA’s relevant areas of specialization within information security (for example, network security, database and application security, and incident response), demonstrating at least one area of specialization
• Evidence of a dedicated security practice, such as:
§ Description of the applicant QSA Company’s experience and knowledge with information security audit engagements, preferably related to payment systems, equal to at least one year or three separate audits
§ Description of the applicant QSA Company’s relevant areas of specialization within information security (for example, network security, database and application security, and incident response), demonstrating at least one area of specialization
§ Evidence of a dedicated security practice, such as:
Removed p. 12
• Performing the PCI DSS Assessment
• Being on-site for the duration of the Assessment
• Reviewing the work product that supports the audit procedures
• Ensuring adherence to the PCI DSS Security Audit Procedures
• Scoping decisions
• Selecting systems and system components where sampling is employed
• Evaluating compensating controls
• Producing the final report

3.2.1 Requirement

The QSA employee(s) performing or managing PCI DSS Assessments must:

• Have sufficient information security knowledge and experience to conduct technically complex security assessments
• Possess industry-recognized security certification(s) or equivalent work experience
• Be knowledgeable about the PCI DSS and the PCI DSS Security Audit Procedures
• Attend annual training provided by PCI SSC, and legitimately pass, of his or her own accord without any unauthorized assistance, all examinations conducted as part of training. If a QSA employee fails to so pass any exam in connection with such training, the QSA …
Modified p. 12 → 15
Approved subcontractors shall not be permitted to include a company logo other than that of the responsible QSA or any reference to another company in the Report of Compliance or attestation documents while performing work on behalf of the QSA.
Note: Approved subcontractors shall not be permitted to include a company logo other than that of the responsible QSA Company or any reference to another company in the Report on Compliance or attestation documents while performing work on behalf of the QSA Company.
Removed p. 13
• Copy of Certified Information System Security Professional (CISSP) certificate and ID number
• Copy of Certified Information Systems Auditor (CISA) certificate and ID number
• Copy of Certified Information Security Manager (CISM) certificate and ID number

If an employee does not satisfy any of the above education criteria or certificates, he or she must provide a description of a minimum of five years of relevant information security experience or proof of other recognized security certifications.
Removed p. 14
• Name
• Title
• Address
• Phone number
• Fax number
• E-mail address

4.2 Background Checks

4.2.1 Requirement

The QSA must perform a background check (as described in Subsection 4.2.2) on all QSA employees, if legally permitted within the applicable jurisdiction.

The QSA must adhere to all background check requirements as required by PCI SSC.

Upon request, the QSA must provide to PCI SSC the background check history for each QSA employee, when legally permitted within the applicable jurisdiction.

• A written statement that the QSA conducts background checks for each employee prior to submitting employee qualification requests to PCI SSC, and that each employee with respect to which qualification materials have been submitted has successfully passed the background check in accordance with the QSA’s policies and procedures (where legally permitted).

• Gathering of current photographs
Modified p. 14 → 19
A summary description of current QSA personnel background check policies and procedures, to confirm the procedures include at least (to the extent legally permissible in the applicable jurisdiction):
§ A summary description of current Assessor-Employee personnel background check policies and procedures, which must require and include the following:
Removed p. 15
• The QSA must prepare each ROC based on evidence obtained by following the PCI DSS Security Audit Procedures.
Removed p. 15
• The QSA must provide a QSA Feedback Form to their client at the completion of the audit. See Appendix C, Sample QSA Feedback Form.

• The QSA must adhere to all quality assurance requirements mandated by PCI SSC.

• PCI SSC reserves the right to conduct site visits and audit the QSA at the discretion of the PCI SSC.
Removed p. 15
• A description of the contents of the QSA quality assurance manual, to confirm the procedures fully document the PCI audit processes and the review process for generation of the ROC, including at least the following:
Modified p. 15 → 20
Upon request, the QSA must provide the quality assurance manual to PCI SSC.
§ Upon request, the QSA Company (or applicant) must provide a complete copy of the quality assurance manual to PCI SSC.
Removed p. 16
The QSA must adhere to all requirements to protect sensitive and confidential information, as required by PCI SSC.
Removed p. 16
• A description of the QSA’s confidential and sensitive data-protection handling practices, including at a minimum the following physical, electronic, and procedural safeguards:

  • Encryption of customer data on consultants’ laptops

• A description of requirements and processes used to ensure employee confidentiality of customer data, including a (blank) copy of confidentiality agreements required to be signed by employees

