Document Comparison

Qualified_PIN_Assessor_(QPA)_Program_Guide_V1.0.pdf → Qualified_PIN_Assessor_(QPA)_Program_Guide_v1.2.pdf
40% similar
20 → 19 Pages
6482 → 6361 Words
57 Content Changes

Content Changes

57 content changes. 30 administrative changes (dates, page numbers) hidden.

Added p. 2
September 2021, version 1.1:

• Removed requirement that QPAs must submit CPEs to PCI SSC

• Clarified requirement for QPAs to have appropriate skills for assessments

• Added requirement that QPAs must be trained on the version of the standard they are assessing

• Added guidance regarding remote assessments

• Added Appendix B to provide additional QA guidance

• Performed minor clarifications in language throughout

May 2025, version 1.2:

• Moved [previous] Terminology (Section 2) and Related Publications (Section 3) to Sections i and ii, respectively

• Updated or added the following to support PIN Service listings on the Website:

• Several terms and definitions in the Terminology section

• Roles and Responsibilities (Section 3)

• Term “Customers” changed to “PIN Service Providers” (Section 3.4)

• [new] Section 4.3.2, PIN Service Provider Portal
Added p. 4
Table 1: Glossary of Terms (Term: Definition / Source / Document Reference)

Accepted, Acceptance: Refer to definitions in VRA (for QPA Company submissions) and PSPRA (for direct Service Provider submissions).

Good Standing: Refer to the QPA Agreement.

List of PCI PIN Service Providers: The authoritative list of PCI PIN Service Providers appearing on the Website.

Listing: The information regarding a PIN Service Provider appearing on the applicable PIN Listing after Acceptance has occurred.

Participating Payment Brand: Refer to the QPA Agreement.

PCI PIN Assessment: Refer to the QPA Qualification Requirements.

PCI SSC: Acronym for “Payment Card Industry Security Standards Council.”

PIN Service Provider (or “Service Provider”): An entity whose PIN services have been assessed and validated as satisfying the requirements of the PCI PIN Standard. PIN Service Providers may, but are not required, to have their assessed and validated PIN service listed on the List of PCI PIN Service Providers. See Section …
Added p. 5
QPA Program: Refer to QPA Qualification Requirements.

QPA Qualification Requirements: The then-current version of (or successor documents to) the Payment Card Industry (PCI) Qualification Requirements for Qualified PIN Assessors (QPA), as from time to time amended and made available on the Website.

QPA Requirements: Refer to the QPA Qualification Requirements.
Added p. 6
PCI PIN Attestation of Compliance (PIN AOC): The form for QPA Companies, QPA Employees, and PIN Service Providers to attest to the results of a PCI PIN Assessment, as documented in the PIN Report on Compliance.

PCI SSC Remote Assessment Guidelines and Procedures: Detailed guidelines and procedures for performing PCI SSC Assessments remotely.

QPA Feedback Form: Provides the PIN Service Provider an opportunity to offer feedback regarding the QPA and the PCI PIN Assessment process. https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_PIN_assessors_feedback

PIN Service Provider Release Agreement (PSPRA): Available to PIN Service Providers in the Portal, the PSPRA establishes the terms and conditions under which PIN submissions made directly by PIN Service Providers are Accepted and included on the PCI PIN Services List.

Vendor Release Agreement (VRA): Available on the Website, the VRA establishes the terms and conditions under which PIN submissions made by QPA Companies are Accepted and included on the PCI PIN Services List.
Added p. 7
• Establishing penalties and fees.

• Establishing validation process requirements and who must validate.

• Endorsing qualification criteria.
Added p. 8
• Maintains the List of PCI PIN Service Providers on the Website.
Added p. 9
• Submitting the PIN AOC to PCI SSC signed by both the QPA and PIN Service Provider, if applicable.
Added p. 9
• Complying with terms of the Vendor Release Agreement or PIN Service Provider Release Agreement, as applicable, including the adoption and implementation of Vulnerability Handling Policies (further described in the VRA and PSPRA) consistent with industry best practices.

