Document Comparison

Card_Production_Security_Assessor_(CPSA)_Program_Guide__v1.0_Apr_2019.pdf → CPSA_Program_Guide_v1.2.pdf
80% similar
24 → 29 Pages
7766 → 8878 Words
75 Content Changes

Content Changes

75 content changes. 37 administrative changes (dates, page numbers) hidden.

Added p. 2
March 2022 1.1
• Added requirement for CPSAs to have appropriate skills for assessments
• Added requirement that CPSAs must be trained on the version of Card Production Security Requirements they are using
• Added guidance regarding remote assessments
• Added Appendix B to provide additional QA guidance
• Performed minor clarifications in language throughout

March 2024 1.2
• Added requirement for annual QA Questionnaire in Section 8.1
Added p. 5
PCI SSC Remote Assessment Guidelines and Procedures Detailed guidelines and procedures for performing PCI SSC program assessments remotely.
Added p. 7
CPSA Requirements With respect to a given CPSA Company or CPSA Employee, the applicable requirements and obligations thereof pursuant to the CPSA Qualification Requirements, the CPSA Agreement, each addendum, supplement, or other agreement or attestation entered into between such CPSA Company or CPSA Employee and PCI SSC, and any and all other policies, procedures, requirements, validation or qualification requirements, or obligations imposed, mandated, provided for, or otherwise established by PCI SSC from time to time in connection with any PCI SSC Program in which such CPSA Company or CPSA Employee (as applicable) is then a participant, including but not limited to all policies, procedures, requirements, standards, obligations of all applicable PCI SSC training programs, quality-assurance programs, remediation programs, program guides, and other related PCI SSC Program materials, including without limitation those relating to probation, fines, penalties, oversight, remediation, suspension, and/or revocation.

Card Production Security Requirements The set of security requirements as …
Added p. 10
• Data preparation,
• Manufacturing,
• Pre-personalization,
• Card embossing, chip embedding,
• Card personalization,
• Chip personalization,
• PIN generation,
• PIN mailers,
• Card carriers, and
• Distribution.
Added p. 13
A CPSA Employee must requalify with PCI SSC on an annual basis by their requalification date for each of their CPSA Program qualifications. In order to requalify:

(a) Complete at least three (3) Logical PCI Card Production Assessments for different facilities over the previous one-year period and complete PCI SSC computer-based CPSA-L training course/exam.

(b) Successfully complete PCI SSC instructor-led CPSA Logical training course and exam.

(a) Complete at least three (3) Physical PCI Card Production Assessments for different facilities over the previous one-year period and complete PCI SSC computer-based CPSA Physical training course/exam.

(b) Successfully complete PCI SSC instructor-led CPSA-P training course and exam.

Note: CPSA Employees who do not complete the required number of assessments must register and complete PCI SSC CPSA Instructor-led training and exam prior to their requalification date to remain listed as an active assessor. PCI SSC CPSA Instructor-led training is subject to availability.
Added p. 16
The use of remote assessment methods may be a suitable alternative in scenarios where an onsite assessment is not feasible.
Added p. 17
Prior to the engagement, the CPSA Company must consult with the Participating Payment Brands to determine any compliance impacts associated with the use of remote assessments.
Added p. 20
The notification sent to the Primary Contact specifies the information and materials the CPSA Company must provide as part of the CPSA Annual QA Questionnaire, which may include but is not limited to internal QA manuals, documented processes such as the Workpaper Retention Policy, Card Production ROC excerpts redacted in accordance with PCI SSC policy, and other data specified in the notice. The notification will further provide a link to a worksheet that the Primary Contact can use to gather data for submission in the Portal.

The AQM team will review the completed CPSA Annual QA Questionnaire to monitor the CPSA Company’s ongoing adherence to program requirements and provide relevant feedback in a summary document within the Portal.

Note: Findings discovered within the CPSA Annual QA Questionnaire review may impact a CPSA Company’s prioritization for CPSA Audit.
Added p. 22
 Each CPSA Company agrees that when it (or any CPSA Employee thereof) recommends remediation actions that include one of its own solutions or products, the CPSA Company will also recommend other market options that exist.