The QSA must sign the QSA Agreement, which includes a statement that the QSA will adhere to the foregoing requirement.
Modified p. 16 → 20
The QSA must maintain the privacy and confidentiality of information obtained in the course of performing their duties under the QSA Agreement, unless (and to the extent) disclosure is required by legal authority.
The QSA Company must maintain the privacy and confidentiality of information obtained in the course of performing its duties and obligations as a QSA Company, unless (and to the extent) disclosure is required by legal authority.
Modified p. 16 → 21
• Systems storing customer data do not reside on Internet-accessible systems
• Protection of systems storing customer data by adequate network and application-layer controls, including a firewall and IDS/IPS
• The following physical and logical access controls:
Protection of systems storing customer data by network and application layer controls including technologies such as firewall(s) and IDS/IPS
Modified p. 16 → 21
• Restricting logical access to electronic files via role-based access control
• Restricting logical access to electronic files via least-privilege/role-based access control
Modified p. 16 → 21
Encryption of sensitive customer information when transmitted over the Internet either by e-mail or other means
Strong encryption of customer data when transmitted over public networks
Removed p. 17
• The QSA must adhere to all evidence-retention requirements, as required by PCI SSC.

• This information must be available upon request by PCI SSC and its Affiliates for a minimum of three (3) years.

• The QSA must provide a copy of the evidence-retention policy and procedures to PCI SSC upon request.
Removed p. 18
The QSA List and PA-QSA list are posted on the Website.

Those QSAs that have additionally qualified as Associate QSAs (per QSA Validation Requirements • Supplement for Principal-Associate Qualified Security Assessors) will be identified as QSAs on the Website, with the Principal QSA noted as the primary contact.

Those QSAs that have additionally qualified to perform PA-DSS Assessments (per QSA Validation Requirements • Supplement for Payment Application Qualified Security Assessors (PA-QSA)) will be identified as PA-QSAs on the Website. Only those QSAs that have also qualified as PA-QSAs are authorized by PCI SSC to perform PA-DSS Assessments.

In the event a company does not meet the requirements specified in the QSA Validation Requirements, PCI SSC will notify the company.

The company will have 30 days from the date of notification to appeal the decision. Appeals must be addressed to the PCI SSC General Manager and follow the procedures outlined on https://pcisecuritystandards.org/.

If a company’s appeal is denied, its name …
Removed p. 18
PCI SSC reserves the right to perform random on-site audits of the QSA.
Removed p. 18
• Feedback from QSA clients (entities that were assessed), from PCI SSC, and from payment brand participants (see Appendix C, Sample QSA Feedback Form). Significant or excessive unsatisfactory feedback may be cause for revocation;
Removed p. 19
• The QSA (or any QSA employee thereof) fails to validate compliance in accordance with the PCI DSS Security Audit procedures and/or the PA-DSS Security Audit Procedures, as applicable.

• The QSA (or any QSA employee thereof) violates any provision or obligation regarding non-disclosure of confidential materials.

• The QSA (or any QSA employee thereof) fails to maintain physical, electronic, and procedural safeguards to protect confidential or sensitive information;

• The QSA (or any QSA employee thereof) fails to report unauthorized access to any system storing confidential or sensitive information.

• The QSA (or any QSA employee thereof) engages in unprofessional or unethical business conduct.

• The QSA (or any QSA employee thereof) fails to provide quality services, based on customer feedback or evaluation by PCI SSC or its affiliates.

• The QSA (or any QSA employee thereof) is determined to have cheated on any exam in connection with QSA or PA-QSA training, including without …
Modified p. 21 → 29
State/Province: Country: Postal Regions Applying For (see Appendix D):
State/Province: Country: Postal Code:
Modified p. 21 → 29
Primary Contact Name: Title:
Primary Contact Name: Job Title:
Modified p. 21 → 29
Secondary Contact Name: Title:
Secondary Contact Name: Job Title:
Modified p. 21 → 29
Applicant’s Officer Signature   Date   Applicant Officer Name:   Title:
Applicant’s Officer Signature   Date   Job Title:
Modified p. 21 → 29
PCI SSC Signature   Date
PCI SSC Signature   Date
Removed p. 22
PCI SSC hereby approves QSA to perform, in accordance with this Agreement and the QSA Validation Requirements (defined below), onsite reviews of the member Financial Institutions of Members ("Financial Institutions"), issuers of Member payment cards ("Issuers"), merchants authorized to accept Member cards in payment for goods or services ("Merchants"), acquirers of Merchant accounts (“Acquirers”) and data processing entities performing services for a Financial Institution, Issuer, Merchant or Acquirer ("Processors", and each Processor, Acquirer, Issuer, Merchant or Financial Institution, a "Subject"), to determine Subjects' compliance with the Payment Card Industry (PCI) Data Security Standard, as such Standard may be amended from time to time (the "PCI DSS", which is hereby incorporated into this Agreement), the current version of which is available for review on the PCI SSC web site at http://www.pcisecuritystandards.org (the "Website"), as part of the PCI Qualified Security Assessor Program ("QSA Program"). For purposes of this Agreement: (i) "Member" …
Removed p. 23
A.3.4 QSA Requirements QSA agrees to adhere to all QSA Requirements, including without limitation, the requirements stated in this Agreement and all requirements applicable to Qualified Security Assessors (as defined in the QSA Validation Requirements) stated in the QSA Validation Requirements. Without limiting the foregoing, QSA agrees to comply with all requirements regarding background checks as set forth in the QSA Validation Requirements and warrants that it has obtained all required consents to such background checks from each employee designated by QSA to PCI SSC to perform Services hereunder. Further, QSA warrants that, to the best of QSA's ability to determine, all information provided to PCI SSC in connection with this Agreement and QSA's participation in the QSA Program is and shall be accurate and complete as of the date such information is provided. Additionally, QSA acknowledges that PCI SSC may from time to time require QSA to provide a …
Removed p. 24
A.4.4 Training Fees Fees in the amount established by PCI SSC for training of QSA personnel will be due and payable within thirty (30) days after a QSA training session has been scheduled, and in any event, prior to such training session. QSA personnel will not be admitted to training sessions until applicable fees have been paid in full.

