Document Comparison

Card_Production_Security__Assessor_(CPSA)_Qualification_Requirements__v1.0_Apr__2019.pdf → CPSA_Qualification_Requirements_v1.2.pdf
87% similar
59 → 61 Pages
23824 → 24414 Words
166 Content Changes

Content Changes

166 content changes. 71 administrative changes (dates, page numbers) hidden.

Added p. 2
March 2022 1.1
• Added requirement for CPSAs to have appropriate skills for assessments
• Added requirement that CPSAs must be trained on the version of the standard they are using
• Added requirement for periodic checks on QA process
• Added requirement that QA staff at CPSA Company is a CPSA or has CPSA Informational Training
• Removed requirements on the CPSA Legacy program
• Performed minor clarifications in language throughout

March 2024 1.2
• Added requirement for annual QA Questionnaire in section 6.2
• Changed "Information Training" references to "Knowledge Training" throughout
Added p. 5
Assessor Portal (Portal): Web-based application made available to PCI SSC-qualified assessors to access PCI SSC program documentation and forms.

CPSA Annual QA Questionnaire: The then-current version of the CPSA Annual QA Questionnaire form available on the Portal.

Card Production Security Requirements: The set of security requirements as documented in the then-current Payment Card Industry (PCI) Card Production and Provisioning Logical Security Requirements and Payment Card Industry (PCI) Card Production and Provisioning Physical Security Requirements.

• Payment Card Industry (PCI) Card Production and Provisioning Logical Security Requirements
• Payment Card Industry (PCI) Card Production and Provisioning Physical Security Requirements
• Payment Card Industry (PCI) Card Production Security Assessors (CPSA) Program Guide
Added p. 19
• All quality-assurance reviews must be conducted by personnel that are either CPSA Employees or other personnel that have completed CPSA Knowledge Training. CPSA Knowledge Training must be completed initially and after every major update in the Card Production Security Requirements prior to reviewing submissions under the new release.

• Upon request by PCI SSC, the CPSA Company must annually complete the CPSA Annual QA Questionnaire in the Portal for PCI SSC quality monitoring purposes.

− Protection of systems storing customer data by network and application layer controls including technologies such as firewall(s) and IDS/IPS
− Restricting access (e.g., via locks) to the physical office space
− Restricting access (e.g., via locked file cabinets) to paper files
− Restricting logical access to electronic files via least-privilege/role-based access control
− Strong encryption of customer data when transmitted over public networks
− Secure transport and storage of backup media
− Strong encryption of customer data on portable devices
…
Added p. 23
Only those CPSA Companies and CPSA Employees on the CPSA List are recognized by PCI SSC to perform or support PCI Card Production Assessments. Each CPSA Company must ensure that each of its CPSA Employees only works on those PCI SSC program assessments for which the CPSA Employee is properly qualified by PCI SSC, having appropriate skills, including technology and language, and having an appropriate understanding of the client's business.

A CPSA Employee must requalify on an annual basis by their requalification date for each CPSA program with which they have certification. In order to requalify:

(a) Complete at least three (3) Logical PCI Card Production Assessments for different facilities over the previous one-year period and complete PCI SSC computer-based CPSA Logical training course/exam
(b) Successfully complete PCI SSC instructor-led CPSA Logical training course and exam.

(a) Complete at least three (3) Physical PCI Card Production Assessments for different facilities over the previous …
Added p. 24
Note: CPSA Employees that do not complete the required number of assessments must register and complete the PCI SSC CPSA Instructor-led training and exam prior to their requalification date to remain listed as an active assessor. PCI SSC CPSA Instructor-led training is subject to availability.
Added p. 25
The AQM team will review the completed CPSA Annual QA Questionnaire to monitor the CPSA Company’s on-going adherence to program requirements and provide relevant feedback in the Portal.
Added p. 26
• Failure to meet applicable CPSA Program quality standards or comply with applicable CPSA Requirements
• Failure to pay applicable CPSA Program fees
• Failure to meet applicable CPSA Program training requirements (annual or otherwise)
• Failure to provide quality services, based on customer feedback or evaluation by PCI SSC or its affiliates
• Failure to maintain applicable CPSA Program insurance requirements
• Failure to timely submit the CPSA Annual QA Questionnaire to PCI SSC in the Portal
• Failure to comply with or validate compliance in accordance with applicable CPSA Requirements, PCI Card Production Security Requirements or program guides, or the terms of the CPSA Agreement.
Added p. 53
Internal Quality Assurance

4.3.2 Provisions
• The Company acknowledges and agrees that all quality-assurance reviews must be conducted by personnel qualified by PCI SSC as CPSA Employees or who have completed CPSA Knowledge Training.

The Company understands and agrees that it must annually provide to PCI SSC the completed CPSA Annual QA Questionnaire in the Portal upon request by PCI SSC.
Removed p. 4
• The PCI Card Production and Provisioning Physical Security Requirements (“PCI Card Production Physical Security Standard”) addresses the physical security controls associating with card production activities such as:
Modified p. 4
The PCI Card Production and Provisioning Logical Security Requirements (“PCI Card Production Logical Security Standard”) addresses the logical security controls associated with card production and provisioning such as:
The PCI Card Production and Provisioning Logical Security Requirements (“PCI Card Production Logical Security Requirements”) addresses the logical security controls associated with card production and provisioning such as:
Modified p. 4
− EMV data preparation − Pre-personalization − Card embossing − IC and magnetic-stripe personalization − PIN generation − PIN mailers − Card carriers − Distribution
− EMV data preparation − Pre-personalization − Card embossing − IC and magnetic-stripe personalization − PIN generation − PIN mailers − Card carriers − Distribution
• The PCI Card Production and Provisioning Physical Security Requirements ("PCI Card Production Physical Security Requirements") addresses the physical security controls associated with card production activities such as:
Modified p. 4
The PCI Card Production Logical Security Standard and PCI Card Production Physical Security Standard are maintained by PCI SSC and available through the Website.
The PCI Card Production Logical Security Requirements and PCI Card Production Physical Security Requirements are maintained by PCI SSC and available through the Website.
Modified p. 5
Card Production Entity A company that performs card production and provisioning activities such as card manufacturing, chip imbedding, data preparation, pre- personalization, card embossing, integrated chip (IC) and magnetic- stripe personalization, PIN generation, PIN mailers, card carriers, and distribution.
Card Production Entity A company that performs card production and provisioning activities such as card manufacturing, chip imbedding, data preparation, pre- personalization, card embossing, integrated chip (IC) and magnetic- stripe personalization, PIN generation, PIN mailers, card carriers, and distribution.
Modified p. 5
Card Production Security Assessor (CPSA) Employee An individual who is employed by a CPSA Company and satisfies and continues to satisfy all CPSA Requirements applicable to CPSA Employees. Card Production Security Assessor Employees may be qualified by PCI SSC to assess compliance against the PCI Card Production Logical Security Standard, the PCI Card Production Physical Standard, or both.
Card Production Security Assessor (CPSA) Employee An employee of a CPSA Company who has been qualified, and continues to be qualified, by PCI SSC to perform PCI Card Production Assessments.
Modified p. 5
Card Production Security Assessor (CPSA) Program The program operated by PCI SSC in connection with which companies and their employees may achieve qualification by PCI SSC for purposes of performing assessments of compliance with the PCI Card Production Logical Security Standard and/or the PCI Card Production Physical Security Standard for purposes of such program, as further described herein and in the CPSA Program Guide.
Card Production Security Assessor (CPSA) Program The program operated by PCI SSC in connection with which companies and their employees may achieve qualification by PCI SSC for purposes of performing assessments of compliance with the PCI Card Production Logical Security Requirements and/or the PCI Card Production Physical Security Requirements for purposes of such program, as further described herein and in the CPSA Program Guide.
Modified p. 6
CPSA Requirements With respect to a given CPSA Company or CPSA Employee, the applicable requirements and obligations thereof pursuant to the CPSA Qualification Requirements, the CPSA Program Guide, the CPSA Agreement, each addendum, supplement, or other agreement or attestation entered into between such CPSA Company or CPSA Employee and PCI SSC, and any and all other policies, procedures, requirements, validation or qualification requirements, or obligations imposed, mandated, provided for or otherwise established by PCI SSC from time to time in …
CPSA Requirements With respect to a given CPSA Company or CPSA Employee, the applicable requirements and obligations thereof pursuant to the CPSA Qualification Requirements, the CPSA Program Guide, the CPSA Agreement, each addendum, supplement, or other agreement or attestation entered into between such CPSA Company or CPSA Employee and PCI SSC, and any and all other policies, procedures, requirements, validation or qualification requirements, or obligations imposed, mandated, provided for, or otherwise established by PCI SSC from time to time in …
Modified p. 6
Logical PCI Card Production Assessment Assessment of a Card Production Entity to validate compliance with the PCI Card Production Logical Security Standard for CPSA Program purposes.
Logical PCI Card Production Assessment Assessment of a Card Production Entity to validate compliance with the PCI Card Production Logical Security Requirements for CPSA Program purposes.
Modified p. 6
PCI Card Production Standards The then-current versions of (or successor documents to) the PCI Card Production Logical Security Standard and the PCI Card Production Physical Security Standard, as from time to time amended and made available on the Website.
PCI Card Production Security Requirements The then-current versions of (or successor documents to) the PCI Card Production Logical Security Requirements and the PCI Card Production Physical Security Requirements, as from time to time amended and made available on the Website.
Modified p. 6
Physical PCI Card Production Assessment Assessment of a Card Production Entity to validate compliance with the PCI Card Production Physical Security Standard for CPSA Program purposes.
Physical PCI Card Production Assessment Assessment of a Card Production Entity to validate compliance with the PCI Card Production Physical Security Requirements for CPSA Program purposes.
Removed p. 7
• Payment Card Industry (PCI) Card Production and Provisioning Logical Security Requirements