 Each CPSA Company must adhere to all independence requirements as established by PCI SSC. For a complete list, please see Section 2.2 in the CPSA Qualification Requirements.
Added p. 22
Any Participating Payment Brand or Card Production Entity may submit CPSA Feedback Forms to PCI SSC to provide feedback on a PCI Card Production Security Assessment, CPSA Company, or CPSA Employee.

Note: PCI SSC does not issue an official PCI seal, mark, or logo that companies can use when they achieve PCI Card Production compliance. Please note that the PCI SSC logo is a registered trademark and may not be used without authorization. You may not use or encourage or enable others to use the phrases or marks “PCI Compliant,” “PCI Certified,” “PCI Card Production Compliant,” “PCI Card Production Certified,” or “PCI” with check marks or any other mark or logo that suggests or implies compliance or conformance with PCI SSC standards.
Added p. 29
PCI SSC reviews Assessor work product and stakeholder feedback with the expectation that the Assessor has followed the requirements of the applicable PCI SSC Program as documented in applicable Program documentation and has acted in the best interest of the customer in an ethical manner that results in factual, documented, and defendable opinions. Program participants must keep up with PCI SSC updates (including but not limited to updates to the CPSA Qualification Requirements and CPSA Program Guide, monthly Assessor Newsletter articles, published FAQs on the Website, and content from relevant webinars).

The Four Cs are useful measurements to evaluate the strength and quality of the Assessor’s approach and/or conclusions and can help the Assessor ensure that work can be defended in a meaningful way.
Modified p. 1
Payment Card Industry (PCI) Card Production Security Assessors Program Guide Version 1.0
Payment Card Industry (PCI) Card Production Security Assessors (CPSA) Logical and Physical Program Guide Version 1.2
Modified p. 4 → 5
Document name Description Payment Card Industry (PCI) Card Production and Provisioning Logical Security Requirements Lists the specific technical and operational security requirements used by assessors to validate Logical PCI Card Production and Provisioning compliance.
Document name Description Payment Card Industry (PCI) Card Production and Provisioning Logical Security Requirements (Card Production Logical Security Requirements) Lists the specific technical and operational security requirements used by assessors to validate Logical PCI Card Production and Provisioning compliance.
Modified p. 4 → 5
Payment Card Industry (PCI) Card Production and Provisioning Physical Security Requirements Lists the specific technical and operational security requirements used by assessors to validate Physical PCI Card Production and Provisioning compliance.
Payment Card Industry (PCI) Card Production and Provisioning Physical Security Requirements (Card Production Physical Security Requirements) Lists the specific technical and operational security requirements used by assessors to validate Physical PCI Card Production and Provisioning compliance.
Modified p. 4 → 5
PCI Card Production and Provisioning Attestation of Compliance (Card Production AOC) A form for Card Production Entities and CPSA Companies to attest to the results of a PCI CPSA assessment (Logical and/or Physical), as documented in the CPSA Report on Compliance.
PCI Card Production and Provisioning Attestation of Compliance (Card Production AOC) A form for Card Production Entities and CPSA Companies to attest to the results of a PCI Card Production Assessment (Logical and/or Physical), as documented in the CPSA Report on Compliance.
Modified p. 4 → 5
PCI Card Production Security Assessor (CPSA) Qualification Requirements Defines the set of requirements that must be met by a CPSA Companies and CPSA Employees in order to perform their respective roles in connection with PCI Card Production Assessments.
PCI Card Production Security Assessor (CPSA) Qualification Requirements Defines the set of requirements that must be met by CPSA Companies and CPSA Employees in order to perform their respective roles in connection with PCI Card Production Assessments.
Modified p. 4 → 6
PCI Card Production and Provisioning Template for Report on Compliance (Card Production ROC) The mandatory template for use in completing a Card Production Report on Compliance. Provides detail on how to document the findings of a PCI Card Production Assessment. There is one template for use with the PCI Card Production Logical Security Standard and one template for use with the PCI Card Production Physical Security Standard.
PCI Card Production and Provisioning Template for Report on Compliance (Card Production ROC) The mandatory template for use in completing a Card Production Report on Compliance. Provides detail on how to document the findings of a PCI Card Production Assessment. There is one template for use with the PCI Card Production Logical Security Requirements and one template for use with the PCI Card Production Physical Security Requirements.
Modified p. 4 → 6
CPSA Feedback Form Gives the Card Production Entity an opportunity to offer feedback regarding the CPSA and the assessment process. https://www.pcisecuritystandards.org/assessors_and_solutions/Card Production Security_Assessors_feedback
CPSA Feedback Form Gives the Card Production Entity an opportunity to offer feedback regarding the CPSA and the assessment process. https://listings.pcisecuritystandards.org/assessors_and_solutions/cpsa_feedback