A.4.5 Additional Fees QSA acknowledges that additional Fees may apply, including without limitation, fees to cover administrative costs, re-listing on the QSA List, penalties and other costs, and that QSA will pay all such Fees as and when required.

A.4.6 Nonrefundable Fees All Fees paid by QSA pursuant to this Agreement are nonrefundable (regardless of whether QSA's application is approved, QSA has been removed from the QSA List, this Agreement has been terminated or otherwise).

A.5 Advertising and Promotion; Intellectual Property A.5.1 QSA List and QSA Use of PCI SSC Materials and Marks (a) …
Removed p. 25
A.5.2 Uses of QSA Name and Designated Marks QSA grants PCI SSC and each Member the right to use QSA's name and trademarks, as designated in writing by QSA, to list QSA on the QSA List and to include reference to QSA in publications to Financial Institutions, Issuers, Merchants, Acquirers, Processors, and the public regarding the QSA Program. Neither PCI SSC nor any Member shall be required to include any such reference in any materials or publicity regarding the QSA Program. QSA warrants and represents that it has authority to grant to PCI SSC and its Members the right to use its name and designated marks as contemplated by this Agreement.
Modified p. 25 → 34
A.5.3 No Other Rights Granted Except as expressly stated in this Section A5, no rights to use any party's or Member’s marks or other Intellectual Property Rights (as defined below) are granted herein, and each party respectively reserves all of its rights therein. Without limitation of the foregoing, except as expressly provided in this Agreement, no rights are granted to QSA with respect to any Intellectual Property Rights in the PCI DSS, the PCI DSS Security Audit Procedures or any …
A.5.3 No Other Rights Granted Except as expressly stated in this Section A.5, no rights to use any party's or Member’s marks or other Intellectual Property Rights (as defined below) are granted herein, and each party respectively reserves all of its rights therein. Without limitation of the foregoing, except as expressly provided in this Agreement, no rights are granted to QSA with respect to any Intellectual Property Rights in the PCI DSS or any other PCI Materials.
Removed p. 26
(b) All right, title and interest in and to the Intellectual Property Rights in all materials generated by PCI SSC with respect to QSA are and at all times shall remain the property of PCI SSC. Subject to the provisions of Section A6, QSA may use and disclose such materials solely for the purposes expressly permitted by this Agreement. QSA shall not revise, abridge, modify or alter any such materials.
Modified p. 26 → 35
(c) QSA shall not during or at any time after the completion, expiry or termination of this Agreement in any way question or dispute PCI SSC's or its licensors’ (as applicable) Intellectual Property Rights in the QSA Program or any of the PCI Materials.
(c) QSA shall not during or at any time after the completion, expiry or termination of this Agreement in any way question or dispute PCI SSC's or its licensors’ (as applicable) Intellectual Property Rights in any PCI SSC Program or any of the PCI Materials.
Modified p. 26 → 35
(d) Except as otherwise expressly agreed by the parties, all Intellectual Property Rights, title and interest in and to the materials submitted by QSA to PCI SSC in connection with its performance under this Agreement are and at all times shall remain vested in QSA, or its licensors.
(d) Except as otherwise expressly agreed by the parties, as between PCI SSC and QSA, all Intellectual Property Rights, title and interest in and to the materials created by QSA and submitted by QSA to PCI SSC in connection with its performance under this Agreement are and at all times shall remain vested in QSA, or its licensors.
Modified p. 26 → 35
A.6 Confidentiality A.6.1 Definition of Confidential Information As used in this Agreement, “Confidential Information" means (i) all terms of this Agreement; (ii) any and all information designated in this Agreement as Confidential Information; (iii) any and all originals or copies of, any information that either party has identified in writing as confidential at the time of disclosure; and (iv) any and all Personal Information, proprietary information, merchant information, technical information or data, assessment reports, trade secrets or know-how, information concerning …
A.6 Confidentiality A.6.1 Definition of Confidential Information As used in this Agreement, “Confidential Information" means (i) all terms of this Agreement; (ii) any and all information designated in this Agreement as Confidential Information; (iii) any and all originals or copies of, any information that either party has identified in writing as confidential at the time of disclosure; and (iv) any and all Personal Information, proprietary information, merchant information, technical information or data, assessment reports, trade secrets or know- how, information …
Removed p. 27
A.6.2 General Restrictions (a) Each party (the "Receiving Party") agrees that all Confidential Information received from the other party (the "Disclosing Party") shall: (i) be treated as confidential; (ii) be disclosed only to those Members, officers, employees, legal advisers and accountants of the Receiving Party who have a need to know and be used solely as required in connection with (A) the performance of this Agreement and (B) the operation of such party's respective payment card data security compliance programs (if applicable) and (iii) not be disclosed to any third party except as expressly permitted in this Agreement or in writing by the Disclosing Party, and only if such third party is bound by confidentiality obligations applicable to such Confidential Information that are in form and substance similar to the provisions of this Section A6.
Modified p. 27 → 36
A.6.3 Subject Data To the extent any data or other information obtained by QSA relating to any Subject in the course of providing Services thereto may be subject to any confidentiality restrictions between QSA and such Subject, QSA must provide in each agreement containing such restrictions (and in the absence of any such agreement must agree with such Subject in writing) that (i) QSA may disclose each ROC, Attestation of Compliance and other related information to PCI SSC and/or its …
A.6.3 QSA Company Client Data To the extent any data or other information obtained by QSA relating to any QSA Company client in the course of providing Services thereto may be subject to any confidentiality restrictions between QSA and such QSA Company client, QSA shall provide in each agreement containing such restrictions (and in the absence of any such agreement must agree with such QSA Company client in writing) that (i) QSA may disclose each ROC, Attestation of Compliance and …
Removed p. 28
A.6.5 Return Upon termination of this Agreement or upon demand, QSA promptly shall return to PCI SSC all property and Confidential Information of PCI SSC and of all third parties to the extent provided or made available by PCI SSC; provided that such requirement shall not apply to electronic copies made as part of QSA’s standard computer back up practices. If agreed by PCI SSC, QSA may instead destroy all such materials and information and provide a certificate of destruction to PCI SSC, with sufficient detail regarding the items destroyed, destruction date, and assurance that all copies of such information and materials also were destroyed.