• Payment Card Industry (PCI) Card Production and Provisioning Physical Security Requirements
Modified p. 7 → 9
All company applications must include a signed CPSA Agreement (Appendix A) and a completed and signed application form for each candidate CPSA Employee (in accordance with Section 3.2.2 below), which can be found in Appendices D and E. The CPSA Agreement is binding in English even QSA Companies in Good Standing are deemed to satisfy many (but not all) of the CPSA Company requirements as indicated on the CPSA Company Application (Appendix C).
All company applications must include a signed CPSA Agreement (Appendix A) and a completed and signed application form for each candidate CPSA Employee (in accordance with Section 3.2.2 below), which can be found in Appendices D and E. The CPSA Agreement is binding in English even if the CPSA Agreement was translated and reviewed in another language. All other documentation provided by the CPSA Company (or candidate) in a language other than English must be accompanied by a certified English …
Modified p. 8 → 9
Important Note: PCI SSC reserves the right to reject any application from any applicant (company or employee) that PCI SSC determines has committed, within two (2) years prior to the application date, any conduct that would have been considered a “Violation” for purposes of the CPSA Qualification Requirements or CPSA Agreement if committed by a CPSA Company or CPSA Employee. The period of ineligibility will be a minimum of one (1) year, as determined by PCI SSC in a reasonable …
Important Note: PCI SSC reserves the right to reject any application from any applicant (company or employee) that PCI SSC determines has committed, within three (3) years prior to the application date, any conduct that would have been considered a “Violation” for purposes of the CPSA Qualification Requirements or CPSA Agreement if committed by a CPSA Company or CPSA Employee. The period of ineligibility will be a minimum of one (1) year, as determined by PCI SSC in a reasonable …
Removed p. 9
• To the extent permitted by applicable law, written statements describing all past or present allegations or convictions of any fraudulent or criminal activity involving the CPSA Company, CPSA Company candidate or any principal thereof, and any CPSA Employee or CPSA Company candidate thereof, and the status and resolution
Modified p. 9 → 10
Copy of current CPSA Company (or candidate CPSA Company) formation document or equivalent approved by PCI SSC (the “Business License”), including year of incorporation, and list of location(s) of offices (Refer to PCI Business License Requirements in the Documents Library on the Website for more information.)
Copy of current CPSA Company (or candidate CPSA Company) formation document or equivalent approved by PCI SSC (the "Business License"), including year of incorporation and list of location(s) of offices (Refer to PCI Business License Requirements in the Documents Library on the Website for more information.)
• To the extent permitted by applicable law, written statements describing all past or present allegations or convictions of any fraudulent or criminal activity involving the CPSA Company, CPSA Company candidate or any …
Modified p. 9 → 10
Written statements describing any past or present appeals or revocations of any qualification issued by PCI SSC to the CPSA Company (or any predecessor entity or, unless prohibited by applicable law, any CPSA Employee of any of the foregoing), and the current status and any resolution thereof
2.2 Independence
2.2.1 Requirement
The CPSA Company must adhere to professional and business ethics, perform its duties with objectivity, and limit sources of influence that might compromise its independent judgment in performing …
Written statements describing any past or present appeals or revocations of any qualification issued by PCI SSC to the CPSA Company (or any predecessor entity or, unless prohibited by applicable law, any CPSA Employee of any of the foregoing), and the current status and any resolution thereof.
Modified p. 9 → 10
The CPSA Company will not undertake to perform any PCI Card Production Assessment of any entity that it controls, is controlled by, is under common control with, or in which it holds any investment.
The CPSA Company will not undertake to perform any PCI Card Production Assessment of any entity that it controls, is controlled by, is under common control with, or in which it holds any investment.
Removed p. 10
• The CPSA Company must not (and will not) have offered, been offered, been provided, or have accepted any gift, gratuity, service, or other inducement to any employee of PCI SSC or to any customer, in order to enter into the CPSA Agreement or any agreement with a customer, or to provide CPSA Company-related services.

• The CPSA Company must not recommend products or solutions for remediating findings but can make Card Production Entities aware of solutions that exist.
Modified p. 10 → 11
The CPSA Company must fully disclose in the Card Production ROC if it assesses any customer that uses any security-related device, application, product or solution that is developed, manufactured, sold, resold, licensed, or otherwise made available to the applicable customer by the CPSA Company, or to which the CPSA Company owns the rights, or that the CPSA Company has configured or manages, including but not limited to the following:
The CPSA Company must fully disclose in the Card Production ROC if it assesses any customer that uses any security-related device, application, product, or solution that is developed, manufactured, sold, resold, licensed, or otherwise made available to the applicable customer by the CPSA Company, or to which the CPSA Company owns the rights, or that the CPSA Company has configured or manages, including but not limited to the following:
Modified p. 10 → 11
− Application or network firewalls − Intrusion detection/prevention systems − Database or other storage solutions − Encryption solutions − Security audit log solutions − File integrity monitoring solutions − Anti-virus solutions − Vulnerability scanning services or solutions − EMV Data Preparation Solutions − Personalization Equipment
− Application or network firewalls − Intrusion detection/prevention systems − Database or other storage solutions − Encryption solutions − Security audit log solutions − File integrity monitoring solutions − Anti-virus solutions − Vulnerability scanning services or solutions − EMV Data Preparation Solutions − Personalization Equipment
• The CPSA Company must not recommend products or solutions for remediating findings but can make Card Production Entities aware of solutions that exist.
Modified p. 10 → 11
The CPSA Company must enforce separation of duties to ensure CPSA Employees conducting PCI Card Production Assessments are not subject to any conflict of interest.
The CPSA Company must enforce separation of duties to ensure CPSA Employees conducting PCI Card Production Assessments are not subject to any conflict of interest.
Modified p. 10 → 11
The CPSA Company will not use its status as a “listed CPSA Company” to market services unnecessary to bring CPSA Company clients into compliance with the PCI Card Production.
The CPSA Company will not use its status as a “listed CPSA Company” to market services unnecessary to bring CPSA Company clients into compliance with the PCI Card Production.
Modified p. 10 → 11
The CPSA Company must not misrepresent any requirement of the PCI Card Production Standards in connection with its promotion or sales of services to its clients, or state or imply that the PCI Card Production Standards require usage of the CPSA Company's products or services.
The CPSA Company must not misrepresent any requirement of the PCI Card Production Security Requirements in connection with its promotion or sales of services to its clients, or state or imply that the PCI Card Production Security Requirements require usage of the CPSA Company's products or services.
Modified p. 10 → 11
The CPSA Company must notify its CPSA Employees of the independence requirements provided for in this document, as well as CPSA Company’s independence policy, at least annually.
The CPSA Company must notify its CPSA Employees of the independence requirements provided for in this document, as well as CPSA Company’s independence policy, at least annually.
Removed p. 11
• Annual training fee for each CPSA Employee (or candidate)
Modified p. 11 → 12
Annual CPSA Company re-qualification fees for subsequent years
• CPSA Company fees
• Annual CPSA Company requalification fees for subsequent years
• Annual training fee for each CPSA Employee (or candidate)
Removed p. 12
• Description of the applicant CPSA Company’s relevant areas of specialization within information security⎯for example, network security, database and application security, and incident response⎯demonstrating at least one area of specialization

• Evidence of a dedicated security practice, such as:

• Brief description of other core business offerings

• List of languages supported by the applicant CPSA Company

• Two client references from security engagements performed by the applicant CPSA Company within the last 12 months
Modified p. 12 → 13
Description of the applicant CPSA Company’s experience and knowledge with information security audit engagements, preferably related to payment systems, equal to at least one year or three separate audits
Description of the applicant CPSA Company's experience and knowledge with information security audit engagements, preferably related to payment systems, equal to at least one year or three separate audits
• Description of the applicant CPSA Company's relevant areas of specialization within information security (for example, network security, database and application security, and incident response) demonstrating at least one area of specialization
• Evidence of a dedicated security practice, such as:
Modified p. 12 → 13
− The total number of employees on staff and the number of those performing security assessments
− The total number of employees on staff and the number of those performing security assessments
• Brief description of other core business offerings
• List of languages supported by the applicant CPSA Company
• Two client references from security engagements performed by the applicant CPSA Company within the last 12 months
Removed p. 13
• Possess a minimum of five years of experience in network security and systems security. A working knowledge of application security is highly recommended.
Modified p. 13 → 14
• Logical Controls or a Card Production Security Assessor
• Logical Controls, or a Card Production Security Assessor
Modified p. 13 → 14
• Logical Controls is qualified by PCI SSC to conduct assessments against the PCI Card Production Logical Security Standard, and a Card Production Security Assessor
• Logical Controls is qualified by PCI SSC to conduct assessments against the PCI Card Production Logical Security Requirements, and a Card Production Security Assessor
Modified p. 13 → 14
• Physical Controls is qualified by PCI SSC to conduct assessment against the PCI Card Production Physical Security Standard. A CPSA Employee may qualify for either or both categories. CPSA Employees (for both Logical Controls and Physical Controls) are responsible for the following:
• Physical Controls is qualified by PCI SSC to conduct assessment against the PCI Card Production Physical Security Requirements. A CPSA Employee may qualify for either or both categories. CPSA Employees (for both Logical Controls and Physical Controls) are responsible for the following:
Modified p. 13 → 14
Performing Logical or Physical (as applicable) PCI Card Production Assessments.
Performing Logical or Physical (as applicable) PCI Card Production Assessments.
Modified p. 13 → 14
Verifying the work product addresses all PCI Card Production Assessment procedure steps and supports the validation status of the Card Production Entity.
Verifying the work product addresses all PCI Card Production Assessment procedure steps and supports the validation status of the Card Production Entity.
Modified p. 13 → 14
Strictly following the PCI Card Production and Provisioning Security Requirements (both Logical and Physical).
Strictly following the PCI Card Production and Provisioning Security Requirements (both Logical and Physical).
Modified p. 13 → 14
Producing the final Card Production ROC and Card Production Attestation of Compliance (AOC).
Producing the final Card Production Report on Compliance (ROC) and Card Production Attestation of Compliance (AOC).
Modified p. 13 → 14
Pass background checks required per Section 4.2.
Pass background checks required per Section 4.2.
Modified p. 13 → 14
Possess a minimum of five years of experience in Cryptography and/or Key Management which includes:
Possess a minimum of five years of experience in Cryptography and/or Key Management which includes:
Modified p. 13 → 14
− Cryptographic techniques including cryptographic algorithms, key management, and key lifecycle − Knowledge of industry standards for cryptographic techniques and key management, including but not limited to ISO 11568 and 13491, ANSI X9.24 and X9.97, and FIPS 140-2 − Public key infrastructure (PKI) and the role and operations of a Certification Authority (CA) and Registration Authority (RA) − Hardware security modules (HSMs) operations, policies, and procedures − Physical security techniques for high-security areas − Key-loading devices (KLDs) and key-management methods, …
− Cryptographic techniques including cryptographic algorithms, key management, and key lifecycle − Knowledge of industry standards for cryptographic techniques and key management, including but not limited to ISO 11568 and 13491, ANSI X9.24 and X9.97, and FIPS 140-2 − Public key infrastructure (PKI) and the role and operations of a Certification Authority (CA) and Registration Authority (RA) − Hardware security modules (HSMs) operations, policies, and procedures − Physical security techniques for high-security areas − Key-loading devices (KLDs) and key-management methods, …
Modified p. 13 → 14
Possess at least five years of experience in IT auditing or security assessments.
Possess at least five years of experience in IT auditing or security assessments.
Removed p. 14
• Possess at least one of the following accredited, industry-recognized professional certifications from each list:

• Be an employee of the CPSA Company.
Modified p. 14 → 15
Pass background checks required per Section 4.2.
Pass background checks required per Section 4.2.
Modified p. 14 → 15
• IRCA ISMS Auditor or higher (e.g., Auditor/Lead Auditor, Principal Auditor)
• IRCA ISMS Auditor or higher e.g., Auditor/Lead Auditor, Principal Auditor
Modified p. 14 → 15
• IIA Certified Internal Auditor (CIA)
• IIA Certified Internal Auditor (CIA)
• Be an employee of the CPSA Company.
Modified p. 14 → 15
Possess a minimum of four years of work experience in physical security or have a current Physical Security Professional (PSP) or Certified Protection Professional (CPP) certification with two years of work experience in physical security.
Possess a minimum of four years of work experience in physical security or have a current Physical Security Professional (PSP) or Certified Protection Professional (CPP) certification with two years of work experience in physical security.
Modified p. 14 → 15
Possess a minimum of four years of experience in physical security Audits or have a current certification from List B (see 3.2.1.1 above) with three years of experience in physical security audits.
Possess a minimum of four years of experience in physical security audits or have a current certification from List B (see 3.2.1.1 above) with three years of experience in physical security audits.
Removed p. 15
• Possess a minimum of three years of experience in system security. System security refers to the logical security of systems that provide or enforce physical security⎯e.g., CCTV and access-control systems.