1.2 Updates to Documents and Security Requirements
This Program Guide is expected to change as necessary to align with updates to the PCI Card Production Security Requirements and other PCI SSC Standards. Additionally, PCI SSC provides interim updates to the PCI community through a variety of means, including required CPSA Employee training, e-mail bulletins and newsletters, frequently asked …
Removed p. 5
Legacy Program The Card Production Entity assessor programs managed by Visa, Mastercard, American Express, Discover and qualifying PCI Affiliate Members prior to the PCI Card Production Security Assessor program.
Modified p. 5 → 6
Term Definition / Source / Document Reference Assessor Portal Web-based application made available to PCI qualified assessors to access PCI program documentation and forms.
Term Definition / Source / Document Reference Assessor Portal (Portal) Web-based application made available to PCI SSC qualified assessors to access PCI SSC program documentation and forms.
Modified p. 5 → 6
CPSA Employee An employee of a CPSA Company who has been qualified, and continues to be qualified, by PCI SSC to perform PCI Card Production Assessments (Logical and/or Physical)
CPSA List The then-current list of CPSA Companies published by PCI SSC on the Website.
CPSA Employee An employee of a CPSA Company who has been qualified, and continues to be qualified, by PCI SSC to perform PCI Card Production Assessments (Logical and/or Physical).
Modified p. 5 → 7
CPSA Program Manager (PM) The PCI SSC staff member charged with overseeing the CPSA Program activities and providing support and answering inquiries on the CPSA Program. Contact e-mail CPSA@pcisecuritystandards.org
CPSA Qualification Requirements The then-current version of (or successor documents to) the Payment Card Industry (PCI) Qualification Requirements for Card Production Security Assessors (CPSA), as from time to time amended and made available on the Website.
CPSA Qualification Requirements The then-current version of (or successor documents to) the Payment Card Industry (PCI) Qualification Requirements for Card Production Security Assessors (CPSA), as from time to time amended and made available on the Website.
Removed p. 6
PCI Card Production Assessment Onsite reviews of a Card Production Entity to determine its compliance with the PCI Card Production Standards as part of the PCI CPSA Program. The onsite reviews are conducted by CPSA Companies and their employees.
Modified p. 6 → 7
PCI SSC PCI Security Standards Council is the standards body that maintains the PCI SSC Standards and supporting programs and documentation
Remediation The PCI Assessor Quality Management (AQM) process for addressing identified quality issues at CPSA Companies.
PCI SSC PCI Security Standards Council is the standards body that maintains the PCI SSC Standards and supporting programs and documentation.
Removed p. 7
• Endorsing qualification criteria
• Responding to cardholder data compromises

5.2 PCI Security Standards Council
Modified p. 7 → 8
• Managing compliance enforcement programs, e.g. policies, procedures, mandates, and due dates
• Determining the compliance status of the assessed entity
• Establishing penalties and fees
• Determining the card production entities that need to comply and be validated.

• Managing compliance enforcement programs, e.g., policies, procedures, mandates, and due dates
• Determining the compliance status of the assessed entity
• Establishing penalties and fees
• Determining the card production entities that need to comply and be validated
• Endorsing qualification criteria
• Responding to cardholder data compromises

2.2 PCI Security Standards Council
Modified p. 7 → 8
• Maintains the PCI Card Production Standards and related validation requirements, programs, and supporting documentation.
• Maintains the PCI Card Production Security Requirements and related validation requirements, programs, and supporting documentation.
Modified p. 7 → 8
Note: Contact details for the Participating Payment Brands can be found in FAQ #1142 on the Website.
Note: Contact details for the Participating Payment Brands can be found in Card Production and Provisioning Technical FAQ on the Website.
Removed p. 8
− Being on-site at assessed entity during the PCI Card Production Assessment
− Selecting employees, systems, and system components to accurately represent the assessed environment when sampling is employed.