A.6.6 Remedies In the event of a breach of Section A6.2 by the Receiving Party, the Receiving Party acknowledges that the Disclosing Party will likely suffer irreparable damage that cannot be fully remedied by monetary damages. Therefore, in addition to any remedy that the Disclosing Party …
Modified p. 29 → 38
A.7.2 Indemnification Procedure QSA's indemnity obligations are contingent on the Indemnified Party's providing notice of the claim or liability to QSA, provided that the failure to provide any such notice shall not relieve QSA of such indemnity obligations except and to the extent such failure has materially and adversely affected QSA's ability to defend against such claim or liability. Upon receipt of such notice, QSA will be entitled to control, and will assume full responsibility for, the defense of such …
A.7.2 Indemnification Procedure QSA's indemnity obligations are contingent on the Indemnified Party's providing notice of the claim or liability to QSA, provided that the failure to provide any such notice shall not relieve QSA of such indemnity obligations except and to the extent such failure has materially and adversely affected QSA's ability to defend against such claim or liability. Upon receipt of such notice, QSA will be entitled to control, and will assume full responsibility for, the defense of such …
Modified p. 29 → 39
A.7.3 No Warranties; Limitation of Liability (a) PCI SSC PROVIDES THE PCI DSS, PCI DSS SECURITY AUDIT PROCEDURES, QSA PROGRAM, QSA VALIDATION REQUIREMENTS, WEBSITE AND ALL RELATED AND OTHER MATERIALS PROVIDED OR OTHERWISE MADE ACCESSIBLE IN CONNECTION WITH THE QSA PROGRAM (THE FOREGOING, COLLECTIVELY, THE "PCI MATERIALS") ON AN "AS IS" BASIS WITHOUT WARRANTY OF ANY KIND. QSA ASSUMES THE ENTIRE RISK AS TO RESULTS AND PERFORMANCE ARISING OUT
A.7.3 No Warranties; Limitation of Liability (a) PCI SSC PROVIDES THE PCI DSS, ALL OTHER PCI SSC STANDARDS, THE QSA PROGRAM, ALL OTHER PCI SSC PROGRAMS, THE QSA QUALIFICATION REQUIREMENTS, ALL OTHER PROGRAM QUALIFICATION REQUIREMENTS, THE WEBSITE AND ALL RELATED AND OTHER MATERIALS PROVIDED OR OTHERWISE MADE ACCESSIBLE BY PCI SSC IN CONNECTION WITH ANY PCI SSC PROGRAM (THE FOREGOING, COLLECTIVELY, THE "PCI MATERIALS") ON AN "AS IS" BASIS WITHOUT WARRANTY OF ANY KIND. QSA ASSUMES THE ENTIRE RISK AS …
Removed p. 30
(b) PCI SSC MAKES NO REPRESENTATION OR WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH RESPECT TO THE SUBJECT MATTER OF THIS AGREEMENT, INCLUDING WITHOUT LIMITATION, THE PCI MATERIALS OR ANY MATERIALS OR SERVICES PROVIDED UNDER OR IN CONNECTION WITH THIS AGREEMENT OR THE QSA PROGRAM. PCI SSC SPECIFICALLY DISCLAIMS, AND QSA EXPRESSLY WAIVES, ALL REPRESENTATIONS AND WARRANTIES WITH RESPECT TO THIS AGREEMENT, THE PCI MATERIALS, ANY MATERIALS OR SERVICES PROVIDED UNDER OR IN CONNECTION WITH THIS AGREEMENT OR THE QSA PROGRAM, OR OTHERWISE, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. WITHOUT LIMITATION OF THE FOREGOING, PCI SSC SPECIFICALLY DISCLAIMS, AND QSA EXPRESSLY WAIVES, ALL REPRESENTATIONS AND WARRANTIES WITH RESPECT TO THE PCI MATERIALS AND ANY INTELLECTUAL PROPERTY RIGHTS SUBSISTING THEREIN OR IN ANY PART THEREOF, INCLUDING BUT NOT LIMITED TO ANY AND ALL EXPRESS OR IMPLIED WARRANTIES OF TITLE, NON-INFRINGEMENT, …
Modified p. 30 → 39
(c) In particular, without limiting the foregoing, QSA acknowledges and agrees that the accuracy, completeness, sequence or timeliness of the PCI Materials or any portion thereof cannot be guaranteed. In addition, PCI SSC makes no representation or warranty whatsoever, expressed or implied, and assumes no liability, and shall not be liable in any respect to QSA regarding (i) any delay or loss of use of any of the PCI Materials, or (ii) system performance and effects on or damages to …