• Optionally, and if applicable (for PIN Service Providers choosing to be included on the List of PCI PIN Service Providers), submitting the PIN AOC to PCI SSC, signed by both the QPA and PIN Service Provider.
Added p. 11
For QPAs, the Portal includes the following:

• Editable versions of the PIN reporting templates (PIN ROC and PIN AOC)

• Library of published PCI SSC Assessor Newsletters

• Recorded webinars

• QPA certificates in PDF format

• Primary Contact name, e-mail, and address

• Individual certifications (i.e., CISSP, CISA, etc.)

• Requalification training approval page for all QPA Employees

• Insurance policies with respective expiration dates

• Complete list of all QPA Employees and their requalification dates

• Addresses for all QPA training locations throughout the year

QPA Employees should check the Portal on a regular basis for new information and updates.
Added p. 12
Note: PIN Service Providers should consult with their network, acquirer, or Participating Payment Brands about their requirement for a PCI PIN Assessment.

By signing the PIN AOC, the PIN Service Provider is attesting that the information provided in the PIN AOC and accompanying PIN Report on Compliance is true and accurate. The date on the PIN AOC cannot predate the date on the PIN ROC.
Added p. 13
1. The QPA may submit the completed PIN AOC to PCI SSC via the Portal, along with the PIN Service Provider-signed VRA (unless PCI SSC already has a copy of the current version of the VRA as available on the Website executed and on file from the PIN Service Provider); or

2. The PIN Service Provider may submit the PIN AOC to PCI SSC via the Portal (see Section 4.3.2) and accept the PIN Service Provider Release Agreement in the Portal when prompted.
Added p. 13
If the submission is complete and meets all applicable requirements (as documented in the QPA Program Guide and related program materials), PCI SSC will sign and return a copy of the PIN AOC to both the PIN Service Provider and the QPA Company via the Portal, and add the PIN Service Provider details to the List of PCI PIN Service Providers. PIN Service Listings are valid for 2 years from the signature date of the QPA Acknowledgement in Part 3c of the PIN AOC.

Note: There must be consistency between the information in materials submitted via the Portal, and the “Details” fields within the Portal. Incomplete or inconsistent submissions may result in a significant delay in the processing of requests for listing and/or may not be Accepted by PCI SSC.
Added p. 14
• Company (PIN Service Provider)

• PCI PIN Standard Version

• Expiry Date

• Validated by (QPA Company)

• Reference #

5.4.4 Expired Listings

When the expiry date of a Listing has passed, the Listing Expiry Date shall appear in orange bold text for up to 90 calendar days. When the expiry date of a Listing has passed 90 calendar days, the date shall appear in red bold text to indicate the Listing was not revalidated prior to its expiry.

Note: PIN Service Providers should consider timing submissions to PCI SSC as close to completion of the relevant PCI PIN Assessment as possible in order to maximize the duration of their Listing, as the Listing will show as Expired on the Website 2 years after the date of the QPA Acknowledgement and signature in Part 3c of the PIN AOC; PCI SSC will not prorate the invoice to account for past-dated …
Added p. 14
For each PCI PIN Assessment in which the PIN Service Provider wishes to have their QPA submit the AOC for Listing on the List of PCI PIN Service Providers, along with any required documents and materials, the PIN Service Provider must submit to the QPA a copy of the PIN Service Provider's signed Vendor Release Agreement on the then-current VRA form. The VRA must be delivered directly to PCI SSC by the QPA, along with the corresponding PIN AOC. Where the PIN Service Provider chooses to perform its own PIN AOC submission to the Portal, the PIN Service Provider agrees to the terms of the PSPRA in the Portal.

PCI SSC will not review any submission or update thereto without the then-current, signed or accepted, correct type of Release Agreement (based on method of submission) on file for the respective PIN Service Provider.

Where a VRA is required, so long as an …
Added p. 15
There are no annual recurring PCI SSC fees associated with the Acceptance of a PCI PIN Listing submission. Refer to the Programs Fee Schedule on the Website for more information. Program fees are non-refundable and are subject to change upon posting of revised fees on the Website.

(e.g., screenshots, configuration settings) that were created and/or obtained during the PCI PIN Assessment. This information must be available upon request by PCI SSC and its affiliates. The QPA Company must also provide a copy of the evidence-retention policy and procedures to PCI SSC upon request.