− Assessing the level of compliance the entity has achieved with respect to PCI Card Production Standards (Logical and/or Physical)
− Submission of reporting as described in the PCI Card Production Assessment Audit Process below
Modified p. 8 → 9
• Adhering to the CPSA Requirements and this Program Guide
• Successfully completing all applicable CPSA Program training requirements
• Maintaining knowledge of and ensuring adherence to current and relevant PCI Card Production guidance located in the Document Library section of the Website
• Performing PCI Card Production Assessments in accordance with the PCI Card Production Standards, including but not limited to:

• Adhering to the CPSA Requirements and this Program Guide
• Successfully completing all applicable CPSA Program training requirements
• Maintaining knowledge of and ensuring adherence to current and relevant PCI Card Production guidance located in the Document Library section of the Website
• Performing PCI Card Production Assessments in accordance with the PCI Card Production Security Requirements, including but not limited to:
Modified p. 8 → 9
− Effectively using the Card Production Reporting Template to produce Reports on Compliance (Card Production ROC)
− Completing the PCI Card Production Attestation of Compliance (CPSA AOC)
− Validating and attesting as to an entity’s compliance with the PCI Card Production Standards
− Maintaining documents, workpapers, and interview notes that were collected during the PCI Card Production Assessment and used to validate the findings
− Applying and maintaining independent judgement in all PCI Card Production Security Assessment decisions
− Conducting …

− Selecting employees, systems, and system components to accurately represent the assessed environment when sampling is employed
− Effectively using the Card Production Reporting Template to produce Reports on Compliance (Card Production ROC)
− Completing the PCI Card Production Attestation of Compliance (CPSA AOC)
− Validating and attesting as to an entity’s compliance with the PCI Card Production Security Requirements
− Maintaining documents, workpapers, and interview notes that were collected during the PCI Card Production Assessment and used to validate …
Modified p. 8 → 9
Note: While the Primary Contact’s role includes helping facilitate and coordinate with PCI SSC regarding administrative or technical questions, Primary Contacts as well as CPSA Companies and CPSA Employees are strongly encouraged to check the FAQs published on the Website prior to contacting PCI SSC with questions.
Note: While the Primary Contact’s role includes helping facilitate and coordinate with PCI SSC regarding administrative or technical questions, Primary Contacts as well as CPSA Companies and CPSA Employees are strongly encouraged to check the FAQs published on the Website prior to contacting PCI SSC with questions.
Modified p. 9 → 10
• Understanding compliance and validation requirements of the current PCI Card Production Standard.
• Understanding compliance and validation requirements of the current PCI Card Production Security Requirements.
Modified p. 9 → 10
• Maintaining compliance with the PCI Card Production Standards at all times.
• Maintaining compliance with the PCI Card Production Security Requirements at all times.
Modified p. 9 → 10
• Providing related attestation (e.g., proper scoping and network segmentation).
• Providing related attestation, e.g., proper scoping and network segmentation.
Modified p. 10 → 11
The following sections introduce the procedures, requirements, and forms that are applied by the PCI SSC to qualify a CPSA Company and CPSA Employee to assess compliance with the PCI Card Production and Provisioning Security Standard. The qualification process is described in detail within a separate PCI Card Production Assessor Qualification Requirements document.
The following sections introduce the procedures, requirements, and forms that are applied by the PCI SSC to qualify a CPSA Company and CPSA Employee to assess compliance with the PCI Card Production and Provisioning Security Requirements. The qualification process is described in detail within a separate PCI Card Production Security Assessor Qualification Requirements document.
Removed p. 11
• Employee of CPSA company

6.2.3 Card Production Assessors under Legacy Programs
Card Production Entity assessors (Logical or Physical) in good standing under existing Legacy Programs as of June 1, 2019 will not be required to qualify to all CPSA qualification requirements if they satisfy each of the following:

• Have at least two years of experience as a Card Production Entity assessor and have completed at least four Card Production Entity assessments under a Legacy Program or have less than two years of experience as a Card Production Entity assessor and completed at least eight Card Production Entity assessments under a Legacy Program.