(c) In particular, without limiting the foregoing, QSA acknowledges and agrees that the accuracy, completeness, sequence or timeliness of the PCI Materials or any portion thereof cannot be guaranteed. In addition, PCI SSC makes no representation or warranty whatsoever, expressed or implied, and assumes no liability, and shall not be liable in any respect to QSA regarding (i) any delay or loss of use of any of the PCI Materials, or (ii) system performance and effects on or damages to …
Modified p. 30 → 39
(d) EXCEPT FOR DAMAGES CAUSED BY THE GROSS NEGLIGENCE OR WILLFUL MISCONDUCT OF A PARTY, AND EXCEPT FOR THE OBLIGATIONS OF QSA UNDER SECTIONS A5 OR A6, IN NO EVENT SHALL EITHER PARTY OR ANY MEMBER BE LIABLE TO THE OTHER FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT OR SPECIAL DAMAGES, HOWEVER CAUSED, WHETHER UNDER THEORY OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY DOES …
(d) EXCEPT FOR DAMAGES CAUSED BY THE GROSS NEGLIGENCE OR WILLFUL MISCONDUCT OF A PARTY, AND EXCEPT FOR THE OBLIGATIONS OF QSA UNDER SECTIONS A.5 OR A.6, IN NO EVENT SHALL EITHER PARTY OR ANY MEMBER BE LIABLE TO THE OTHER FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT OR SPECIAL DAMAGES, HOWEVER CAUSED, WHETHER UNDER THEORY OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF
Modified p. 30 → 40
(e) PCI SSC shall be liable vis-à-vis QSA only for any direct damage incurred by QSA as a result of PCI SSC's gross negligence (contractual or extra-contractual) under this Agreement provided PCI SSC's aggregate liability for such direct damage under and for the duration of this Agreement will never exceed the fees paid by QSA to PCI SSC under Section A4.
(e) PCI SSC shall be liable vis-à-vis QSA only for any direct damage incurred by QSA as a result of PCI SSC's gross negligence (contractual or extra-contractual) under this Agreement provided PCI SSC's aggregate liability for such direct damage under and for the duration of this Agreement will never exceed the fees paid by QSA to PCI SSC under Section A.4.
Modified p. 30 → 40
(f) Notwithstanding Section A7.3(d), PCI SSC shall not be liable vis-à-vis QSA for any other damage incurred by QSA under this Agreement, including but not limited to, loss of business, revenue, goodwill, anticipated savings or other commercial or economic loss of any kind arising in any way out of the use of the QSA Program (regardless of whether such damages are reasonably foreseeable or PCI SSC has been advised of the possibility of such damages), or for any loss that …
(f) Except as otherwise expressly provided in this Agreement, neither PCI SSC nor any Participating Payment Brand shall be liable vis-à-vis QSA for any other damage incurred by QSA under this Agreement or in connection with any PCI SSC Program, including but not limited to, loss of business, revenue, goodwill, anticipated savings or other commercial or economic loss of any kind arising in any way out of the use of any PCI SSC Program (regardless of whether such damages are …
Removed p. 31
A.8 Independence; Representations and Warranties QSA agrees to comply with the QSA Validation Requirements, including without limitation, all requirements and provisions regarding independence, and hereby warrants and represents that QSA is now, and shall at all times during the Term, remain in compliance with the QSA Validation Requirements. QSA represents and warrants that by entering into this Agreement it will not breach any obligation to any third party. QSA represents and warrants that it will comply with all applicable laws, ordinances, rules, and regulations in any way pertaining to this Agreement or its performance of the Services or its obligations under this Agreement.