Note: The PIN Service Provider pays all PCI PIN Assessment-related fees directly to the QPA Company (these fees are negotiated between the PIN Service Provider and the QPA Company).
Added p. 16
Note: PCI SSC does not issue an official PCI seal, mark, or logo that companies are permitted to use when they achieve PCI PIN compliance. The PCI Security Standards Council logo is a registered trademark and may not be used without authorization. You may not use or encourage or enable others to use the phrases or marks: PCI Compliant, PCI Certified, PCI PIN Compliant, PCI PIN Certified, or PCI with a check mark, or any other mark or logo that states or implies compliance or conformance with any of the PCI SSC Standards.

(for example, "trading as" or Doing Business As (DBA) scenarios), please contact the QPA Program Manager for the Assessor Name Change Request Form.

and does not contradict the PCI SSC Code of Professional Responsibility.
Added p. 19
Figure 1 shows the Eight Guiding Principles.

Figure 1: Eight Guiding Principles

PCI SSC reviews Assessor work product and stakeholder feedback with the expectation that the Assessor:

• Has followed the requirements of the applicable PCI SSC Program as documented in applicable Program documentation (for example, Qualification Requirements, Program Guides, agreements, etc.), and

• Has acted in the best interests of the PIN Service Provider in an ethical manner that results in factual, documented, and defendable opinions.

Program participants must keep up with PCI SSC updates (including but not limited to updates to the QPA Qualification Requirements and QPA Program Guide, monthly PCI SSC Assessor Newsletter articles, published FAQs on the Website, and content from relevant PCI SSC webinars).

The Four Cs are useful measurements to evaluate the strength and quality of the Assessor’s approach and/or conclusions and can help the Assessor ensure that work can be defended in a meaningful way.
Removed p. 4
PCI PIN Attestation of Compliance (PIN AOC): A form for Customers to attest to the results of a PCI PIN Assessment, as documented in the PIN Report on Compliance.

QPA Feedback Form: Gives the Customer an opportunity to offer feedback regarding the QPA and the PCI PIN Assessment process. https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_PIN_assessors_feedback

3 Updates to Documents and Security Requirements

This Program Guide is expected to change as necessary to align with updates to the PCI PIN Standard and other PCI SSC Standards. Additionally, PCI SSC provides interim updates to the PCI community through a variety of means, including required QPA Employee training, e-mail bulletins and newsletters, frequently asked questions, and other communication methods.
Modified p. 4 → 6
(Document name: Description) Payment Card Industry PCI PIN Security Requirements and Testing Procedures (PCI PIN Standard): Lists the specific technical and operational security requirements and provides the assessment procedures used by assessors to validate PCI PIN compliance.
Table 2: Related Publications (Document name: Description) Payment Card Industry PCI PIN Security Requirements and Testing Procedures (PCI PIN Standard): The specific technical and operational security requirements and assessment procedures used by QPA Companies and QPA Employees to validate compliance with the PCI PIN Standard
Modified p. 4 → 6
PCI SSC Programs Fee Schedule: Lists the current fees for specific qualifications, tests, retests, training, and other services.
PCI SSC Programs Fee Schedule: Available on the Website, lists the current fees for specific qualifications, tests, retests, training, and other services
Modified p. 4 → 6
PCI Qualification Requirements for Qualified PIN Assessors (QPAs): Defines the baseline set of requirements that must be met by a QPA Company and QPA Employees to perform their respective roles in connection with PCI PIN Assessments.
PCI Qualified PIN Assessor (QPA) Qualification Requirements: Defines the baseline set of requirements that must be met by a QPA Company and QPA Employees to perform their respective roles in connection with PCI PIN Assessments
Modified p. 4 → 6
PCI PIN Template for Report on Compliance (PIN ROC): Provides detail on how to document the findings of a PCI PIN Assessment and includes the mandatory template for use in completing a Report on Compliance.
PCI PIN Template for Report on Compliance (PIN ROC): Provides detail on how to document the findings of a PCI PIN Assessment and includes the mandatory template for use in completing a Report on Compliance
Removed p. 5
(Term: Definition / Source / Document Reference)

Customer: See Section 5.4 below.