• Have completed the required PCI CPSA program training.

• Are an employee of a CPSA company.

These assessors will be required to qualify to all CPSA qualification requirements by March 1, 2021. See the CPSA Qualification Requirements for more information.
Removed p. 12
A CPSA Employee must be re-qualified by PCI SSC on an annual basis. In order to requalify, each CPSA Employee must have either (a) completed at least three PCI Card Production Assessments for different facilities over the last one-year period or (b) successfully completed PCI SSC’s in-person, instructor-led CPSA Employee training course and exam. A combined physical and logical assessment for a specific site will count as one assessment for purposes of the preceding sentence.
Modified p. 12 → 13
The annual re-qualification date is based upon the CPSA Employee’s previous qualification date. Re-qualification requires proof of training successfully completed and continued compliance with applicable CPSA Requirements. For example, a one-year requalification for a certification with a current qualification date of 15 November 2019 will be changed to 15 November 2020 upon successful completion, regardless of whether the requalification was completed on 31 October 2019 or 25 November 2019.
The annual requalification date is based upon the CPSA Employee’s previous qualification date. Requalification requires proof of training successfully completed and continued compliance with applicable CPSA Requirements. Regardless of when the CPSA Employee completes their requalification requirements within the grace period described below, the requalification date remains the same. For example, a one-year requalification for a certification with a current qualification date of 15 November of a given year will be changed to 15 November one year later upon successful …
Modified p. 12 → 13
Note: Negative feedback from Card Production Entities, PCI SSC, Participating Payment Brands, or others may impact the CPSA Company’s and/or CPSA Employee’s eligibility for requalification.
Note: Negative feedback from Card Production Entities, PCI SSC, Participating Payment Brands, or others may impact the CPSA Company’s and/or CPSA Employee’s eligibility for requalification. (See Requirement 6.3 in CPSA Qualification Requirements.)
Modified p. 12 → 14
• Registration for requalification training must be completed prior to the CPSA Employee’s qualification expiration date. A candidate who is not registered prior to that expiry date must re-enroll as a new candidate.
• Registration for requalification training must be completed prior to the CPSA Employee’s qualification expiration date. A candidate who is not registered prior to that expiry date must re-enroll as a new candidate and successfully complete Instructor-led training.
Modified p. 12 → 14
• A two-week grace period is provided beyond the candidate’s expiry date in order to complete requalification training; however, candidates will not be qualified by PCI SSC during this time and will not be requalified until the requalification exam is successfully completed.
• A two-week grace period is provided beyond the candidate’s expiry date in order to complete requalification training; however, candidates will be removed from the CPSA Assessor List and will not be qualified by PCI SSC during this time and will not be requalified until the requalification exam is successfully completed.
Modified p. 12 → 14
• Access to the course and requalification exam will be granted only after payment is processed, and candidates will have access to the exam at most four weeks prior and two weeks past their expiration date.
• Access to the requalification course and exam will be granted only after payment is processed by PCI SSC, and candidates will have access to the exam up to four calendar weeks prior to, and two calendar weeks past their expiration date.
Modified p. 12 → 14
• If a candidate is registered for requalification training and fails to take the training within the defined period, payment will be forfeited in full and the individual will need to reapply as a new CPSA Employee candidate.
• If a candidate is registered for requalification training and fails to take the training or fails the exam within the defined period, payment will be forfeited in full, and the individual must reapply as a new CPSA Employee candidate.
Modified p. 13 → 15
Notices from PCI SSC to the designated Primary Contact may be communicated via the Assessor Portal, e-mail, registered mail, or any other method permitted by the CPSA Agreement.
Notices from PCI SSC to the Primary Contact may be communicated via the Assessor Portal, e-mail, registered mail, or any other method permitted by the CPSA Agreement.
Modified p. 13 → 15
The Primary Contact is given initial access to the Assessor Portal once they complete and submit the online registration form on the PCI Website.
The Primary Contact is given initial access to the Assessor Portal once they complete and submit the online registration form on the Website.
Modified p. 14 → 15
• Requalification training approval page for all CPSA Employees
• Insurance policies with respective expiration dates
• Complete list of all CPSA Employee for their Company and their respective qualification expiration dates
• Addresses for all CPSA training locations throughout the year