A.9 Term and Termination A.9.1 Term This Agreement shall commence as of the Effective Date and, unless earlier terminated in accordance with this Section A9, continue for an initial term of one (1) year (the "Initial Term") and thereafter, for additional subsequent terms of one year (each a …
Modified p. 31 → 41
PCI SSC may terminate this Agreement effective as of the end of the then current Term by providing QSA with written notice of its intent not to renew this Agreement at least sixty (60) days prior to the end of the then current Term. Additionally, PCI SSC may terminate this Agreement: (i) with written notice upon QSA's voluntary or involuntary bankruptcy, receivership, reorganization dissolution or liquidation under state or federal law that is not otherwise dismissed within thirty (30) days; …
PCI SSC may terminate this Agreement and/or any Addendum effective as of the end of the then- current Term by providing QSA with written notice of its intent to terminate or not to renew this Agreement (or such Addendum, as applicable) at least sixty (60) days prior to the end of the then- current Term. Additionally, PCI SSC may terminate this Agreement and/or any Addendum: (i) with written notice upon QSA's voluntary or involuntary bankruptcy, receivership, reorganization dissolution or liquidation …
Removed p. 32
A.9.4 Effect of Termination

Upon any termination or expiration of this Agreement: (i) QSA will be removed from the QSA List; (ii) QSA shall immediately cease all advertising and promotion of its status as listed on the QSA List and all references to the PCI DSS and other PCI Materials; (iii) QSA shall immediately cease soliciting for any further Services and shall only complete Services contracted with Subjects prior to the notice of termination; (iv) QSA will deliver all outstanding ROCs within the time contracted with the Subject and shall remain responsible after termination for all of the obligations, representations and warranties hereunder with respect to all ROCs submitted prior to or after termination; (v) QSA shall return or destroy all PCI SSC and third party property and Confidential Information in accordance with the terms of Section A6 and (vi) PCI SSC may notify any of its Members and/or acquirers. …
Removed p. 33
(b) Notwithstanding anything to the contrary in Section A6 of this Agreement, in order to assist in ensuring the reliability and accuracy of QSA's Assessments, within 15 days of any written request by PCI SSC or any Member (each a “Requesting Organization”), QSA hereby agrees to provide to such Requesting Organization such Assessment results (including ROCs) as such Requesting Organization may reasonably request with respect to (i) if the Requesting Organization is a Member, any Subject for which QSA has performed an Assessment and that is a Financial Institution of such Member, an Issuer of such Member, a Merchant authorized to accept such Member's payment cards, an Acquirer of accounts of Merchants authorized to accept such Member's payment cards or a Processor performing services for such Member's Financial Institutions, Issuers, Merchants or Acquirers or (ii) if the Requesting Organization is PCI SSC, any Subject for which QSA has performed an …
Modified p. 34 → 46
A.10.5 Assignment

QSA may not assign this Agreement, or assign or delegate its rights and obligations under this Agreement, including by subcontracting, without the prior written consent of PCI SSC, which consent PCI SSC may grant or withhold in its absolute discretion.