Good Standing: Refer to QPA Agreement.

Primary Contact: Refer to QPA Agreement.

QPA Agreement: The then-current version of (or successor document to) the Qualified PIN Assessor Agreement attached as Appendix A to the PCI PIN Assessor Qualification Requirements.

QPA Company: A company that has been qualified, and continues to be qualified, by PCI SSC to perform PCI PIN Assessments.

QPA Employee: An employee of a QPA Company who has been qualified, and continues to be qualified, by PCI SSC to perform PCI PIN Assessments.

QPA Requirements: Refer to QPA Qualification Requirements.

QPA List: The then-current list of QPA Companies published by PCI SSC on the Website.

QPA PM: QPA Program Manager; contact by e-mail: QPA@pcisecuritystandards.org.

QPA Qualification Requirements: The then-current version of (or successor documents to) the Payment Card Industry (PCI) Qualification Requirements for Qualified PIN Assessors (QPA), as from time to time amended …
Modified p. 6 → 7
• Managing compliance enforcement programs (requirements, mandates or dates for compliance validation)

• Establishing penalties and fees

• Establishing validation process requirements and who must validate

• Endorsing qualification criteria

• Responding to PIN or key-related compromises.
• Managing compliance enforcement programs (requirements, mandates or dates for compliance validation).
Modified p. 6 → 8
PCI SSC is the standards body that maintains the PCI SSC Standards and supporting programs and documentation. In relation to the QPA Program, PCI SSC:
PCI SSC is the standards body that maintains the PCI SSC Standards and supports programs and documentation. In relation to the QPA Program, PCI SSC:
Modified p. 6 → 8
As part of the quality assurance (QA) process, PCI SSC assesses whether overall QPA Company operations appear to conform to PCI SSC’s quality levels and qualification requirements. See Section 8 titled “Assessor Quality Management” for additional information.
• Assesses QPA Company compliance with PCI SSC’s quality levels and qualification requirements. See the QPA Qualification Requirements for additional information.
Removed p. 7
• Being on-site at assessed entity during the PCI PIN Assessment.
Modified p. 7 → 8
The “Primary Contact” (defined in the QPA Agreement) at the QPA Company is the liaison between PCI SSC and the QPA Company.
The “Primary Contact” (defined in the QPA Agreement) at the QPA Company is the liaison between PCI SSC and the QPA Company. See Section 4.2 for additional details.
Modified p. 7 → 8
• Adhering to the QPA Qualification Requirements and this Program Guide.
• Adhering to the QPA Qualification Requirements and this QPA Program Guide.
Modified p. 7 → 8
• Selecting employees, facilities, systems, and system components accurately representing the assessed environment if sampling is employed.
• Selecting employees, systems, and system components that accurately represent the assessed environment if sampling is employed.
Modified p. 7 → 8
• Effectively using the PCI PIN Reporting Template to produce PCI PIN Reports on Compliance. (PIN ROC)
• Effectively using the PCI PIN Reporting Template to produce PIN ROC
Modified p. 7 → 9
• Stating whether or not the assessed entity has achieved compliance with PCI PIN Standard. PCI SSC does not approve PIN ROCs from a technical perspective, but performs QA reviews on PIN ROCs to ensure that the documentation of testing procedures performed is sufficient to support the results of the PCI PIN Assessment. See Section 8, “Assessor Quality Management,” for additional information.
• Stating assessed entity compliance with PCI PIN Standard. PCI SSC does not approve PIN ROCs from a technical perspective, but performs QA reviews on PIN ROCs to ensure that the documentation of testing procedures performed is sufficient to support the results of the PCI PIN Assessment. See the QPA Qualification Requirements for additional information. See Appendix B, Eight Guiding Principles Validated by Four Criteria (Four Cs), to understand PCI SSC’s baseline for assessor quality.
Modified p. 8 → 9
• Maintaining compliance with the PCI PIN Standard at all times.
• Maintaining compliance with the PCI PIN Standard.
Modified p. 8 → 9
• Submitting required compliance materials to Participating Payment Brands, Networks and Acquiring Entities as directed.
• Submitting required compliance materials to Participating Payment Brands, Networks, and Acquiring Entities as directed.
Removed p. 9
In order to achieve qualification as a QPA Company, the candidate company and at least one of its employees must satisfy all QPA Requirements (defined in the QPA Qualification Requirements) applicable to QPA Companies and QPA Employees. All such QPA Companies are then identified on the QPA List on the Website, and all such QPA Employees are added to the Website’s search tool.