• Requalification training approval page for all CPSA Employees
• Insurance policies with respective expiration dates
• Complete list of all CPSA Employees for their Company and their respective qualification expiration dates
• Addresses for all CPSA training locations throughout the year
Modified p. 15 → 16
• Assessment Scheduling
• Assessment Preparation
• On-Site Inspection
• Documenting the Assessment Results
• Assessment Result Submission
• Non-compliance Finding Remediation
• Evidence Retention
• Security Incident Response

7.1 Assessment Scheduling
To demonstrate compliance with the PCI Card Production Security Standard, Card Production Entities may be required to have periodic onsite PCI Card Production Security Assessments conducted as required by each Participating Payment Brand.

• Assessment Scheduling
• Assessment Preparation
• Facility Assessment
• Documenting the Assessment Results
• Assessment Result Submission
• Non-compliance Finding Remediation
• Evidence Retention
• Security Incident Response

CPSA Employees must work only on those PCI Card Production Assessments for which they are qualified by PCI SSC, have appropriate skills, including technology and language, and have an appropriate understanding of the client’s business.
Modified p. 15 → 16
PCI Card Production Security Assessments are required to be conducted by a CPSA Company through its CPSA Employees, in accordance with the PCI Card Production Security Standards, which contain requirements, testing procedures, and guidance to ensure that the intent of each requirement is understood.
PCI Card Production Assessments are required to be conducted by a CPSA Company through its CPSA Employees, in accordance with the PCI Card Production Security Requirements, which contain requirements, testing procedures, and guidance to ensure that the intent of each requirement is understood.
Modified p. 15 → 16
Compliance with the PCI Card Production and Provisioning Security Requirements (Physical and Logical) is conducted on-site. Any controls that are assessed offsite must be identified and the results documented in the Card Production ROC. The Card Production ROC must accurately represent the assessed environment and the security controls evaluated by the CPSA Employee.
Compliance with the PCI Card Production Security Requirements (Physical and Logical) is conducted onsite. Any controls that are assessed offsite must be identified and the results documented in the Card Production ROC. The Card Production ROC must accurately represent the assessed environment and the security controls evaluated by the CPSA Employee.
Modified p. 17 → 18
As part of the PCI SSC’s Assessor Quality Management (“AQM”) CPSA Program audit process (“CPSA Audit”) and in other AQM quality assurance (“QA”) review work as needed, it is common for AQM to request both the CPSA Company’s Workpaper Retention Policy and a sample of PCI Card Production Assessment workpapers. This is to ensure the CPSA Company has a current documented, implemented Workpaper Retention process consistent with the requirements defined in the CPSA Qualification Requirements, including appropriate level of detailed instructions …
As part of the PCI SSC’s Assessor Quality Management (“AQM”) CPSA Program audit process (“CPSA Audit”), and in other AQM quality-assurance (“QA”) review work as needed, it is common for AQM to request both the CPSA Company’s Workpaper Retention Policy and a sample of PCI Card Production Assessment workpapers. This is to ensure the CPSA Company has a current documented, implemented Workpaper Retention process consistent with the requirements defined in the CPSA Qualification Requirements, including the appropriate level of detailed instructions …
Modified p. 18 → 20
A “Satisfactory” finding indicates that the audit findings reasonably confirmed (1) the CPSA Company/Employee’s on-going adherence to the current CPSA Qualification Requirements; (2) that the CPSA Company’s quality policy documentation is implemented and maintained according to the CPSA Qualification Requirements; and (3) the CPSA Company/Employee’s on-going general adherence to reporting requirements as evidenced by sampled CPSA ROCs.
A “Satisfactory” finding indicates that the audit findings reasonably confirmed (1) the CPSA Company/Employee’s ongoing adherence to the current CPSA Qualification Requirements; (2) that the CPSA Company’s quality policy documentation is implemented and maintained according to the CPSA Qualification Requirements; and (3) the CPSA Company/Employee’s ongoing general adherence to reporting requirements as evidenced by sampled CPSA ROCs.
Modified p. 18 → 21
A “Needs Improvement” finding indicates that there were minor findings and/or opportunities for improvement identified that assessors should address to ensure continued adherence with program documentation. Still, the audit findings reasonably confirmed (1) the CPSA Company/Employee’s on-going adherence to the current CPSA Qualification Requirements; (2) that the CPSA Company’s quality policy documentation is implemented and maintained according to the CPSA Qualification Requirements; and (3) the CPSA Company/Employee’s on-going general adherence to reporting requirements as evidenced by sampled CPSA ROCs.
A “Needs Improvement” finding indicates that there were minor findings and/or opportunities for improvement identified that assessors should address to ensure continued adherence with program documentation. Still, the audit findings reasonably confirmed (1) the CPSA Company/Employee’s ongoing adherence to the current CPSA Qualification Requirements; (2) that the CPSA Company’s quality policy documentation is implemented and maintained according to the CPSA Qualification Requirements; and (3) the CPSA Company/Employee’s ongoing general adherence to reporting requirements as evidenced by sampled CPSA ROCs.
Modified p. 18 → 21
An “Unsatisfactory” finding indicates that there were serious findings identified during the CPSA Audit, including possible Violations to the CPSA Agreement. This finding will result in Remediation and/or Revocation, per the current CPSA Qualification Requirements. Audit findings that result in an Unsatisfactory finding mean that AQM could not confirm one or more of the following: (1) the CPSA Company/Employee’s on-going adherence to the current CPSA Qualification Requirements; (2) that the CPSA Company’s quality policy documentation is implemented and maintained according …
An “Unsatisfactory” finding indicates that there were serious findings identified during the CPSA Audit, including possible Violations to the CPSA Agreement. This finding will result in Remediation and/or Revocation, per the current CPSA Qualification Requirements. Audit findings that result in an Unsatisfactory finding mean that AQM could not confirm one or more of the following: (1) the CPSA Company/Employee’s ongoing adherence to the current CPSA Qualification Requirements; (2) that the CPSA Company’s quality policy documentation is implemented and maintained according …
Removed p. 19
• Each CPSA Company agrees that when it (or any CPSA Employee thereof) recommends remediation actions that include one of its own solutions or products, the CPSA Company will also recommend other market options that exist.