A.10.5 Assignment

QSA may not assign this Agreement, or assign, delegate or subcontract any of its rights and/or obligations under this Agreement (including but not limited to by subcontracting any of the foregoing to a related party or affiliate), without the prior written consent of PCI SSC, which consent PCI SSC may grant or withhold in its absolute discretion.
Modified p. 34 → 46
A.10.8 Counterparts

This Agreement may be signed in two or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.

A.10.8 Counterparts

This Agreement may be signed in two or more counterparts, any or all of which may be executed by exchange of facsimile and/or electronic transmission, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.
Removed p. 36
Note: If your company is applying to become a Payment Application Qualified Security Assessor (PA-QSA), additional requirements are documented in QSA Validation Requirements Supplement for Payment Application Qualified Security Assessors (PA-QSA). The requirements contained therein must be met in addition to those documented in this Appendix B.

Additionally, if your company is applying for a Principal-Associate QSA relationship, additional requirements are documented in QSA Validation Requirements Supplement for Principal-Associate Qualified Security Assessors. The requirements contained therein must be met in addition to those documented in this Appendix B.

QSA Business Requirements

Requirement: Information/documentation Needed

Business Legitimacy
• Copy of business license
• Year of incorporation
• Location(s) of office(s)
• Written statement describing any past or present allegations or convictions of any fraudulent or criminal activity involving the security company and its principals

Independence
• Description of company’s practices to maintain auditor independence
• Company signature on the Qualified Security Assessor (QSA) Agreement

Insurance Coverage
• Company signature on the Qualified …
Removed p. 37
• Education (subject, degrees, institutions)
• Area(s) of expertise
• Years of working experience and responsibilities
• Years of working experience related to payment industry and role (if any)
• Résumé or CV
• Copy of CISSP (Certified Information System Security Professional) certification and ID number, or
• Copy of CISA (Certified Information Systems Auditor) certification and ID number, or
• Copy of CISM (Certified Information Security Manager) certification and ID number, or
• A description of a minimum of five years’ information security experience
Removed p. 39
Information collected from the Feedback Form will be held in strict confidence and used for the sole purpose of improving the quality of service provided by the QSA.

This form can be obtained directly from the QSA during the audit, or can be found online in a useable format at www.pcisecuritystandards.org. The client, not the QSA, should submit this form to PCI SSC. Please send this completed form to PCI SSC at: compliance@pcisecuritystandards.org.

QSA Feedback Form

• Client (merchant or service provider)
• Qualified Security Assessor Company (QSA)
• Location of Assessment
• QSA employee who performed Assessment
• Street Name
• City
• Title
• State/Province
• Country
• Postal Code
• Telephone
Removed p. 40
1. During the initial PCI engagement, the QSA explained the objectives, timing, and review process, and addressed your questions and concerns.

2. The QSA employee(s) understood your business and technical environment, as well as the cardholder data environment.

3. The QSA employee(s) had sufficient security and technical skills to effectively perform this assessment.

4. The QSA sufficiently understood the PCI Data Security Standard and the PCI DSS Security Audit Procedures.

5. The QSA effectively minimized interruptions to operations and schedules.

6. The QSA provided an accurate estimate for time and resources needed.

7. The QSA provided an accurate estimate for report delivery.

8. The QSA did not attempt to market their own products or services for your company to attain PCI compliance.

9. The QSA did not imply that use of a specific brand of commercial product or service was necessary to achieve compliance.

10. In situations where remediation was required, the QSA presented product and/or solution options that …
Removed p. 41
For each statement, please indicate the response that best reflects your experience and provide comments.
Removed p. 41
1. The QSA clearly understood how to notify your payment brand about compliance and non-compliance issues, and the status of merchants and service providers.

2. The QSA Client had a positive and professional experience with the QSA.

3. The QSA demonstrated sufficient understanding of the PCI Data Security Standard and the PCI DSS Security Audit Procedures.

4. The QSA appropriately documented the results related to their findings.

5. From your understanding, the QSA appropriately scoped the cardholder data environment.

6. The QSA evaluated that all compensating controls were appropriate and that all risks relevant to the original requirements were addressed.
Removed p. 42
All fee checks should be made payable to PCI SSC and mailed with the completed QSA application package. See Section 1.6 of this document for the mailing address.