Only those QPA Companies and QPA Employees qualified by PCI SSC and included in the QPA List or Website search tool (as applicable) are recognized by PCI SSC to perform PCI PIN Assessments.
Removed p. 9
Each QPA Employee must be requalified by PCI SSC on an annual basis. The annual requalification date is based upon the QPA Employee’s previous qualification date. QPA Employee requalification requires successful completion of requalification training and payment of annual training fees.

For example, a one-year requalification for a certification with a current qualification date of 15 November 2018 will be changed to 15 November 2019 upon successful completion regardless of whether the requalification was completed on 31 October 2018 or 25 November 2018.

Note: Negative feedback from Customers, PCI SSC, Participating Payment Brands, or others may impact the QPA Company’s and/or QPA Employee’s eligibility for requalification.
Removed p. 9
• Registration for requalification training must be completed (and approved, where applicable) prior to the QPA Employee’s qualification expiration date. A candidate who is not registered prior to that expiry date must re-enroll as a new candidate.

• A two-week grace period is provided beyond the candidate’s expiry date in order to complete requalification training; however, candidates will not be qualified by PCI SSC during this time and will not be requalified until the requalification exam is successfully completed.

• Access to the course and requalification exam will be granted only after payment is processed, and candidates will have access to the exam at most four weeks prior and two weeks past their expiration date.
Removed p. 10
Each QPA Company must pay an annual QPA Company Fee in order to become and remain qualified as a QPA Company. All QPA Company Fees and QPA training fees are specified on the Website in the PCI SSC Programs Fee Schedule and are subject to change.

All fees must be paid in US dollars (USD) by check, by credit card, or by wire transfer to the PCI SSC bank account specified for such purpose on the lower half of the invoice.

The option for credit card payment is not offered on QPA Company fee invoices. However, the option can be added to the invoice upon request. A fee of 3% of the total invoice will be added for processing.
Removed p. 10
Prior to qualification as a QPA Company and annually thereafter, the QPA Company is required to provide a certificate to PCI SSC from each insurance company as evidence that all required insurance is in force for each region with respect to which it operates. The certificates must state the applicable policy numbers, dates of expiration, and limits of liability.

Insurance must cover the following (or otherwise be acceptable to PCI SSC):
Modified p. 10
The QPA Company must also provide to PCI SSC proof of bound insurance coverage for all such subcontractors to demonstrate policies are in accordance with QPA Program insurance coverage requirements (see Appendix B of the QPA Qualification Requirements).
The QPA Company must also provide PCI SSC proof of bound insurance coverage for all such subcontractors to demonstrate policies are in accordance with QPA Program insurance coverage requirements (see Appendix B of the QPA Qualification Requirements).
Modified p. 10
Note: To obtain PCI SSC's consent to the use of a given subcontractor, please contact the QPA Program Manager at QPA@pcisecuritystandards.org.
Note: To obtain PCI SSC's consent to the use of a given subcontractor, please contact the QPA Program Manager at pcipin@pcisecuritystandards.org.
Removed p. 11
• Completed Operations

• Contractual Liability Insurance

• Commercial Automobile Insurance ($1,000,000 minimum limit)

• Crime/Fidelity Bond, both first and third party ($1,000,000 minimum for each loss and annual aggregate)

• Technology Errors and Omissions, Cyber-Risk, and Privacy Liability Insurance ($2,000,000 minimum for each loss and annual aggregate)

6.3 QPA Continuing Professional Education (CPE)

To remain in Good Standing, all QPA Employees must provide proof of information systems security training within the last 12 months of the requalification date in accordance with the current version of the PCI SSC CPE Maintenance Guide.

A QPA employee must also earn a minimum of 20 CPE credits per year and a minimum of 120 CPE credits per rolling three-year period.