• Each CPSA Company must adhere to all independence requirements as established by PCI SSC. For a complete list, please see Section 2.2 in the CPSA Qualification Requirements.
Removed p. 19
Any Participating Payment Brand or Card Production Entities may submit CPSA Feedback Forms to PCI SSC to provide feedback on a PCI Card Production Security Assessment, CPSA Company, or CPSA Employee.
Modified p. 19 → 21
CPSA Companies and CPSA Employees are prohibited from performing PCI Card Production Assessments of entities that they control or are controlled by, and entities with which they are under common control or in which they hold any investment.
CPSA Companies and CPSA Employees are prohibited from performing PCI Card Production Assessments of entities that they control or are controlled by, and entities with which they are under common control or in which they hold any investment.
Modified p. 19 → 21
CPSA Companies and CPSA Employees must not enter into any contract with a Card Production Entity that guarantees a compliant CPSA ROC.
CPSA Companies and CPSA Employees must not enter into any contract with a Card Production Entity that guarantees a compliant CPSA ROC.
Modified p. 19 → 21
CPSA Companies must fully disclose in the CPSA Report on Compliance if they assess Card Production Entities who use any security-related devices or security-related applications that have been developed or manufactured by the CPSA Company, or to which the CPSA Company owns the rights, or that the CPSA Company has configured or manages.
CPSA Companies must fully disclose in the CPSA Report on Compliance if they assess Card Production Entities who use any security-related devices or security-related applications that
Modified p. 20 → 22
• Remediation Period of at least 120 days.
• Remediation Period of at least 120 calendar days.
Modified p. 20 → 22
• An AQM case manager assigned to the CPSA Company to offer support as it works to bring its quality level to the expected baseline standard of quality.
• An AQM case manager assigned to the CPSA Company to offer support as it works to bring its quality level to the required baseline standard of quality.
Modified p. 20 → 23
• Failure to perform PCI Card Production Security Assessments in accordance with the PCI Card Production Standards.
• Failure to perform PCI Card Production Security Assessments in accordance with the PCI Card Production Security Requirements or CPSA Program.
Modified p. 20 → 23
• Failure to maintain physical, electronic and procedural safeguards to protect the confidential and sensitive information.
• Failure to maintain physical, electronic, and/or procedural safeguards to protect confidential and sensitive information.
Modified p. 20 → 23
• Failure to successfully complete any required PCI SSC training.
• Failure to successfully complete applicable required PCI SSC training.
Modified p. 20 → 23
• Cheating on any PCI SSC training exam.
• Cheating on any PCI SSC exam.
Modified p. 20 → 23
Upon notification of pending CPSA Company Revocation by PCI SSC, the CPSA Company or CPSA Employee will have 30 days in which to appeal the ruling in writing to PCI SSC.
Upon notification of pending CPSA Company Revocation by PCI SSC, the CPSA Company or CPSA Employee will have 30 calendar days in which to appeal in writing to PCI SSC.
Modified p. 20 → 23
Revocation will result in the CPSA Company or CPSA Employee being removed from the CPSA List or search engine, as applicable.
Revocation will result in the CPSA Company or CPSA Employee being removed from the CPSA List or search tool, as applicable.
Modified p. 21 → 24
CPSA Employee may transfer to other companies. The following should be noted when a CPSA Employee moves to a new company:
CPSA Employees may transfer to other companies. The following should be noted when a CPSA Employee moves to a new company:
Modified p. 21 → 24
2. If the CPSA Employee moves to an active CPSA Company and is to be utilized by that CPSA Company as a CPSA Employee, the Primary Contact of the new CPSA Company must notify the CPSA Program Manager prior to permitting the CPSA Employee to participate in any PCI Card Production Assessment. The following information should be supplied to the CPSA Program Manager:
2. If the CPSA Employee moves to an active CPSA Company and is to be utilized by that CPSA Company as a CPSA Employee, the Primary Contact of the new CPSA Company must notify the CPSA Program Manager prior to permitting the CPSA Employee to participate in any PCI Card Production Assessment. The following information must be provided to the CPSA Program Manager:
Removed p. 23
• Facility identification