Additional fees apply to QSAs who qualify as PA-QSAs or Principal or Associate QSAs.

The most current program fees are available at https://www.pcisecuritystandards.org/fees
Removed p. 43
Note: For QSAs to conduct work outside their home countries, the following is an additional insurance coverage requirement: The insurance provider must respond to claims on a global basis (and particularly respond to claims brought in the U.S., if applicable).

Note: Most insurance is not automatically written to respond to claims outside of the country and many specifically exclude claims from the U.S.

The following is a typical insurance clause and includes expected coverage:

Prior to the commencement of the Services under this agreement, the Security Assessor shall procure the following insurance coverage, at its own expense, with respect to the performance of such Services. Such insurance shall be issued by financially responsible and properly licensed insurance carriers in the jurisdictions where the Services are performed and rated at least A VIII by Best’s Rating Guide (or otherwise acceptable to PCI SSC) and with minimum limits as set forth below. Such insurance shall …
Modified p. 43 → 48
• WORKERS’ COMPENSATION: Statutory Workers Compensation as required by applicable law and
• EMPLOYER’S LIABILITY with a limit of $1,000,000
• COMMERCIAL GENERAL LIABILITY INSURANCE including PRODUCTS, COMPLETED OPERATIONS, ADVERTISING INJURY, PERSONAL INJURY and CONTRACTUAL LIABILITY INSURANCE with the following minimum limits for Bodily Injury and Property Damage on an Occurrence basis: $1,000,000 per occurrence and $2,000,000 annual aggregate. PCI SSC to be added as “Additional Insured.”
• COMMERCIAL AUTOMOBILE INSURANCE including owned, leased, hired, or non-owned autos subject to …
• WORKERS’ COMPENSATION: Statutory Workers Compensation as required by applicable law and
• EMPLOYER’S LIABILITY with a limit of $1,000,000
• COMMERCIAL GENERAL LIABILITY INSURANCE including PRODUCTS, COMPLETED OPERATIONS, ADVERTISING INJURY, PERSONAL INJURY and CONTRACTUAL LIABILITY INSURANCE with the following minimum limits for Bodily Injury and Property Damage on an Occurrence basis: $1,000,000 per occurrence and $2,000,000 annual aggregate. PCI SSC to be added as “Additional Insured.” The policy Coverage Territory must include the entire Region(s) in which the QSA …
Modified p. 43 → 48
TECHNOLOGY ERRORS & OMISSIONS, CYBER-RISK and PRIVACY LIABILITY INSURANCE covering liabilities for financial loss resulting or arising from acts, errors or omissions in rendering computer or information technology Services, or from data damage/destruction/corruption, including without limitation, failure to protect privacy, unauthorized access, unauthorized use, virus transmission, denial of service and loss of income from network security failures in connection with the Services provided under this agreement with a minimum limit of two million dollars ($2,000,000) each claim and annual …
• TECHNOLOGY ERRORS & OMISSIONS, CYBER-RISK and PRIVACY LIABILITY INSURANCE covering liabilities for financial loss resulting or arising from acts, errors or omissions in rendering computer or information technology Services, or from data damage/destruction/corruption, including without limitation, failure to protect privacy, unauthorized access, unauthorized use, virus transmission, denial of service and loss of income from network security failures in connection with the Services provided under this agreement with a minimum limit of two million dollars ($2,000,000) each claim and annual …
Modified p. 43 → 48
If any of the above insurance is written on a claims-made basis, then Security Assessor shall maintain such insurance for five (5) years after the termination of this agreement.
If any of the above insurance is written on a claims-made basis, then Security Assessor shall maintain such insurance for five (5) years after the termination of this agreement. The limits shown in the appendix may be written in other currencies, but should be the equivalent of the limits in US dollars shown here.
Modified p. 44 → 49
In the event that Security Assessor subcontracts or assigns any portion of the Services in this agreement, the Security Assessor shall require any such subcontractor to purchase and maintain insurance coverage and waiver of subrogation as required herein.

WAIVER OF SUBROGATION: Security Assessor agrees to waive subrogation against PCI SSC for any injuries to its employees arising out of or in any way related to Security Assessor’s performance of the Service under this agreement. Further, Security Assessor agrees that it …
WAIVER OF SUBROGATION: Security Assessor agrees to waive subrogation against PCI SSC for any injuries to its employees arising out of or in any way related to Security Assessor’s performance of the Service under this agreement. Further, Security Assessor agrees that it shall ensure that the Workers’ Compensation/Employer’s Liability insurers agree to waive subrogation rights, in favor of PCI SSC, for any claims arising out of or in any way connected to Security Assessor’s performance of the Services under this …