Note: Prior to June 1, 2021, subject to completion of applicable online CPSA Program training required by PCI SSC, the requirements of Sections 3.2.1.1 and 3.2.1.2 shall not apply to any CPSA Employee (for Logical Controls or Physical Controls) candidate who, at the time of application to the CPSA Program:

• Is approved and in good standing as a Card Production Entity assessor (Logical or Physical) under any corresponding Card Production Entity assessor program conducted by Visa, Mastercard, American Express, Discover or qualifying PCI Affiliate Members (each a “Legacy Program”) as of June 1, 2019.
Modified p. 15 → 16
Be an employee of the CPSA Company.
Be an employee of the CPSA Company.
Modified p. 15 → 16
Record of years of relevant work experience and active certifications as outlined in 3.2.1 above.
Record of years of relevant work experience and active certifications as outlined in 3.2.1 above.
Modified p. 15 → 16
Résumé or Curriculum Vitae (CV) of each candidate CPSA Employee
Résumé or Curriculum Vitae (CV) of each candidate CPSA Employee.
Modified p. 15 → 16
Completion and submission of Appendix D for each candidate CPSA Employee − Logical Controls and Appendix E for each candidate CPSA Employee − Physical Controls.
Completion and submission of Appendix D for each candidate CPSA Employee − Logical Controls and Appendix E for each candidate CPSA Employee − Physical Controls.
Modified p. 15 → 16
PCI SSC has adopted a Code of Professional Responsibility (the “Code”) to help ensure that CPSA Companies and CPSA Employees adhere to high standards of ethical and professional conduct. All CPSA Companies and CPSA Employees must advocate, adhere to, and support the Code (available on the Website).
PCI SSC has adopted the PCI SSC Code of Professional Responsibility (the “Code”) to help ensure that CPSA Companies and CPSA Employees adhere to high standards of ethical and professional conduct. All CPSA Companies and CPSA Employees must advocate, adhere to, and support the Code (available on the Website).
Modified p. 16 → 17
E-mail address
4.2 Background Checks
4.2.1 Requirement
Each CPSA Company must perform background checks that satisfy the provisions described below (to the extent legally permitted within the applicable jurisdiction) with respect to each applicant CPSA Employee.
• Name
• Job title
• Address
• Phone number
• Fax number
• E-mail address
4.2 Background Checks
4.2.1 Requirements
Each CPSA Company must perform background checks that satisfy the provisions described below (to the extent legally permitted within the applicable jurisdiction) with respect to each applicant CPSA Employee.
Modified p. 16 → 17
Attestation that its policies and hiring procedures include performing background checks: Examples of background checks include previous employment history, criminal record, credit history, and reference checks.
Attestation that its policies and hiring procedures include performing background checks: Examples of background checks include previous employment history, criminal record, credit history, and reference checks.
Removed p. 17
• The CPSA Company must adhere to all CPSA Program quality assurance requirements described in this document or otherwise established by PCI SSC from time to time.
Modified p. 17 → 18
A summary description of current CPSA employee personnel background check policies and procedures, which must require and include the following:
A summary description of current CPSA employee personnel background check policies and procedures, which must require and include the following:
Modified p. 17 → 18
− Verification of aliases (when applicable) − Comprehensive country and (if applicable) state level review of records of any criminal activity such as felony (or non-US equivalent) convictions or outstanding warrants, within the past five years minimum − Annual background checks consistent with this section for each of its CPSA Employees for any change in criminal records, arrests or convictions
4.3 Quality Assurance
4.3.1 Requirements
− Verification of aliases (when applicable) − Comprehensive country and (if applicable) state level review of records of any criminal activity such as felony (or non-US equivalent) convictions or outstanding warrants, within the past five years minimum − Annual background checks consistent with this section for each of its CPSA Employees for any change in criminal records, arrests or convictions
4.3 Internal Quality Assurance
4.3.1 Requirements
• The CPSA Company must adhere to all CPSA Program quality-assurance requirements described in …
Modified p. 17 → 18
The CPSA Company must have a quality assurance (QA) program, documented in its Quality Assurance manual.
The CPSA Company must have a quality-assurance (QA) program, documented in its Quality Assurance manual.
Modified p. 17 → 18
The CPSA Company must maintain and adhere to a documented quality assurance process and manual, which includes all of the following:
The CPSA Company must maintain and adhere to a documented quality-assurance process and manual, which includes all of the following:
Modified p. 17 → 18
− Company name − A resource planning policy and process for PCI Card Production Assessments which includes: onboarding requirements for CPSA Employees, résumés and current skill sets for CPSA Employees, and a process for ongoing training, monitoring, and evaluation of CPSA Employees to ensure their skill sets stay current and relevant for PCI Card Production Security Assessments − Descriptions of all job functions and responsibilities within the CPSA Company relating to its status and obligations as a CPSA Company − …
− Company name − A resource planning policy and process for PCI Card Production Assessments which includes: onboarding requirements for CPSA Employees, résumés and current skill sets for CPSA Employees, and a process for ongoing training, monitoring, and evaluation of CPSA Employees to ensure their skill sets stay current and relevant for PCI Card Production Security Assessments − Descriptions of all job functions and responsibilities within the CPSA Company relating to its status and obligations as a CPSA Company − …
Removed p. 18
• The CPSA Company must have qualified personnel conduct a quality assurance review of assessment procedures performed, supporting documentation workpapers retained in accordance with CPSA Company’s Workpaper Retention Policy, information documented in the Card Production ROC related to the appropriate selection of system components, sampling procedures, remediation recommendations, proper use of payment definitions, consistent findings, and thorough documentation of results.

− Systems storing customer data do not reside on Internet accessible systems − Protection of systems storing customer data by network and application layer controls including technologies such as firewall(s) and IDS/IPS − Restricting access (e.g., via locks) to the physical office space
Modified p. 18 → 19
The CPSA Company should require all new CPSA Employees, who have not previously performed a PCI Card Production assessment or a Card Production Entity assessment under a Legacy Program to shadow a CPSA Employee on at least one (1) PCI Card Production Assessment prior to conducting an assessment by themselves.
The CPSA Company should require all new CPSA Employees, who have not previously performed a PCI Card Production assessment or a Card Production Entity assessment under a Legacy Program to shadow a CPSA Employee on at least one (1) PCI Card Production Assessment prior to conducting an assessment by themselves.
Modified p. 18 → 19
The CPSA Company must inform each client of the CPSA Feedback Form (available on the Website) upon commencement of each PCI Card Production Assessment.
The CPSA Company must inform each PCI Card Production Assessment client of the CPSA Feedback Form (available on the Website) upon commencement of each PCI Card Production Assessment.
Modified p. 18 → 19
PCI SSC, at its sole discretion, reserves the right to conduct audits of the CPSA Company at any time and further reserves the right to conduct site visits at the expense of the CPSA Company.
PCI SSC, at its sole discretion, reserves the right to conduct audits of the CPSA Company at any time and further reserves the right to conduct site visits at the expense of the CPSA Company.
Modified p. 18 → 19
Upon request, the CPSA Company (or applicant) must provide a complete copy of the quality assurance manual to PCI SSC.
Upon request, the CPSA Company (or applicant) must provide a complete copy of the quality-assurance manual to PCI SSC.
Modified p. 18 → 20
The CPSA Company must maintain the privacy and confidentiality of information obtained in the course of performing its duties and obligations as a CPSA Company, unless (and to the extent) disclosure is required by legal authority.
The CPSA Company must maintain the privacy and confidentiality of information obtained in the course of performing its duties and obligations as a CPSA Company, unless (and to the extent) disclosure is required by legal authority.
Modified p. 18 → 20
Physical, electronic, and procedural safeguards including:
Physical, electronic, and procedural safeguards including:
Modified p. 19 → 21
A requirement that all Assessment Results and Related Materials must be classified as confidential and handled accordingly, with detailed instructions describing how CPSA Employees are to comply with this requirement. If the classification and handling of confidential information is addressed in other confidential and sensitive data protection handling policies of the CPSA Company, this should be clearly noted within the Workpaper Retention Policy.
A requirement that all Assessment Results and Related Materials must be classified as confidential and handled accordingly, with detailed instructions describing how CPSA Employees are to comply with this requirement. If the classification and handling of confidential information is addressed in other confidential and sensitive data protection handling policies of the CPSA Company, this should be clearly noted within the Workpaper Retention Policy.
Modified p. 19 → 21
A requirement that Assessment Results and Related Materials must be retained for at least three (3) years and must include all digital and hard copy evidence created and/or obtained by or on behalf of the CPSA Company during each PCI Card Production Assessment
A requirement that Assessment Results and Related Materials must be retained for at least three (3) years and must include all digital and hard copy evidence created and/or obtained by or on behalf of the CPSA Company during each PCI Card Production Assessment, including but not limited to: documentation reviewed (policies, processes, procedures, network and dataflow diagrams), case logs, meeting agendas and notes, evidence of onsite and offsite activities (including interview notes), screenshots, config files, results of any tests …
Modified p. 20 → 21
Requirements ensuring that the CPSA Company has confirmed that all Assessment Results and Related Materials relating to a given PCI Card Production Assessment has in fact been retained in accordance with the procedures defined in the Workpaper Retention Policy, prior to releasing the final Card Production ROC or assessment report for that PCI Card Production Assessment.
Requirements ensuring that the CPSA Company has confirmed that all Assessment Results and Related Materials relating to a given PCI Card Production Assessment have been retained in accordance with the procedures defined in the Workpaper Retention Policy, prior to releasing the final Card Production ROC or assessment report for that PCI Card Production Assessment.
Modified p. 20 → 21
All Assessment Results and Related Materials must be made available to PCI SSC and/or its Affiliates upon request for a minimum of three (3) years after completion of the applicable PCI Card Production Assessment.
All Assessment Results and Related Materials must be made available to PCI SSC and/or its Affiliates upon request for a minimum of three (3) years after completion of the applicable PCI Card Production Assessment.
Modified p. 20 → 21
The CPSA Company must provide a copy of the Workpaper Retention Policy and related procedures to PCI SSC upon request, including copies of any other policies and procedures referenced within any of the foregoing documents, such as general confidential and sensitive data protection handling policies for the CPSA Company.
The CPSA Company must provide a copy of the Workpaper Retention Policy and related procedures to PCI SSC upon request, including copies of any other policies and procedures referenced within any of the foregoing documents, such as general confidential and sensitive data protection handling policies for the CPSA Company.
Modified p. 20 → 22
If a PFI investigation is required by a Participating Payment Brand, a CPSA Company or CPSA Employee shall take no action after an Incident that is reasonably likely to diminish the integrity of, or otherwise interfere with or negatively affect the ability of a PCI Forensic Investigator to perform, any “PFI Investigation” (see the PCI Forensic Investigator (PFI) Program Guide for additional details).
If a PFI Investigation (see the PCI Forensic Investigator (PFI) Program Guide on the Website for additional details) is required by a Participating Payment Brand, a CPSA Company or CPSA Employee shall take no action after an Incident that is reasonably likely to diminish the integrity of, otherwise interfere with, or negatively affect the ability of a PCI Forensic Investigator to perform such PFI Investigation.
Modified p. 21 → 22
Instructions and procedures for notifying customers of Incidents discovered during or in connection with the performance of any PCI Card Production Assessment or other CPSA Program-related services and documenting those Incidents and related information in accordance with Section 4.6.1.
Instructions and procedures for notifying customers of Incidents discovered during or in connection with the performance of any PCI Card Production Assessment or other CPSA Program-related services and documenting those Incidents and related information in accordance with Section 4.6.1.
Modified p. 21 → 22
Retention requirement for all incident-related documentation, notices, and reports, with the same protections as those noted for work-paper retention in the CPSA Company’s evidence-retention policy and procedures.
Retention requirement for all incident-related documentation, notices, and reports, with the same protections as those noted for work-paper retention in the CPSA Company’s evidence-retention policy and procedures.
Removed p. 22
Only those CPSA Companies and CPSA Employees on the CPSA List or in such search tool (as applicable) are recognized by PCI SSC to perform or support PCI Card Production Assessments.

A CPSA Employee must be re-qualified by PCI SSC on an annual basis. In order to requalify, each CPSA Employee must have either (a) completed at least three PCI Card Production Assessments for different facilities over the last one-year period or (b) successfully completed PCI SSC’s in-person, instructor-led CPSA Employee training course and exam. A combined physical and logical assessment for a specific site will count as one assessment for purposes of the preceding sentence.
Modified p. 22 → 23
Once an individual has met applicable CPSA Requirements, PCI SSC will add the CPSA Employee to the applicable CPSA Employee search tool on the Website.
Once an individual has met applicable CPSA Requirements, PCI SSC will add the CPSA Employee to the applicable CPSA Employee listing on the Website.
Modified p. 22 → 23
If, at any time, a CPSA Company and/or CPSA Employee does not meet the applicable CPSA Requirements (including without limitation, payment or documentation requirements), PCI SSC reserves the right to immediately remove the CPSA Company and/or CPSA Employee from the respective list(s) or tool(s) on the Website, regardless of Remediation or Revocation. PCI SSC will notify the CPSA Company of the removal in accordance with the CPSA Agreement, typically via registered or overnight mail and/or e-mail. Refer to Sections 6.2 …
If, at any time, a CPSA Company and/or CPSA Employee does not meet the applicable CPSA Requirements (including without limitation, payment or documentation requirements), PCI SSC reserves the right to immediately remove the CPSA Company and/or CPSA Employee from the respective list(s) on the Website, regardless of Remediation or Revocation. PCI SSC will notify the CPSA Company of the removal in accordance with the CPSA Agreement, typically via registered or overnight mail and/or e-mail. Refer to Sections 6.2 and 6.3 …
Modified p. 22 → 24
The annual re-qualification date is based upon the CPSA Employee’s previous qualification date. Re-qualification requires, proof of training successfully completed, payment of annual training and re-qualification fees, and continued compliance with applicable CPSA Requirements.
The annual requalification date is based upon the CPSA Employee’s previous qualification date. Requalification requires proof of training successfully completed, payment of annual training and requalification fees, and continued compliance with applicable CPSA Requirements.
Modified p. 22 → 24
Negative feedback from CPSA Company clients, PCI SSC, Participating Payment Brands, or others may impact CPSA Company and/or CPSA Employee eligibility for re-qualification.
Negative feedback from CPSA Company clients, PCI SSC, Participating Payment Brands, or others may impact CPSA Company and/or CPSA Employee eligibility for requalification.
Removed p. 23
• CPSA Companies − Payment of annual CPSA Company fees

− CPSA Employees without professional certifications must provide proof of information systems security training within the last 12 months in accordance with the current version of the PCI SSC CPE Maintenance Guide.
Modified p. 23 → 24
CPSA Employees − Proof that the CPSA Employee has completed at least three Card Production Assessments for different facilities over the last one-year period or has attended CPSA Instructor-led Logical or Physical training over the last one-year period.
• CPSA Companies − Payment of annual CPSA Company fees • CPSA Employees − Proof that the CPSA Employee has completed at least three PCI Card Production Assessments for different facilities over the last one-year period, for each CPSA Program Certification and completion of required PCI computer-based CPSA training and exam OR has attended CPSA Instructor-led Logical and/or Physical training over the last one-year period.
Modified p. 23 → 24
CPSA Employees without professional certifications must provide proof of information systems security training within the last 12 months in accordance with the current version of the PCI SSC CPE Maintenance Guide.
CPSA-P Employees without professional certifications must provide proof of Continuing Professional Education within the last 12 months in accordance with the current version of the PCI SSC CPE Maintenance Guide.
Modified p. 23 → 24
− Payment of annual re-qualification fees in accordance with the Website PCI SSC Programs Fee Schedule.
− Payment of annual requalification fees in accordance with the Website PCI SSC Programs Fee Schedule.
Modified p. 23 → 24
Note: PCI SSC may from time to time request that CPSA Companies and/or CPSA Employees submit additional information or materials in order to demonstrate adherence to applicable requirements or as part of the applicable qualification or re-qualification process.
Note: PCI SSC may from time to time request that CPSA Companies and/or CPSA Employees submit additional information or materials in order to demonstrate adherence to applicable requirements or as part of the applicable qualification or requalification process.
Modified p. 24 → 25
PCI SSC reserves the right to audit a CPSA Company at any time, and further reserves the right to conduct site visits, at the expense of the CPSA Company.
PCI SSC reserves the right to audit a CPSA Company at any time, and further reserves the right to conduct site visits at the expense of the CPSA Company.
Removed p. 25
• Failure to meet applicable CPSA Program quality standards or comply with applicable CPSA Requirements

• Failure to pay applicable CPSA Program fees

• Failure to meet applicable CPSA Program training requirements (annual or otherwise)

• Failure to provide quality services, based on customer feedback or evaluation by PCI SSC or its affiliates

• Failure to maintain applicable CPSA Program insurance requirements

• Failure to comply with or validate compliance in accordance with applicable CPSA Requirements, PCI Card Production Standards or program guides, or the terms of the CPSA Agreement.

• Failure to maintain physical, electronic, or procedural safeguards to protect confidential or sensitive information

• Failure to report unauthorized access to any system storing confidential or sensitive information

• Failure to comply with any provision or obligation regarding non-disclosure or use of confidential information or materials

• Providing false or intentionally incomplete or misleading information to the Council in any application or other materials

• Failure to be in …
Modified p. 25 → 26
Engaging in unprofessional or unethical business conduct, including without limitation, plagiarism or other improper use of third-party work product in Card Production ROCs.
• Failure to maintain physical, electronic, or procedural safeguards to protect confidential or sensitive information • Failure to report unauthorized access to any system storing confidential or sensitive information • Engaging in unprofessional or unethical business conduct, including without limitation, plagiarism or other improper use of third-party work product in Card Production ROCs.
Modified p. 25 → 26
Cheating on any exam in connection with CPSA Program training; submitting exam work in connection with CPSA Program training that is not the work of the individual candidate taking the exam; theft of or unauthorized access to CPSA Program exam content; use of an alternate, stand-in or proxy during any CPSA Program exam; use of any prohibited or unauthorized materials, notes or computer programs during any such exam; or providing or communicating in any way any unauthorized information to …
• Failure to comply with any provision or obligation regarding non-disclosure or use of confidential information or materials • Cheating on any exam in connection with CPSA Program training; submitting exam work in connection with CPSA Program training that is not the work of the individual candidate taking the exam; theft of or unauthorized access to CPSA Program exam content; use of an alternate, stand-in or proxy during any CPSA Program exam; use of any prohibited or unauthorized materials, notes,
Modified p. 25 → 27
Failure to promptly notify PCI SSC of any event described above that occurred within three (3) years of the CPSA Company’s or CPSA Employee’s initial qualification date Each Violation constitutes a breach of the CPSA Agreement and a failure to comply with applicable CPSA Requirements, and may result in revocation of CPSA Company and/or CPSA Employee qualification.
PCI SSC's quality-assurance, remediation, and oversight programs and initiatives as established or imposed from time to time by PCI SSC in its sole discretion • Failure to promptly notify PCI SSC of any event described above that occurred within three (3) years of the CPSA Company’s or CPSA Employee’s initial qualification date Each Violation constitutes a breach of the CPSA Agreement and a failure to comply with applicable CPSA Requirements, and may result in revocation of CPSA Company and/or CPSA …
Modified p. 26 → 27
The CPSA Company and/or CPSA Employee (as applicable) name will be removed from the CPSA List and/or search tool (as applicable).
The CPSA Company and/or CPSA Employee (as applicable) name will be removed from the CPSA List and/or search tool (as applicable).
Modified p. 26 → 27
PCI SSC may notify third parties.
PCI SSC may notify third parties.
Modified p. 26 → 27
A company and/or individual (as applicable) the Qualification of which has been revoked can reapply after 180 days; provided however, that (i) if revoked in connection with Remediation, an election not to participate in Remediation when offered, or due to failure to satisfy applicable quality assurance standards set by PCI SSC, such company and/or individual shall be ineligible to re-apply to the CPSA Program for a period of two (2) years; and (ii) acceptance of qualification applications after revocation …
A company and/or individual (as applicable) the Qualification of which has been revoked can reapply after 180 days; provided however, that (i) if revoked in connection with Remediation, an election not to participate in Remediation when offered, or due to failure to satisfy applicable quality-assurance standards set by PCI SSC, such company and/or individual shall be ineligible to re-apply to the CPSA Program for a period of two (2) years; and (ii) acceptance of qualification applications after revocation is …
Modified p. 28 → 29
CPSA acknowledges that data security practices exist within a rapidly changing environment and agrees to monitor the Website at least weekly for changes to the PCI Card Production Standards and the CPSA Qualification Requirements. CPSA will incorporate all such changes into all applicable PCI Card Production Assessments initiated on or after the effective date of such changes. CPSA acknowledges and agrees that any Card Production ROC or other required report regarding a PCI Card Production Assessment that is not conducted …
CPSA acknowledges that data security practices exist within a rapidly changing environment and agrees to monitor the Website at least weekly for changes to the PCI Card Production Security Requirements and the CPSA Qualification Requirements. CPSA will incorporate all such changes into all applicable PCI Card Production Assessments initiated on or after the effective date of such changes. CPSA acknowledges and agrees that any Card Production ROC or other required report regarding a PCI Card Production Assessment that is not …
Modified p. 28 → 29
A.3.2 Performance of Services CPSA Company warrants, represents and agrees that it will only perform PCI Card Production Assessments for which it has been and is then qualified by PCI SSC, and that it will perform each such PCI Card Production Assessment in strict compliance with the applicable PCI Card Production Standard(s) as in effect as of the commencement date of such PCI Card Production Assessment. Without limiting the foregoing, CPSA will include in each Card Production ROC, a Card …
A.3.2 Performance of Services CPSA Company warrants, represents, and agrees that it will only perform PCI Card Production Assessments for which it has been and is then qualified by PCI SSC, and that it will perform each such PCI Card Production Assessment in strict compliance with the applicable PCI Card Production Security Requirement(s) as in effect as of the commencement date of such PCI Card Production Assessment. Without limiting the foregoing, CPSA will include in each Card
Modified p. 29 → 30
A.3.3 CPSA Service Staffing CPSA shall ensure that a CPSA Employee that is fully qualified in accordance with all applicable CPSA Requirements supervises all aspects of each engagement to perform Services, including without limitation, being present onsite for the duration of each PCI Card Production Assessment, reviewing the work product that supports CPSA's PCI Card Production Assessment procedures, and ensuring adherence to the CPSA Qualification Requirements. Employees performing the following tasks must also be qualified as CPSA Employees: scoping decisions, …
A.3.3 CPSA Service Staffing CPSA shall ensure that a CPSA Employee that is fully qualified in accordance with all applicable CPSA Requirements supervises all aspects of each engagement to perform Services, including without limitation, being present onsite for the duration of each PCI Card Production Assessment (or monitoring remotely in accordance with the PCI SSC Remote Assessment Guidelines and Procedures), reviewing the work product that supports CPSA's PCI Card Production Assessment procedures, and ensuring adherence to the CPSA Qualification Requirements. …
Modified p. 29 → 30
A.3.4 CPSA Requirements CPSA agrees to comply with all CPSA Requirements, including without limitation, CPSA’s responsibilities and obligations pursuant to this Agreement, all CPSA Program quality assurance and Remediation requirements, and all requirements applicable to CPSA pursuant to the CPSA Qualification Requirements. Without limiting the foregoing, CPSA agrees to comply with all requirements of, make all provisions provided for in, and ensure that its CPSA Employees comply with all applicable CPSA Qualification Requirements, agrees to comply with all such requirements …
A.3.4 CPSA Requirements CPSA agrees to comply with all CPSA Requirements, including without limitation, CPSA’s responsibilities and obligations pursuant to this Agreement, all CPSA Program quality-assurance and Remediation requirements, and all requirements applicable to CPSA pursuant to the CPSA Qualification Requirements. Without limiting the foregoing, CPSA agrees to comply with all requirements of, make all provisions provided for in, and ensure that its CPSA Employees comply with all applicable CPSA Qualification Requirements, agrees to comply with all such requirements regarding …
Modified p. 30 → 31
CPSA acknowledges that PCI SSC may review and modify its Fees at any time and from time to time. Whenever a change in Fees occurs, PCI SSC shall notify CPSA in accordance with the terms of Section A.10.1. Such change(s) will be effective immediately after the date of such notification. However, should CPSA not agree with such change(s), CPSA shall have the right to terminate this Agreement upon written notice to PCI SSC in accordance with the provisions of Section …
CPSA acknowledges that PCI SSC may review and modify its Fees at any time and from time to time. Whenever a change in Fees occurs, PCI SSC shall notify CPSA in accordance with the terms of Section A.10.1. Such change(s) will be effective immediately after the date of such notification. However, should CPSA not agree with such change(s), CPSA shall have the right to terminate this Agreement upon written notice to PCI SSC in accordance with the provisions of Section …
Modified p. 31 → 32
(c) Except as expressly authorized herein, CPSA shall not use any PCI SSC trademark, service mark, certification mark, logo or other indicator of origin or source (each a “Mark”) without the prior written consent of PCI SSC in each instance. Without limitation of the foregoing, absent the prior written consent of PCI SSC in each instance and except as otherwise expressly authorized herein, CPSA shall have no authority to make, and consequently shall not make, any statement that would constitute …
(c) Except as expressly authorized herein, CPSA shall not use any PCI SSC trademark, service mark, certification mark, logo, or other indicator of origin or source (each a “Mark”) without the prior written consent of PCI SSC in each instance. Without limitation of the foregoing, absent the prior written consent of PCI SSC in each instance and except as otherwise expressly authorized herein, CPSA shall have no authority to make, and consequently shall not make, any statement that would constitute …
Modified p. 32 → 33
A.5.3 No Other Rights Granted Except as expressly stated in this Section A.5, no rights to use any party's or Member’s marks or other Intellectual Property Rights (as defined below) are granted herein, and each party respectively reserves all of its rights therein. Without limitation of the foregoing, except as expressly provided in this Agreement, no rights are granted to CPSA with respect to any Intellectual Property Rights in the PCI Card Production Standards or any other PCI Materials.
A.5.3 No Other Rights Granted Except as expressly stated in this Section A.5, no rights to use any party's or Member’s marks or other Intellectual Property Rights (as defined below) are granted herein, and each party respectively reserves all of its rights therein. Without limitation of the foregoing, except as expressly provided in this Agreement, no rights are granted to CPSA with respect to any Intellectual Property Rights in the PCI Card Production Security Requirements or any other PCI Materials.
Modified p. 32 → 33
A.5.4 Intellectual Property Rights (a) All Intellectual Property Rights, title and interest in and the CPSA Program, the PCI Card Production Standards and all other PCI Materials, all materials CPSA receives from PCI SSC, and each portion, future version, revision, extension, and improvement of any of the foregoing, are and at all times shall remain solely and exclusively the property of PCI SSC or its licensors, as applicable. Subject to the foregoing and to the restrictions set forth in Section …
A.5.4 Intellectual Property Rights (a) All Intellectual Property Rights, title and interest in and the CPSA Program, the PCI Card Production Security Requirements and all other PCI Materials, all materials CPSA receives from PCI SSC, and each portion, future version, revision, extension, and improvement of any of the foregoing, are and at all times shall remain solely and exclusively the property of PCI SSC or its licensors, as applicable. Subject to the foregoing and to the restrictions set forth in …
Modified p. 32 → 33
(b) All right, title and interest in and to the Intellectual Property Rights in all materials generated by or on behalf of PCI SSC with respect to CPSA are and at all times shall remain the property of PCI SSC. Subject to the provisions of Section A.6, CPSA may use and disclose such materials solely for the purposes expressly permitted by this Agreement. CPSA shall not revise, abridge, modify or alter any such materials.
(b) All right, title and interest in and to the Intellectual Property Rights in all materials generated by or on behalf of PCI SSC with respect to CPSA are and at all times shall remain the property of PCI SSC. Subject to the provisions of Section A.6, CPSA may use and disclose such materials solely for the purposes expressly permitted by this Agreement. CPSA shall not revise, abridge, modify, or alter any such materials.
Modified p. 33 → 34
A.6 Confidentiality A.6.1 Definition of Confidential Information As used in this Agreement, “Confidential Information" means (i) all terms of this Agreement; (ii) any and all information designated in this Agreement as Confidential Information; (iii) any and all originals or copies of, any information that either party has identified in writing as confidential at the time of disclosure; and (iv) any and all Personal Information, proprietary information, merchant information, technical information or data, assessment reports, trade secrets or know-how, information …
A.6 Confidentiality A.6.1 Definition of Confidential Information As used in this Agreement, “Confidential Information" means (i) all terms of this Agreement; (ii) any and all information designated in this Agreement as Confidential Information; (iii) any and all originals or copies of, any information that either party has identified in writing as confidential at the time of disclosure; and (iv) any and all Personal Information, proprietary information, merchant information, technical information or data, assessment reports, trade secrets or know-how, information …
Modified p. 34 → 35
(b) Except with regard to Personal Information, such confidentiality obligation shall not apply to information which: (i) is in the public domain or is publicly available or becomes publicly available otherwise than through a breach of this Agreement; (ii) has been lawfully obtained by the Receiving Party from a third party; (iii) is known to the Receiving Party prior to disclosure by the Disclosing Party without confidentiality restriction; or (iv) is independently developed by a member of the Receiving Party's …
(b) Except with regard to Personal Information, such confidentiality obligation shall not apply to information which: (i) is in the public domain or is publicly available or becomes publicly available otherwise than through a breach of this Agreement; (ii) has been lawfully obtained by the Receiving Party from a third party; (iii) is known to the Receiving Party prior to disclosure by the Disclosing Party without confidentiality restriction; or (iv) is independently developed by a member of the Receiving Party's …
Modified p. 34 → 35
A.6.3 CPSA Company Client Data To the extent any data or other information obtained by CPSA relating to any CPSA Company client in the course of providing Services thereto may be subject to any confidentiality restrictions between CPSA and such CPSA Company client, CPSA shall provide in each agreement containing such restrictions (and in the absence of any such agreement must agree with such CPSA Company client in writing) that (i) CPSA may disclose each Card Production ROC, Attestation of …
A.6.3 CPSA Company Client Data To the extent any data or other information obtained by CPSA relating to any CPSA Company client in the course of providing Services thereto may be subject to any confidentiality restrictions between CPSA and such CPSA Company client, CPSA shall provide in each agreement containing such restrictions (and in the absence of any such agreement must agree with such CPSA Company client in writing) that (i) CPSA may disclose each Card Production ROC, Attestation of …
Modified p. 35 → 36
A.6.4 Personal Information In the event that CPSA receives Personal Information from PCI SSC or any Member or CPSA Company client in the course of providing Services or otherwise in connection with this Agreement, in addition to the obligations set forth elsewhere in this Agreement, CPSA will at all times during the Term (as defined in Section A.9.1) maintain such data protection handling practices as may be required by PCI SSC from time to time, including without limitation, as a …
A.6.4 Personal Information In the event that CPSA receives Personal Information from PCI SSC or any Member or CPSA Company client in the course of providing Services or otherwise in connection with this Agreement, in addition to the obligations set forth elsewhere in this Agreement, CPSA will at all times during the Term (as defined in Section A.9.1) maintain such data-protection handling practices as may be required by PCI SSC from time to time, including without limitation, as a minimum, …
Modified p. 36 → 37
A.7 Indemnification and Limitation of Liability A.7.1 Indemnification CPSA shall defend, indemnify, and hold harmless PCI SSC and its Members, and their respective subsidiaries, and all affiliates, subsidiaries, directors, officers, employees, agents, representatives, independent contractors, attorneys, successors, and assigns of any of the foregoing (collectively, including without limitation, PCI SSC and its Members, "Indemnified Parties") from and against any and all claims, losses, liabilities, damages, suits, actions, government proceedings, taxes, penalties or interest, associated auditing and legal expenses and other …
A.7 Indemnification and Limitation of Liability A.7.1 Indemnification CPSA shall defend, indemnify, and hold harmless PCI SSC and its Members, and their respective subsidiaries, and all affiliates, subsidiaries, directors, officers, employees, agents, representatives, independent contractors, attorneys, successors, and assigns of any of the foregoing (collectively, including without limitation, PCI SSC and its Members, "Indemnified Parties") from and against any and all claims, losses, liabilities, damages, suits, actions, government proceedings, taxes, penalties or interest, associated auditing, and legal expenses and other …
Modified p. 36 → 37
A.7.2 Indemnification Procedure CPSA's indemnity obligations are contingent on the Indemnified Party's providing notice of the claim or liability to CPSA, provided that the failure to provide any such notice shall not relieve CPSA of such indemnity obligations except and to the extent such failure has materially and adversely affected CPSA's ability to defend against such claim or liability. Upon receipt of such notice, CPSA will be entitled to control, and will assume full responsibility for, the defense of such …
A.7.2 Indemnification Procedure CPSA's indemnity obligations are contingent on the Indemnified Party's providing notice of the claim or liability to CPSA, provided that the failure to provide any such notice shall not relieve CPSA of such indemnity obligations except and to the extent such failure has materially and adversely affected CPSA's ability to defend against such claim or liability. Upon receipt of such notice, CPSA will be entitled to control, and will assume full responsibility for, the defense of such …
Modified p. 37 → 38
A.7.3 No Warranties; Limitation of Liability (a) PCI SSC PROVIDES THE PCI CARD PRODUCTION STANDARDS, THE CPSA PROGRAM, THE CPSA QUALIFICATION REQUIREMENTS, THE WEBSITE AND ALL RELATED AND OTHER MATERIALS PROVIDED OR OTHERWISE MADE ACCESSIBLE BY PCI SSC IN CONNECTION WITH THE PCI CPSA PROGRAM (THE FOREGOING, COLLECTIVELY, THE "PCI MATERIALS") ON AN "AS IS" BASIS WITHOUT WARRANTY OF ANY KIND. CPSA ASSUMES THE ENTIRE RISK AS TO RESULTS AND PERFORMANCE ARISING OUT OF ITS USE OF ANY OF THE …
A.7.3 No Warranties; Limitation of Liability (a) PCI SSC PROVIDES THE PCI CARD PRODUCTION SECURITY REQUIREMENTS, THE CPSA PROGRAM, THE CPSA QUALIFICATION REQUIREMENTS, THE WEBSITE, AND ALL RELATED AND OTHER MATERIALS PROVIDED OR OTHERWISE MADE ACCESSIBLE BY PCI SSC IN CONNECTION WITH THE PCI CPSA PROGRAM (THE FOREGOING, COLLECTIVELY, THE "PCI MATERIALS") ON AN "AS IS" BASIS WITHOUT WARRANTY OF ANY KIND. CPSA ASSUMES THE ENTIRE RISK AS TO RESULTS AND PERFORMANCE ARISING OUT OF ITS USE OF ANY OF …
Modified p. 37 → 38
(b) PCI SSC MAKES NO REPRESENTATION OR WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH RESPECT TO THE SUBJECT MATTER OF THIS AGREEMENT, INCLUDING WITHOUT LIMITATION, THE CPSA PROGRAM, THE PCI MATERIALS OR ANY MATERIALS OR SERVICES PROVIDED UNDER OR IN CONNECTION WITH THIS AGREEMENT OR THE CPSA PROGRAM. PCI SSC SPECIFICALLY DISCLAIMS, AND CPSA EXPRESSLY WAIVES, ALL REPRESENTATIONS AND WARRANTIES WITH RESPECT TO THIS AGREEMENT, THE CPSA PROGRAM, THE PCI MATERIALS, ANY MATERIALS OR SERVICES PROVIDED UNDER OR IN …
(b) PCI SSC MAKES NO REPRESENTATION OR WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH RESPECT TO THE SUBJECT MATTER OF THIS AGREEMENT, INCLUDING WITHOUT LIMITATION, THE CPSA PROGRAM, THE PCI MATERIALS, OR ANY MATERIALS OR SERVICES PROVIDED UNDER OR IN CONNECTION WITH THIS AGREEMENT OR THE CPSA PROGRAM. PCI SSC SPECIFICALLY DISCLAIMS, AND CPSA EXPRESSLY WAIVES, ALL REPRESENTATIONS AND WARRANTIES WITH RESPECT TO THIS AGREEMENT, THE CPSA PROGRAM, THE PCI MATERIALS, ANY MATERIALS OR SERVICES PROVIDED UNDER OR IN …
Modified p. 37 → 38
(c) In particular, without limiting the foregoing, CPSA acknowledges and agrees that the accuracy, completeness, sequence or timeliness of the PCI Materials or any portion thereof cannot be guaranteed. In addition, PCI SSC makes no representation or warranty whatsoever, expressed or implied, and assumes no liability, and shall not be liable in any respect to CPSA regarding (i) any delay or loss of use of any of the PCI Materials, or (ii) system performance and effects on or damages to …
(c) In particular, without limiting the foregoing, CPSA acknowledges and agrees that the accuracy, completeness, sequence, or timeliness of the PCI Materials or any portion thereof cannot be guaranteed. In addition, PCI SSC makes no representation or warranty whatsoever, expressed or implied, and assumes no liability, and shall not be liable in any respect to CPSA regarding (i) any delay or loss of use of any of the PCI Materials, or (ii) system performance and effects on or damages to …
Modified p. 37 → 38
(d) EXCEPT FOR DAMAGES CAUSED BY THE GROSS NEGLIGENCE OR WILLFUL MISCONDUCT OF A PARTY, AND EXCEPT FOR THE OBLIGATIONS OF CPSA UNDER SECTIONS A.5 OR A.6, IN NO EVENT SHALL EITHER PARTY OR ANY MEMBER BE LIABLE TO THE OTHER FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT OR SPECIAL DAMAGES, HOWEVER CAUSED, WHETHER UNDER THEORY OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY DOES …
(d) EXCEPT FOR DAMAGES CAUSED BY THE GROSS NEGLIGENCE OR WILLFUL MISCONDUCT OF A PARTY, AND EXCEPT FOR THE OBLIGATIONS OF CPSA UNDER SECTIONS A.5 OR A.6, IN NO EVENT SHALL EITHER PARTY OR ANY MEMBER BE LIABLE TO THE OTHER FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT OR SPECIAL DAMAGES, HOWEVER CAUSED, WHETHER UNDER THEORY OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, EVEN
Modified p. 38 → 39
A.7.4 Insurance At all times while this Agreement is in effect, CPSA shall maintain insurance in such amounts, with such insurers, coverages, exclusions and deductibles which, at a minimum, meet the applicable insurance requirements for U.S. or European Union CPSA Companies (as applicable) participating in the CPSA Program, including without limitation, the insurance requirements for CPSA Companies set forth in Appendix B of the CPSA Qualification Requirements. CPSA acknowledges and agrees that if it is a non-U.S. and non-European Union …
A.7.4 Insurance At all times while this Agreement is in effect, CPSA shall maintain insurance in such amounts, with such insurers, coverages, exclusions and deductibles which, at a minimum, meet the applicable insurance requirements for U.S. or European Union CPSA Companies (as applicable) participating in the CPSA Program, including without limitation, the insurance requirements for CPSA Companies set forth in Appendix B of the CPSA Qualification Requirements. CPSA acknowledges and agrees that if it is a non-U.S. and non-European Union …
Modified p. 41 → 42
PCI SSC may establish from time to time for the CPSA Program, PCI SSC will review all relevant evidence submitted by CPSA and each complainant (if any) in connection therewith, and PCI SSC shall determine whether termination of CPSA’s Qualification is warranted or, in the alternative, no action, or specified remedial actions shall be required. All determinations of PCI SSC regarding Revocation and any related termination or appeals shall be final and binding upon CPSA. If PCI SSC determines …
(c) All Revocation appeal proceedings will be conducted in accordance with such procedures as PCI SSC may establish from time to time for the CPSA Program, PCI SSC will review all relevant evidence submitted by CPSA and each complainant (if any) in connection therewith, and PCI SSC shall determine whether termination of CPSA’s Qualification is warranted or, in the alternative, no action, or specified remedial actions shall be required. All determinations of PCI SSC regarding Revocation and any related …
Modified p. 42 → 43
A.10.2 Audit and Financial Statements (a) CPSA shall allow PCI SSC or its designated agents access during normal business hours throughout the Term and for six (6) months thereafter to perform audits of CPSA's facilities, operations and records of Services to determine whether CPSA has complied with this Agreement. CPSA also shall provide PCI SSC or its designated agents during normal business hours with books, records and supporting documentation adequate to evaluate CPSA's performance hereunder. Upon request, CPSA shall provide …
A.10.2 Audit and Financial Statements (a) CPSA shall allow PCI SSC or its designated agents access during normal business hours throughout the Term and for six (6) months thereafter to perform audits of CPSA's facilities, operations and records of Services to determine whether CPSA has complied with this Agreement. CPSA also shall provide PCI SSC or its designated agents during normal business hours with books, records and supporting documentation adequate to evaluate CPSA's performance hereunder. Upon request, CPSA shall provide …
Modified p. 42 → 43
(b) Notwithstanding anything to the contrary in Section A.6 of this Agreement, in order to assist in ensuring the reliability and accuracy of CPSA's PCI Card Production Assessments, CPSA hereby agrees to comply with all quality assurance procedures and requirements established or imposed by PCI SSC from time to time in connection with the CPSA Program (including but not limited to conditions and requirements imposed in connection with remediation, revocation, or any other Qualification status) and that, within 15 days …
(b) Notwithstanding anything to the contrary in Section A.6 of this Agreement, in order to assist in ensuring the reliability and accuracy of CPSA's PCI Card Production Assessments, CPSA hereby agrees to comply with all quality-assurance procedures and requirements established or imposed by PCI SSC from time to time in connection with the CPSA Program (including but not limited to conditions and requirements imposed in connection with remediation, revocation, or any other Qualification status) and that, within 15 days of …
Modified p. 43 → 44
A.10.3 Governing Law; Severability Any dispute in any way arising out of or in connection with the interpretation or performance of this Agreement, which cannot be amicably settled within thirty (30) days of the written notice of the dispute given to the other party by exercising the best efforts and good faith of the parties, shall be finally settled by the courts of Delaware (United States of America) in accordance with Delaware law without resort to its conflict of laws …
A.10.3 Governing Law; Severability Any dispute in any way arising out of or in connection with the interpretation or performance of this Agreement, which cannot be amicably settled within thirty (30) days of the written notice of the dispute given to the other party by exercising the best efforts and good faith of the parties, shall be finally settled by the courts of Delaware (United States of America) in accordance with Delaware law without resort to its conflict of laws …
Modified p. 43 → 44
A.10.4 Entire Agreement; Modification; Waivers The parties agree that this Agreement, including the CPSA Qualification Requirements and any other documents, addenda, supplements, amendments, appendices, exhibits, schedules or other materials incorporated herein by reference (each of which is hereby incorporated into and made a part of this Agreement by this reference), is the exclusive statement of the agreement between the parties with respect to the subject matter hereof, which supersedes and merges all prior proposals, understandings and all other agreements, oral …
A.10.4 Entire Agreement; Modification; Waivers The parties agree that this Agreement, including the CPSA Qualification Requirements and any other documents, addenda, supplements, amendments, appendices, exhibits, schedules, or other materials incorporated herein by reference (each of which is hereby incorporated into and made a part of this Agreement by this reference), is the exclusive statement of the agreement between the parties with respect to the subject matter hereof, which supersedes and merges all prior proposals, understandings and all other agreements, oral …
Modified p. 44 → 45
A.10.5 Assignment CPSA may not assign this Agreement, or assign, delegate or subcontract any of its rights and/or obligations under this Agreement.
A.10.5 Assignment CPSA may not assign this Agreement, or assign, delegate, or subcontract any of its rights and/or obligations under this Agreement.
Modified p. 44 → 45
A.10.10 No Third-Party Beneficiaries Except as expressly provided herein, the provisions of this Agreement are for the benefit of the parties hereto only, no third-party beneficiaries are intended and no third party may seek to enforce or benefit from the provisions hereof.
A.10.10 No Third-Party Beneficiaries Except as expressly provided herein, the provisions of this Agreement are for the benefit of the parties hereto only, no third-party beneficiaries are intended, and no third party may seek to enforce or benefit from the provisions hereof.
Removed p. 45
• WORKERS’ COMPENSATION: Statutory Workers Compensation as required by applicable law and

• EMPLOYER’S LIABILITY with a limit of $1,000,000

• COMMERCIAL AUTOMOBILE INSURANCE including owned, leased, hired, or non-owned autos subject to minimum limits of $1,000,000 per accident
Modified p. 45 → 46
COMMERCIAL GENERAL LIABILITY INSURANCE including PRODUCTS, COMPLETED OPERATIONS, ADVERTISING INJURY, PERSONAL INJURY and CONTRACTUAL LIABILITY INSURANCE with the following minimum limits for Bodily Injury and Property Damage on an Occurrence basis: $1,000,000 per occurrence and $2,000,000 annual aggregate. PCI SSC to be added as “Additional Insured.” The policy Coverage Territory must include the entire Region(s) in which the CPSA Company has qualified to operate.
• WORKERS’ COMPENSATION: Statutory Workers Compensation as required by applicable law and
• EMPLOYER’S LIABILITY with a limit of $1,000,000
• COMMERCIAL GENERAL LIABILITY INSURANCE including PRODUCTS, COMPLETED OPERATIONS, ADVERTISING INJURY, PERSONAL INJURY, and CONTRACTUAL LIABILITY INSURANCE with the following minimum limits for Bodily Injury and Property Damage on an Occurrence basis: $1,000,000 per occurrence and $2,000,000 annual aggregate. PCI SSC to be added as “Additional Insured.” The policy Coverage Territory must include the entire Region(s) in which the CPSA …
Modified p. 45 → 46
CRIME/FIDELITY BOND including first-party employee dishonesty, robbery, fraud, theft, forgery, alteration, mysterious disappearance, and destruction. Coverage must also include third-party employee dishonesty, i.e., coverage for claims made by the CPSA Company’s client against the CPSA Company for theft committed by the CPSA Company’s employees. The minimum limit shall be $1,000,000 each loss and annual aggregate. The policy Coverage Territory must include the entire Region(s) in which the CPSA Company is qualified to operate.
• COMMERCIAL AUTOMOBILE INSURANCE including owned, leased, hired, or non-owned autos subject to minimum limits of $1,000,000 per accident
• CRIME/FIDELITY BOND including first-party employee dishonesty, robbery, fraud, theft, forgery, alteration, mysterious disappearance, and destruction. Coverage must also include third-party employee dishonesty − i.e., coverage for claims made by the CPSA Company’s client against the CPSA Company for theft committed by the CPSA Company’s employees. The minimum limit shall be $1,000,000 each loss and annual aggregate. The policy Coverage Territory …
Modified p. 45 → 46
TECHNOLOGY ERRORS & OMISSIONS, CYBER-RISK and PRIVACY LIABILITY INSURANCE covering liabilities for financial loss resulting or arising from acts, errors or omissions in rendering computer or information technology Services, or from data damage/destruction/corruption, including without limitation, failure to protect privacy, unauthorized access, unauthorized use, virus transmission, denial of service, and loss of income from network security failures in connection with the Services provided under this agreement with a minimum limit of two million dollars ($2,000,000) each claim and annual …
TECHNOLOGY ERRORS & OMISSIONS, CYBER-RISK and PRIVACY LIABILITY INSURANCE covering liabilities for financial loss resulting or arising from acts, errors, or omissions in rendering computer or information technology Services, or from data damage/destruction/corruption, including without limitation, failure to protect privacy, unauthorized access, unauthorized use, virus transmission, denial of service, and loss of income from network security failures in connection with the Services provided under this agreement with a minimum limit of two million dollars ($2,000,000) each claim and annual …
Modified p. 45 → 46
Without limiting Security Assessor’s indemnification duties as outlined in the Indemnification Section herein, PCI SSC shall be named as an additional insured under the Commercial General Liability for any claims and losses arising out of, allegedly arising out of, or in any way connected to the Security Assessor’s performance of the Services under this agreement. The insurers shall agree that the Security Assessor’s insurance is primary and any insurance maintained by PCI SSC shall be excess and non-contributing to …
Without limiting Security Assessor’s indemnification duties as outlined in the Indemnification Section herein, PCI SSC shall be named as an additional insured under the Commercial General Liability for any claims and losses arising out of, allegedly arising out of, or in any way connected to the Security Assessor’s performance of the Services under this agreement. The insurers shall agree that the Security
Modified p. 48 → 49
Describe any past or present allegations or convictions of any fraudulent or criminal activity involving the company (and/or company principals), and the status and resolution 1:
Describe any past or present allegations or convictions of any fraudulent or criminal activity involving the company (and/or company principals), and the status and resolution1:
Modified p. 48 → 49
Independence

• 2.2.2 Provisions The Company hereby acknowledges and agrees that it must adhere to professional and business ethics, perform its duties with objectivity, and limit sources of influence that might compromise its independent judgment in performing PCI Card Production Assessments.
Independence

• 2.2.2 Provisions The Company hereby acknowledges and agrees that it must adhere to professional and business ethics, perform its duties with objectivity, and limit sources of influence that might compromise its independent judgment in performing PCI Card Production Assessments.
Modified p. 48 → 49
Below or attached hereto are (a) a description of the Company’s practices for maintaining and assuring assessor independence, including but not limited to, the Company’s practices, organizational structures, separation of duties, rules, and employee education in place to prevent conflicts of interest, and (b) copies of all written Company policies relating to any of the foregoing.1 (Continued) 1 QSA Companies in good standing will have already provided these materials and will not be required to resubmit them as part …
Below or attached hereto are (a) a description of the Company’s practices for maintaining and assuring assessor independence, including but not limited to, the Company’s practices, organizational structures, separation of duties, rules, and employee education in place to prevent conflicts of interest, and (b) copies of all written Company policies relating to any of the foregoing.1 (Continued) 1 QSA Companies in good standing will have already provided these materials and will not be required to resubmit them as part of …
Modified p. 49 → 50
• Agrees not to use its status as a “listed CPSA” to market services unnecessary to bring clients into compliance with the PCI Card Production Standards.
• Agrees not to use its status as a “listed CPSA” to market services unnecessary to bring clients into compliance with the PCI Card Production Security Requirements.
Modified p. 49 → 50
• Agrees not to misrepresent any requirement of the PCI Card Production Standards in connection with its promotion or sales of services to clients, and not to state or imply that the PCI Card Production Standards requires usage of any of the Company’s products or services.
• Agrees not to misrepresent any requirement of the PCI Card Production Security Requirements in connection with its promotion or sales of services to clients, and not to state or imply that the PCI Card Production Security Requirements requires usage of any of the Company’s products or services.
Modified p. 49 → 50
Insurance Coverage

• 2.3.2 Provisions The Company agrees that at all times while its CPSA Agreement is in effect, Company will maintain sufficient insurance, insurers, coverage, exclusions, and deductibles that PCI SSC reasonably requests to adequately insure the Company for its obligations and liabilities under the CPSA Agreement, including without limitation the Company's indemnification obligations.
Insurance Coverage

• 2.3.2 Provisions The Company agrees that at all times while its CPSA Agreement is in effect, Company will maintain sufficient insurance, insurers, coverage, exclusions, and deductibles that PCI SSC reasonably requests to adequately insure the Company for its obligations and liabilities under the CPSA Agreement, including without limitation the Company's indemnification obligations.
Modified p. 49 → 50
The Company hereby certifies to PCI SSC that, along with this application, the Company is providing to PCI SSC a proof-of-coverage statement demonstrating that its insurance coverage matches locally set insurance coverage requirements.1 1 QSA Companies in good standing will have already provided these materials and will not be required to resubmit them as part of the initial CPSA Company application process if there have been no changes to such materials since those materials were last submitted to PCI SSC.
The Company hereby certifies to PCI SSC that, along with this application, the Company is providing to PCI SSC a proof-of-coverage statement demonstrating that its insurance coverage matches locally set insurance coverage requirements.1 The Company hereby agrees not to subcontract or assign any portion of the CPSA services.
Modified p. 50 → 51
CPSA Agreement

• 2.5.1 Requirements The Company acknowledges and agrees that along with its completed application package it is providing to
CPSA Agreement

• 2.5.1 Requirements The Company acknowledges and agrees that along with its completed application package it is providing to PCI SSC a CPSA Agreement between PCI SSC and the Company, in unmodified form, signed by a duly authorized officer of the Company.
Modified p. 50 → 51
CPSA Company Skills and Experience

• 3.1.2 Provisions The Company represents and warrants that it currently possesses (and at all times while it is a CPSA Company will continue to possess) technical security assessment experience similar or related to PCI Card Production Assessments, and that it has (and must have) a dedicated security practice that includes staff with specific job functions that support the security practice The Company acknowledges and agrees that in order to perform or manage any PCI Card …
CPSA Company Skills and Experience

• 3.1.2 Provisions The Company represents and warrants that it currently possesses (and at all times while it is a CPSA Company will continue to possess) technical security assessment experience similar or related to PCI Card Production Assessments, and that it has (and must have) a dedicated security practice that includes staff with specific job functions that support the security practice.
Modified p. 50 → 51
The Company acknowledges and agrees that it must fulfill all CPSA Qualification Requirements, all CPSA Company Requirements, and comply with all terms and provisions of the CPSA Agreement, any other agreements executed with PCI SSC, and all other applicable policies and requirements of the CPSA Assessor Program, as mandated or imposed by PCI SSC from time to time, including but not limited to all requirements in connection with PCI SSC's quality assurance initiatives, remediation, and revocation.
The Company acknowledges and agrees that it must fulfill all CPSA Qualification Requirements, all CPSA Company Requirements, and comply with all terms and provisions of the CPSA Agreement, any other agreements executed with PCI SSC, and all other applicable policies and requirements of the CPSA Assessor Program, as mandated or imposed by PCI SSC from time to time, including but not limited to all requirements in connection with PCI SSC's quality-assurance initiatives, remediation, and revocation.
Modified p. 51 → 52
Two client references from relevant security engagements within the last 12 months 1:
Two client references from relevant security engagements within the last 12 months1:
Modified p. 52 → 53
Background Checks

• 4.2.2 Provisions The Company agrees that its policies and hiring procedures must include performing background checks and satisfying the provisions in Section 4.2.2 (to the extent legally permitted within the applicable jurisdiction) when hiring each applicant CPSA Employee.
Background Checks

• 4.2.2 Provisions The Company agrees that its policies and hiring procedures must include performing background checks and satisfying the provisions in Section 4.2.2 (to the extent legally permitted within the applicable jurisdiction) when hiring each applicant CPSA Employee.
Modified p. 52 → 53
• Verification of aliases (when applicable)
• Reviewing records of any criminal activity, such as felony (or non-US equivalent) convictions or outstanding
• Annually review records of any criminal activity, such as felony (or non-US equivalent) convictions or outstanding warrants
• Minor offenses (for example, misdemeanors or non-US equivalents) are allowed, but major offenses (for example, felonies or non-US equivalents) automatically disqualify an employee from serving as a CPSA Employee
The Company understands and agrees that, upon request, it must provide to …
• Verification of aliases (when applicable)
• Reviewing records of any criminal activity, such as felony (or non-US equivalent) convictions or outstanding warrants
• Annually review records of any criminal activity, such as felony (or non-US equivalent) convictions or outstanding warrants
• Minor offenses (for example, misdemeanors or non-US equivalents) are allowed, but major offenses (for example, felonies or non-US equivalents) automatically disqualify an employee from serving as a CPSA Employee
The Company understands and agrees that, upon request, it must provide to PCI …
Modified p. 52 → 53
Internal Quality Assurance

• 4.3.2 Provisions
The Company acknowledges and agrees that it must adhere to all quality assurance requirements described in the CPSA Qualification Requirements and supporting documentation, must have a quality assurance program, documented in its Quality Assurance manual, and must maintain and adhere to a documented quality assurance process and manual that includes all items described in Section 4.3.1 of the CPSA Qualification Requirements.
The Company acknowledges and agrees that it must adhere to all quality-assurance requirements described in the CPSA Qualification Requirements and supporting documentation, must have a quality-assurance program, documented in its Quality Assurance manual, and must maintain and adhere to a documented quality-assurance process and manual that includes all items described in Section 4.3.1 of the CPSA Qualification Requirements.
Modified p. 52 → 53
The Company acknowledges and agrees that its internal quality assurance reviews must be performed by qualified personnel and must cover assessment procedures performed, supporting documentation, information documented in the Card Production ROC related to the appropriate selection of system components, sampling procedures, remediation recommendations, proper use of payment definitions, consistent findings, and thorough documentation of results.
The Company acknowledges and agrees that its internal quality-assurance reviews must be performed by qualified personnel (independent of the assessing and/or authoring CPSA Employee) and must cover assessment procedures performed, supporting documentation, information documented in the Card Production ROC related to the appropriate selection of system components, sampling procedures, remediation recommendations, proper use of payment definitions, consistent findings, and thorough documentation of results.
Modified p. 53 → 54
At all times maintain and adhere to the internal quality assurance requirements as described in Section 4.3.1 of the CPSA Qualification Requirements.
At all times maintain and adhere to the internal quality-assurance requirements as described in Section 4.3.1 of the CPSA Qualification Requirements.
Modified p. 53 → 54
Conduct all PCI Card Production Assessments on-site at the applicable client’s facilities.
Conduct all PCI Card Production Assessments on-site at the applicable client’s facilities or remotely according to the PCI SSC Remote Assessment Guidelines and Procedures.
Modified p. 53 → 54
Protection of Confidential and Sensitive Information

• 4.4.2 Provisions The Company currently has and agrees to adhere to a documented process for protection of confidential and sensitive information, which includes adequate physical, electronic, an d procedural safeguards consistent with industry-accepted practices to protect confidential and sensitive information against any threats or unauthorized access during storage, processing, and/or communicating of this information.
Protection of Confidential and Sensitive Information

• 4.4.2 Provisions The Company currently has and agrees to adhere to a documented process for protection of confidential and sensitive information, which includes adequate physical, electronic, and procedural safeguards consistent with industry-accepted practices to protect confidential and sensitive information against any threats or unauthorized access during storage, processing, and/or communicating of this information.
Modified p. 53 → 54
The Company agrees to provide PCI SSC a blank copy of the confidentiality agreement that it requires each CPSA to sign (include a blank copy of such confidentiality agreement with this application) 1.
The Company agrees to provide PCI SSC a blank copy of the confidentiality agreement that it requires each CPSA to sign (include a blank copy of such confidentiality agreement with this application)1.
Removed p. 55
• Is approved and in good standing as a Card Production Entity assessor (Logical) under any corresponding Card Production Entity assessor program conducted by Visa, Mastercard, American Express, or Discover (each a “Legacy Program”) as of June 1, 2019.

(If yes, this applicant will be exempt from Sections 3.2.1.1 and 3.2.1.2 of the CPSA Qualifications Requirements until June 1, 2021) A résumé or CV for the applicant has been submitted along with the application.
Removed p. 56
From (date): To (date): Total time: Years Months Provide examples of work or a description of the Candidate's knowledge and experience with cryptography and key management with a minimum of three years of the following disciplines:
Modified p. 56 → 58
Examples of work or description of the Candidate's experience with cryptography:
From (date): To (date): Total time: Years Months Provide examples of work or a description of the Candidate's knowledge and experience with cryptography and key management:
Modified p. 56 → 58
Describe the types of cryptography the Candidate has used, such as hashing, symmetric, asymmetric, and algorithms used such as Diffie-Hellman, elliptic curve, DES, Blowfish, MD5.
Examples of work or description of the Candidate's experience with cryptography: Describe the types of cryptography the Candidate has used, such as hashing, symmetric, asymmetric, and algorithms used such as Diffie-Hellman, elliptic curve, DES, Blowfish, MD5.
Modified p. 56 → 58
From (date): To (date): Total time: Years Months Examples of work or description of the Candidate's experience with key management:
From (date): To (date): Total time: Years Months Examples of work or description of the Candidate's experience with key management: Describe the Candidate's knowledge of implementing key management, for example, key storage, access control, incident response in the event of compromise, and lifecycle management (rotation, destruction, revocation).
Modified p. 56 → 58
Total time: Years Months Knowledge of Public Key Infrastructure (PKI) and the role and operations of a Certification Authority (CA) and Registration Authority (RA):
Total time: Years Months Knowledge of Public Key Infrastructure (PKI) and the role and operations of a Certification Authority (CA) and Registration Authority (RA): Describe the Candidate's experience with digital certificates. For example, obtaining, generating, and deploying digital certificates, methods to protect or store digital certificates, certificate revocation, etc.
Modified p. 56 → 58
Total time: Years Months Knowledge of POI key-injection systems and techniques including Key Loading Devices (KLDs) and key- management methods, such as "Master/Session Key," "DUKPT":
Total time: Years Months Knowledge of POI key-injection systems and techniques including Key Loading Devices (KLDs) and key- management methods, such as "Master/Session Key," "DUKPT": Describe the Candidate's experience with key injection. For example, types of keys loaded, KLDs, key- management methods, etc.
Modified p. 57 → 59
(a) The information provided above is true, accurate and complete; (b) I have read and understand the CPSA Qualification Requirements and will comply with the terms thereof; and (c) I have read and understand the PCI SSC Code of Professional Responsibility, and will advoc ate, continuously adhere to and support the terms and provisions thereof.
(a) The information provided above is true, accurate and complete; (b) I have read and understand the CPSA Qualification Requirements and will comply with the terms thereof; and (c) I have read and understand the PCI SSC Code of Professional Responsibility, and will advocate, continuously adhere to and support the terms and provisions thereof.
Removed p. 58
• Is approved and in good standing as a Card Production Entity assessor (Physical) under any corresponding Card Production Entity assessor program conducted by Visa, Mastercard, American Express, or Discover (each a “Legacy Program”) as of June 1, 2019.

(If yes, this applicant will be exempt from Sections 3.2.1.1 and 3.2.1.2 of the CPSA Qualifications Requirements until June 1, 2021).
Modified p. 58 → 60
CPSA Employee Skills, Experience and Education Examples of work and/or description of experience in Physical Security (excluding physical security audits) From (date): To (date): Total time: Years Months Examples of work and/or description of experience in Physical Security Audits:
CPSA Employee Skills, Experience and Education Examples of work and/or description of experience in Physical Security (excluding physical security audits).
Modified p. 58 → 60
From (date): To (date): Total time: Years Months Examples of work and/or description of experience in Systems Security (logical security of systems that provide or enforce physical security⎯e.g., CCTV and access control systems):
From (date): To (date): Total time: Years Months Examples of work and/or description of experience in Systems Security (logical security of systems that provide or enforce physical securitye.g., CCTV and access control systems):
Modified p. 59 → 61
(a) The information provided above is true, accurate and complete; (b) I have read and understand the CPSA Qualification Requirements and will comply with the terms thereof; (c) I have read and understand the PCI SSC Code of Professional Responsibility, and will advocate, continuously adhere to and support the terms and provisions thereof.
(a) The information provided above is true, accurate and complete; (b) I have read and understand the CPSA Qualification Requirements and will comply with the terms thereof; and (c) I have read and understand the PCI SSC Code of Professional Responsibility, and will advocate, continuously adhere to and support the terms and provisions thereof.