• Services confirmation

• Previous finding resolution status and details

• Facility and production environment description
Modified p. 23 → 27
• Key life cycle summary

5 CPSA Company and CPSA Employees provided a thorough response that includes details of testing and observation to validate the integrity of the segmentation within the Summary Overview.

• Facility identification

• Services confirmation

• Previous finding resolution status and details

• Facility and production environment description

• Network diagram(s)

• Key life cycle summary

5 CPSA Company and CPSA Employees provided a thorough response that includes details of testing and observation to validate the integrity of the segmentation within the Summary Overview.
Removed p. 24
• Define audit scope and expected activities

• Audit scheduled when due

• Identify changes since last audit

• Verify previous finding status

• Comply with test procedures and review appropriate evidence

• Exhibit knowledge of requirements
Modified p. 24 → 28
• Establish onsite viewing and access expectations

3 CPSA Company and CPSA Employees adequately perform the audit process, including but not limited to:

• Define audit scope and expected activities

• Audit scheduled when due

• Establish onsite and/or remote (as applicable) viewing and access expectations

3 CPSA Company and CPSA Employees adequately perform the audit process, including but not limited to:
Modified p. 24 → 28
• Perform end of audit result review

4 CPSA Company and CPSA Employees adequately provide post-audit support, including but not limited to:

• Identify changes since last audit

• Verify previous finding status

• Comply with test procedures and review appropriate evidence

• Exhibit knowledge of requirements

• Perform end of audit result review

4 CPSA Company and CPSA Employees adequately provide post-audit support, including but not limited to:
Modified p. 24 → 28
• Finding clarification

• Finding clarification

• Finding disputes