Link to Portal: https://programs.pcissc.org/

The Portal includes the following information:
Modified p. 11 → 10
Notices from PCI SSC to the designated Primary Contact may be communicated via the Portal, e- mail, registered mail or any other method permitted by the QPA Agreement.
Notices from PCI SSC to the Primary Contact may be communicated via the Portal, e-mail, registered mail, or any other method permitted by the QPA Agreement.
Removed p. 12
• Employee CPE approval page

• Requalification training approval page for all QPA Employees

• Insurance policies with respective expiration dates

• Complete list of all QPA Employees and their expiration dates

• Addresses for all QPA training locations throughout the year

Check the Portal on a regular basis for new information and updates.
Modified p. 12 → 11
• entry page with expiration date, if applicable. Along with the items noted above, the Primary Contact has access to:
• entry page with expiration date, if applicable. • View PIN AOC submissions submitted by the QPA Company, and PIN AOC submissions submitted by PIN Service Providers for which the QPA Company performed the Assessment. Along with the items noted above, the QPA Primary Contact has access to:
Removed p. 13
By signing the PIN AOC, the assessed entity is attesting that the information provided in the PIN AOC and accompanying PIN Report on Compliance is true and accurate. The date on the PIN AOC cannot predate the ROC.

Note: Customers should consult with their network, acquirer or Participating Payment Brands about their requirement for a PCI PIN Assessment.
Modified p. 13 → 12
PCI PIN Assessments are required to be conducted by a QPA Company through its QPA Employees, if applicable, in accordance with the PCI PIN Standard, which contains requirements, testing procedures, and guidance to ensure that the intent of each requirement is understood.
PCI PIN Assessments are required to be conducted by a QPA Company through its QPA Employees, if applicable, in accordance with the PCI PIN Standard, which contains requirements, testing procedures, and guidance to ensure that the intent of each requirement is understood. Each QPA Employee must work only on those PCI SSC Assessments for which the QPA Employee is qualified by PCI SSC, has appropriate skills, including technology and language, and has an appropriate understanding of the PIN Service Provider’s …
Modified p. 13 → 12
The QPA Employee will document in the PIN ROC the results of the PCI PIN Assessment, including which portions of the PCI PIN Assessment were conducted onsite. The ROC must accurately represent the assessed environment and the security controls evaluated by the QPA Employee.
The QPA Employee will document the results of the PCI PIN Assessment in the PIN ROC, including which portions of the PCI PIN Assessment were conducted onsite. The ROC must accurately represent the assessed environment, and the security controls tested and validated by the QPA Employee.
Removed p. 14
If a Customer refuses to provide the QPA Company with the documentary evidence (for example, because it contains information that is sensitive or confidential to the Customer), the QPA Company and the Customer should work together to ensure that the evidence is retained securely at the Customer site and as required by the QPA Qualification Requirements, including being made available upon request by PCI SSC for a minimum of three (3) years from the date of PIN ROC completion. It is recommended that the QPA Company and the Customer have a formal agreement that outlines each party’s responsibilities in this matter, which agreement must be consistent with and comply with the disclosure requirements specified in the QPA Agreement.

Even if the actual, documented evidence is to be retained by the Customer, the QPA Company must keep records to identify the specific evidence that was used during the PCI PIN Assessment (for example, digital and/or …
Modified p. 14 → 15
For details on what the QPA Company’s Evidence Retention Policy must include, please see Section 4.5 of the QPA Qualification Requirements document available on the Website.
For additional details on what the QPA Company’s Evidence Retention Policy must include, see Section 4.5 of the QPA Qualification Requirements document, available on the Website.
Removed p. 15
A QPA Audit by the PCI SSC AQM team will result in a finding of:

• Satisfactory

• A notification letter will be sent with specific opportunities for improvement listed. Mandatory call with AQM team to discuss.

A “Satisfactory” finding indicates that the audit findings reasonably confirmed (1) the QPA Company/Employee’s ongoing adherence to the current QPA Qualification Requirements; (2) that the QPA Company’s quality policy documentation is implemented and maintained according to the QPA Qualification Requirements; and (3) the QPA Company/Employee’s ongoing general adherence to reporting requirements as evidenced by sampled PIN ROCs.

• Needs Improvement

• A notification letter will be sent with specific opportunities for improvement listed. Mandatory call with AQM team to discuss.

A “Needs Improvement” finding indicates that there were minor findings and/or opportunities for improvement identified that assessors should address to ensure continued adherence with program documentation. Still, the audit findings reasonably confirmed (1) the QPA Company/Employee’s ongoing adherence to …
Removed p. 16
PCI SSC has adopted a PCI SSC Code of Professional Responsibility (the “Code,” available on the Website) to help ensure that PCI SSC-qualified companies and individuals adhere to high standards of ethical and professional conduct. All PCI SSC-qualified companies and individuals must advocate, adhere to, and support the Code.

QPA Companies and QPA Employees are prohibited from performing PCI PIN Assessments of entities that they control or are controlled by, and entities with which they are under common control or in which they hold any investment.

QPA Companies and QPA Employees must not enter into any contract that guarantees a compliant PIN ROC.

QPA Companies must fully disclose in the PIN Report on Compliance if they assess Customers who use any security-related devices or security-related applications that have been developed or manufactured by the QPA Company, or to which the QPA Company owns the rights, or that the QPA Company has configured or …
Removed p. 16
Any Participating Payment Brand, acquiring bank, or other person or entity may submit QPA Feedback Forms to PCI SSC to provide feedback on a PCI PIN Assessment, QPA Company, or QPA Employee.

Link to Feedback Form: https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_PIN_assessors_feedback

Note: QPA Employees are permitted to be employed by only one QPA Company at any given time.
Removed p. 17
• Remediation overview call and signed Remediation Agreement.

• Remediation Period of at least 120 days.

• QPA Company listing on the QPA List updated to “red” to notify merchants/service providers.

• An AQM case manager assigned to the QPA Company to offer support as it works to bring its quality level to the expected baseline standard of quality.

• The expectation of strong commitment from the QPA Company to achieve successful completion.

• Fees for review of work.
Removed p. 17
• Failure to perform PCI PIN Assessments in accordance with the PCI PIN Standard.

• Violation of any provision regarding non-disclosure of confidential materials.

• Failure to maintain at least one certified QPA Employee on staff.

• Failure to maintain physical, electronic, and procedural safeguards to protect the confidential and sensitive information.

• Unprofessional or unethical business conduct.

• Failure to successfully complete any required PCI SSC training.

• Cheating on any PCI SSC training exam.

Upon notification of pending QPA Company Revocation by PCI SSC, the QPA Company, or QPA Employee will have 30 days in which to appeal the ruling in writing to PCI SSC.

Revocation will result in removal of the QPA Company or QPA Employee from the QPA List or search engine, as applicable.

In the event of QPA Company Revocation, the QPA Company must immediately cease all advertising of its QPA Company qualification. It must also immediately cease soliciting for and performing all pending …
Modified p. 18 → 16
1. If the new company is not an active QPA Company, the QPA Employee’s qualification will be inactive until employed by an active QPA Company. Inactive status does not suspend or modify requalification deadlines. A QPA Employee cannot requalify while its employer is not an active QPA Company.
1. If the new company is not an active QPA Company, the QPA Employee’s qualification will be inactive until employed by an active QPA Company. Inactive status does not suspend or modify requalification deadlines. A QPA Employee cannot requalify while their employer is not an active QPA Company.
Modified p. 18 → 16
2. If the QPA Employee moves to an active QPA Company and is to be utilized by that QPA Company as a QPA Employee, the Primary Contact of the new QPA Company must notify the QPA Program Manager of the transfer. The QPA Employee must be listed under the new company on the PCI Website prior to participating in any PCI PIN Assessment. The following information should be supplied to the QPA Program Manager:
2. If the QPA Employee moves to an active QPA Company and is to be utilized by that QPA Company as a QPA Employee, the Primary Contact of the new QPA Company must notify the QPA Program Manager of the transfer. The QPA Employee must be listed under the new company on the PCI Website prior to participating in any PCI PIN Assessment. The following information must be provided to the QPA Program Manager: