Document Comparison
QIR_Qualification_Requirements_September2015.pdf → QIR_Qualification_Requirements_v4.1.pdf
36% similar
Pages: 23 → 17
Words: 8102 → 5852
Content Changes
74 content changes. 33 administrative changes (dates, page numbers) hidden.
Added
p. 2
March 2018 4.0 Update to reflect QIR Program Expansion
March 2023 4.1 Update PA-DSS references and to include applicable Software Security Framework references
Added
p. 4
All qualified QIR Professionals are identified on the QIR List. If an industry practitioner is not on the QIR List, they are not recognized as a QIR Professional by PCI SSC. All individuals seeking to qualify as QIR Professionals must satisfy all initial Qualification Requirements and requalify with PCI SSC every year, as detailed further in this document.
• Introduction and Program Overview
• How to Earn Your Qualification
• How to Use Your Qualification
• Schedules and Appendices
1.2 QIR Program Overview
The QIR Program offers the QIR Professional Qualification, a credential for those industry practitioners who carry out Qualified Installations on behalf of merchants or service providers. A Qualified Installation involves the installation of, or upgrade to, a Payment Application, Payment Software and/or activities concerning the deployment, configuration, or access to a Payment Application, Payment Software or other payment technologies or services in the Customer’s Cardholder Data environment.
To qualify as a QIR …
Added
p. 6
To begin the application process, candidates seeking QIR Professional Qualification must submit a registration form through the Website. After review of the registration form, PCI SSC will send an e-mail to the candidate with credentials to access the secure web portal designated by PCI SSC for the QIR Program (the “Portal”) and begin the application process.
• Have training and experience in the implementation of all Payment Applications, Payment Software, and related payment technologies and services they implement, including any PA-DSS Validated Payment Applications or PCI Validated Payment Software.
• Attend requisite QIR Program training and legitimately pass, of his or her own accord without any unauthorized assistance, all requisite QIR Program training examinations. QIR Professionals who fail to pass such exams must not lead or manage any Qualified Installation until passing such exams.
• Perform implementations in accordance with applicable Qualification Requirements.
• Work history, such as a Résumé or Curriculum …
Added
p. 8
Please refer to the current schedule of QIR Program Fees (in the Programs Fee Schedule on the Website) for course pricing information.
Once the invoice has been paid, the candidate will receive an e-mail with training instructions and access to the online QIR Professional training course and exam. The QIR Professional training course and exam are self-paced, and access will expire 60 days from the date that access credentials are issued. Upon completion of the exam, the candidate will receive a pass/fail result. Candidates who do not pass the exam on the first attempt may retake the exam a further two times within the 60 days without paying any additional fees.
Individuals who do not pass the QIR Professional training exam within the allotted 60-day period or on their third attempt are required to pay a new QIR Professional training course fee before taking the exam again.
Added
p. 8
QIR Professional Qualification is invalid if PCI SSC reasonably determines that it has been obtained or renewed through fraud or the submission of inaccurate qualification data. The QIR Professional Qualification remains valid until expired, forfeited, or revoked.
Added
p. 8
PCI SSC’s maintenance requirements help ensure that QIR Professionals remain current with technical and industry changes and demonstrate professionalism. To maintain in Good Standing, a QIR Professional must:
• Abide by the PCI SSC Code of Professional Responsibility.
• Comply with all Qualification Requirements.
• Successfully complete required QIR Professional training and exams each year.
Note: There is no requirement for proof of information technology or payment card industry Continuing Professional Education (CPE) hours for the QIR Professional Qualification.
Added
p. 9
Retention of Results For each Qualified Installation, the resulting QIR Implementation Statement must follow the instructions set forth in the QIR Implementation Instructions. Each QIR Implementation Statement must be prepared by a QIR Professional and be based on the results of the Qualified Installation in accordance with the QIR Program Guide. If clarification on the intent of any question in the QIR Implementation Statement is needed, the QIR Implementation Instructions should be used as a reference guide.
The QIR Professional must secure documentary evidence of each Qualified Installation, including the corresponding QIR Implementation Statement, in accordance with applicable Qualification Requirements, including the requirements set out in the QIR Program Guide.
So long as a QIR Professional continues to appear on the QIR List, in advertising and/or promoting its Services, they may refer to their listing on the QIR List and to their qualification by PCI SSC as a QIR Professional. Without prior …
Added
p. 10
Exam Security
The QIR Professional Qualification training exam and all related materials are the sole and exclusive property of PCI SSC. Individuals taking this exam must keep these materials confidential and not make them available to any person or entity for any reason.
Conduct that is considered to violate the security of QIR Professional Qualification training examinations and QIR Program policies includes: (without limitation): Cheating on any exam in connection with QIR Program training, including without limitation submitting work that is not the work of the QIR Professional taking the exam; theft of or accepting or providing unauthorized access to any QIR Program exam or exam question or answer; use of an alternate, stand-in or proxy during an exam; use of any prohibited or unauthorized materials, notes, or computer programs during an exam; and providing or communicating in any way any unauthorized information to another person during an exam.
Privacy Policy QIR …
Added
p. 11
Engagement: The entire commitment of Services, as specified in the contractual agreement between a QIR Professional and their Customer, to provide a Qualified Installation and any ongoing support activities required to maintain the applicable Payment Applications and other payment technologies and services.
Good Standing: With respect to a given QIR Professional, that the QIR Professional (a) has been qualified by PCI SSC as a QIR Professional and such qualification has not been revoked, terminated, suspended, cancelled, or withdrawn; (b) is in compliance with all Qualification Requirements; and (c) is not in breach of any term, condition, or obligation under any other agreement with PCI SSC.
Note: The PCI PA-DSS Program is closed to new applications. PA-DSS Validated Applications that are listed as “Acceptable Only for Pre-Existing Deployments” may be used in existing implementations; however, questions about their continued use to satisfy brand or acquirer compliance requirements should be directed to those …
Added
p. 13
QIR Professional Qualification: Qualification as a QIR Professional granted by PCI SSC for purposes of authorizing industry practitioners who satisfy applicable requirements to perform Qualified Installations under the QIR Program.
QIR Program Guide: The then-current version of the Payment Card Industry (PCI) Qualified Integrator and Reseller (QIR)™ Program Guide (or successor document thereto), as made publicly available by PCI SSC on the Website.
Qualified Installation: The installation or upgrade of Payment Application or related payment technologies, or provision of related services or activities in connection with the deployment, configuration, or access to the foregoing in the Customer’s Cardholder Data environment, for QIR Program purposes.
Qualification Requirements: With respect to a given QIR Professional, the requirements and obligations thereof pursuant to the QIR Qualification Requirements, the QIR Agreement, and the QIR Program Guide, each addendum and supplement to each of the foregoing, each agreement entered into between such QIR Professional and PCI SSC, and …
Added
p. 14
1. QIR Professional Qualification; Listing. During the Term (defined below): (a) PCI SSC hereby qualifies you to perform Qualified Installations and Services subject to compliance with all applicable Qualification Requirements, and (B) PCI SSC is authorized to include your name and QIR Professional Qualification status information in the QIR List. You acknowledge and agree that in the event PCI SSC determines in its sole but reasonable discretion that you have failed to satisfy all applicable Qualification Requirements or that you otherwise meet any condition for “Remediation” or “Revocation” (as defined in the QIR Program Guide), PCI SSC may, upon notice, offer you the opportunity to participate in Remediation, revoke your QIR Professional Qualification, annotate or remove your listing on the QIR List, and/or terminate this Agreement.
2. Qualification Requirements. During the Term, you agree to comply with all Qualification Requirements, including but not limited to the policies, procedures, terms and conditions …
Added
p. 15
6. Confidentiality and Required Disclosures; Use of Marks. You hereby acknowledge and agree to comply with the confidentiality and required disclosure provisions set forth in the QIR Program Documents. To help ensure your ability to promptly make such required disclosures, you shall ensure that your agreements with each Customer permit you to make such disclosures in accordance with the QIR Program Documents.
Topic | Requirement
QIR Agreement | The applicant must accept the terms of the QIR Agreement.
Contact Information | The applicant must include all their contact details, including their full legal name, e-mail address, and phone number.
Experience | The applicant must confirm experience in information technology and experience in installing and configuring payment technologies that will form part of Qualified Installations that they will perform, equal to at least one year or three separate engagements.
Modified
p. 1
Payment Card Industry (PCI) Qualification Requirements For Qualified Integrators and Resellers (QIRs)™ Version 3.0
Payment Card Industry (PCI) Qualified Integrator and Reseller (QIR)™ Qualification Requirements Version 4.1
Removed
p. 4
All QIR Companies are identified on the QIR List in accordance with the QIR Agreement. If a company is not on the QIR List, it is not recognized as a QIR Company by PCI SSC. All companies and individuals seeking to qualify as QIR Companies or QIR Employees must satisfy initial qualification requirements and requalify with PCI SSC every three years, as detailed further in this document.
Removed
p. 4
Section 1: Introduction offers a high-level overview of the QIR application process.
Section 2: QIR Company Business Requirements covers minimum business requirements that must be demonstrated to PCI SSC by the company.
Section 3: QIR Company and QIR Employee Capability Requirements reviews the information and documentation necessary to demonstrate the service qualifications and expertise of the company and its employees.
Section 4: QIR Company Administrative Requirements focuses on the logistics of doing business as a QIR Company, including background checks, adherence to QIR Program procedures, protection of confidential and sensitive information, and quality assurance.
Section 5: QIR Requalification briefly outlines the QIR requalification process.
Section 6: QIR Remediation and Revocation Process contains information regarding remediation and revocation procedures.
Schedules and Appendices: The schedules and appendices to the QIR Qualification Requirements include the terminology schedule, QIR Agreement and Application Checklist.
PCI DSS, the PCI SSC standard that sets the foundation for other PCI Standards and related requirements …
Modified
p. 4
Interested applicants should complete the online registration form located on the PCI Security Standards Council Website (Website).
Interested applicants should complete the online registration form located on the Website.
Removed
p. 5
In the event a company does not meet the requirements specified in the QIR Qualification Requirements, PCI SSC will notify the company, and the company will have 30 days from the date of notification to appeal the decision. Appeals must be addressed to the PCI SSC General Manager. If a company’s appeal is denied, its name will not be placed on the QIR List.
Modified
p. 5
• QIR Implementation Instructions, the guidance document used to explain how to complete the QIR Implementation Statement
Modified
p. 5 → 7
1. PCI SSC reserves the right to reject any applicant if PCI SSC determines in its reasonable discretion, or has reason to believe, that the applicant fails to satisfy applicable QIR Program requirements or has, within two (2) years prior to the application date, engaged in any conduct that would have been considered a “Violation” (defined in the QIR Program Guide) if committed by a QIR Professional. The period of ineligibility will be a minimum of one (1) year as …
Removed
p. 6
Copy of business license or equivalent (proof of legal existence from the relevant jurisdiction; see Business License Requirements on Website).
Attestation that the QIR Company (and QIR Company principals) have no past or present allegations or convictions of any fraudulent or criminal activity against them, or a written statement describing any such allegations or convictions and the status and resolution thereof.
Removed
p. 6
Each QIR Employee must accept the PCI SSC Code of Professional Responsibility at the beginning of each PCI SSC QIR Training course.
Removed
p. 6
PCI Security Standards Council
401 Edgewater Place, Suite 600
Wakefield, MA 01880 USA
Phone number: (781) 876-8855
QIR Companies are responsible for payment of the following Fees as then specified on the Website:
Modified
p. 6 → 7
PCI SSC has adopted a PCI SSC Code of Professional Responsibility (the “Code,” available on the Website) to help ensure that PCI SSC-qualified companies and individuals adhere to high standards of ethical and professional conduct. All PCI SSC-qualified companies and individuals must advocate, adhere to and support the Code.
PCI SSC has adopted a PCI SSC Code of Professional Responsibility (the “Code,” available on the Website) to help ensure the highest standards of ethical and professional conduct are followed. QIR Professional candidates must advocate, adhere to, and support the Code.
Removed
p. 7
Exam Retake (necessary only if the QIR Employee’s previous attempt resulted in failure) There is no limit to the number of times an individual QIR Employee can retake the QIR Exam and there is no waiting period required after each failed attempt. The QIR Company will be assessed the Exam Retake Fee prior to each retake attempt.
Requalification Requalification is required every three years on or before the QIR Employee’s qualification expiration date. In order to requalify, individual QIR Employees will need to take the QIR Training and Exam. The Fees a QIR Company will pay are the QIR Training and Exam Fee for each individual QIR Employee they want to have requalify.
Removed
p. 7
The QIR Company must have processes in place to ensure that its QIR Employees are trained and have access to applicable documentation to perform Qualified Installations. Processes must include, but are not limited to, participation in the training program(s) provided by PCI SSC and the Payment Application vendor(s). The PA-DSS standard requires PA-DSS Payment Application vendors to maintain instructional documentation and training programs for integrators and resellers.
The QIR Company must have experience installing and configuring applications, preferably Payment Applications, equal to at least one year or three separate engagements.
The QIR Company must at all times employ at least one (1) QIR Employee.
Modified
p. 7
2. All QIR Program Fees are non-refundable, updated annually, and subject to change upon notice from PCI SSC. Posting of a revised Programs Fee Schedule on the Website shall be deemed to constitute notice of a fee change.
Removed
p. 8
Confirmation that the QIR Company is either the direct provider of a PA-DSS validated Payment Application or a completely independent third-party licensed or otherwise authorized by the PA-DSS validated Payment Application vendor to implement the Payment Application into the merchant or service provider environment.
Confirmation that the QIR Company has processes for ensuring that all of its QIR Employees are trained and have access to documentation from PCI SSC and the Payment Application vendor, including, but not limited to the PCI DSS and PA-DSS standard and program documentation, and Payment Application vendor training and the PA-DSS Implementation Guide for each PA-DSS validated Payment Application for which they intend to perform Qualified Installations.
Confirmation of the QIR Company’s experience installing or configuring applications equal to one year or three separate engagements.
List of the regional markets and languages supported by the QIR Company.
Acknowledgement that the QIR Company must continually …
Removed
p. 8
Performing the Qualified Installation(s).
Ensuring the PA-DSS validated Payment Application is installed in a manner compliant with the Payment Application vendor’s PA-DSS Implementation Guide, following the best practices of the QIR Program Guide, and in a manner that facilitates Customers’ PCI DSS compliance.
Producing the QIR Implementation Statement.
Be knowledgeable regarding the QIR Program Guide.
Be knowledgeable of appropriate contents of the PA-DSS Implementation Guide(s) for the Payment Application(s) they implement.
Be trained in and have up-to-date knowledge of the PA-DSS validated Payment Application(s) they implement, and perform such implementation(s) in accordance with applicable QIR Requirements.
Modified
p. 8 → 7
• Have at least one year of technology installation and system hardening experience (gained over at least one year or three separate engagements) conducting technically complex installations.
Removed
p. 9
Be employees of the QIR Company (meaning this work cannot be subcontracted to non-employees) or permitted subcontractors approved in writing by PCI SSC. Approved subcontractors shall not be permitted to include a company logo other than that of the responsible QIR Company or any reference to another company in the QIR Implementation Statement documents while performing work on behalf of the QIR Company.
Removed
p. 9
Work history, such as a Résumé or Curriculum Vitae, that includes relevant work experience and responsibilities in Payment Application installations, system hardening, system integration, network security, etc., and work experience related to the payment industry.
Removed
p. 9
Job Title
Phone number
E-mail address
4.2 Background Checks
4.2.1 Requirements
The QIR Company must perform background checks (as described in Section 4.2.2) on all QIR Employees, if legally permitted within the applicable jurisdiction.
Upon request, the QIR Company must provide to PCI SSC the background check history for each QIR Employee, if legally permitted within the applicable jurisdiction.
Removed
p. 10
Confirmation that the QIR Company conducts background checks for each employee:
o Background checks must be completed prior to submitting employee qualification requests to PCI SSC.
o QIR Employees must successfully pass the background check in accordance with the QIR Company’s policies and procedures (where legally permitted).
o Examples of background checks include previous employment history, criminal record, credit history and reference checks.
Confirmation that the QIR Company background checks include each of the following (to the extent legally permissible in the applicable jurisdiction):
o Gathering of current photographs
o Verification of aliases (when applicable)
o Annual review of records of any criminal activity, arrests or convictions
o Automatic disqualification from QIR Employee consideration of individuals who have committed any felony or crime involving financial fraud or forgery
4.3 Adherence to PCI SSC Procedures
4.3.1 Implementation Statements
For each Qualified Installation, the resulting QIR Implementation Statement must follow the …
Removed
p. 11
The QIR Company must provide a QIR Feedback Form to each Customer at the start of the installation.
The QIR Company must adhere to all quality assurance requirements mandated by PCI SSC.
The QIR Company must permit PCI SSC to conduct audits of any QIR program-related requirement at the discretion of PCI SSC.
Removed
p. 11
Contact information for the QIR Company’s designated quality assurance manager (who may be the same as the primary contact), as follows:
o Job Title
o Phone number
o E-mail address
Confirmation that the QIR Company has a Quality Manual that complies with the requirements set forth in the QIR Program Guide and include, at a minimum, the following:
o A reference to the QIR Company’s installation procedures or details of the installation processes.
o A reference to procedures or details of processes for employees and contractors with access to Customer sites to strictly follow secure access, installation, maintenance and support processes included in the PA-DSS Implementation Guide for each validated Payment Application.
o Appropriate requirements, processes and/or procedures to ensure the proper documentation of all installation results.
o A requirement for the Lead QIR to complete the QIR Implementation Statement and sign the completed document.
o A requirement …
Removed
p. 12
The QIR Company must adhere to all requirements to protect such sensitive and confidential information, as required by the applicable Customer, PCI SSC or Participating Payment Brands.
To the extent the QIR Company stores, processes or transmits any data to which the PCI DSS applies, the QIR Company shall be required to be certified as compliant with the PCI DSS and shall, at its sole cost and expense: (a) conduct or have conducted the audits required for PCI DSS compliance; and (b) take all actions required to maintain PCI DSS compliance.
Removed
p. 12
Confirmation that the QIR Company has implemented and complies with appropriate practices for protecting and handling all such confidential and sensitive data, including at a minimum the following physical, electronic, and procedural safeguards:
o Systems storing Customer data do not reside on Internet-accessible systems.
o Protection of systems storing Customer data by adequate network and application-layer controls, including a firewall and IDS/IPS.
o The following physical and logical access controls:
• Restricted access (e.g., via locks) to the physical office space.
• Restricted access (e.g., via locked file cabinets) to paper files.
• Restricted logical access to electronic files via role-based access control.
• Encryption of sensitive Customer information when transmitted over the Internet either by e-mail or other means.
• Secure transport and storage of backup media.
• Encryption of Customer data on QIR employee laptops.
o Processes to ensure employees and contractors maintain the confidentiality and restrict the use of all such …
Removed
p. 13
Be retained for a minimum of three (3) years from the completion of each Qualified Installation. The QIR Company must secure (in accordance with 4.5 above) and maintain documented evidence (whether in digital or hard copy format) of compliance with all requirements of the PA-DSS Implementation Guide, including but not limited to copies of configuration and other installation reports and settings, results, and related work papers, notes, and technical information created and/or obtained during the applicable Qualified Installation. For a list of acceptable forms of evidence, please see the QIR Program Guide.
Adhere to all evidence-retention requirements required by PCI SSC.
Be available upon request by PCI SSC, PFIs and Participating Payment Brands for the time period specified in the QIR Program Guide, even if the QIR Company leaves the QIR Program.
Removed
p. 13
Confirmation that the QIR Company has a retention policy or retention schedule that covers the requirements in Section 4.6.1.
A copy of the QIR Company’s record retention policy or schedule upon request.
Removed
p. 13
Payment of applicable Fees.
The Company maintaining internal processes for managing employee training.
Successful completion of QIR training provided by PCI SSC, which includes passing the exam.
QIR Employees completing the required Continued Professional Education (CPE) credits.
Positive Feedback from Customers, PCI SSC and Participating Payment Brands.
Removed
p. 13
Payment of all applicable QIR Training and Exam Fees (including requalification Fees).
Confirmation that the QIR Company has internal processes to routinely educate QIR Employees on the appropriate methods and techniques to install and configure the validated Payment Application(s) that the QIR Company is authorized to implement.
Removed
p. 15
Engagement The entire commitment of services, as specified in the contractual agreement between a QIR Company and its Customer, to provide a Qualified Installation and any ongoing support activities required to maintain the PA-DSS validated Payment Application in a manner which facilitates PCI DSS compliance.
Good Standing (a) With respect to a given QIR Company, that the QIR Agreement between the QIR Company and PCI SSC is in full force and effect, the QIR Company has been approved by PCI SSC as a QIR Company and such approval has not been revoked, terminated, suspended, cancelled or withdrawn, the QIR Company is in compliance with all QIR Company Requirements, and the QIR Company is not in breach of any of the terms or conditions of remediation, its QIR Agreement (including without limitation, all provisions regarding compliance with the QIR Qualification Requirements and payment), or any other agreement with PCI SSC; and (b) …
Modified
p. 15 → 11
Customer A merchant, service provider, or other entity by or for which a given QIR Professional has been engaged to perform a Qualified Installation.
Modified
p. 15 → 11
Term Meaning Cardholder Data Defined in the current version of (or successor document to) the Payment Card Industry (PCI) Data Security Standard Glossary of Terms, Abbreviations, and Acronyms available on the Website.
Modified
p. 15 → 11
PA-DSS The then-current version of the Payment Card Industry (PCI) Payment Application Data Security Standard Requirements and Security Assessment Procedures (or successor document thereto), as made publicly available by PCI SSC on the Website.
Modified
p. 15 → 11
PA-DSS Implementation Guide An implementation guide prepared by the applicable Payment Application vendor for a given Payment Application (required pursuant to the PA-DSS).
PA-DSS Implementation Guide An implementation guide prepared by the applicable Payment Application vendor for a given PA-DSS Validated Payment Application.
Modified
p. 15 → 12
Payment Application A software application used in connection with the storage, processing or transmission of cardholder data.
Payment Application A software application that stores, processes, or transmits cardholder data as part of processing payments from a Customer for goods or services, and requires Cardholder Data.
Modified
p. 15 → 12
PCI DSS The then current version of the Payment Card Industry (PCI) Data Security Standard Requirements (or successor document thereto), as made publicly available by PCI SSC on the Website.
PCI DSS The then-current version of the Payment Card Industry (PCI) Data Security Standard Requirements (or successor document thereto), as made publicly available by PCI SSC on the Website.
Removed
p. 16
QIR Company (or Qualified Integrator and Reseller Company) Refers to a company that has satisfied and continues to satisfy all requirements set forth in the QIR Qualification Requirements, QIR Program Guide and QIR Agreement and is thereby qualified to implement, configure, or support PA-DSS validated Payment Applications on behalf of Customers.
QIR Company Requirements The requirements applicable to QIR Companies and the provisions required of QIR Companies as set out in the QIR Qualification Requirements, and such additional requirements as PCI SSC may establish for QIR Companies from time to time in connection with the QIR Program.
QIR Employee A full-time employee of a QIR Company who has been approved as a QIR Employee and is in compliance with all QIR Employee Requirements.
QIR Employee Requirements The requirements applicable to QIR Employees as set out in the QIR Qualification Requirements, and such additional requirements as PCI SSC may establish for QIR Employees from …
Modified
p. 16 → 12
PCI Materials The PCI DSS, PA-DSS, QIR Qualification Requirements, QIR Program Guide, QIR Program training materials, Website and all related and other materials provided or otherwise made accessible by PCI SSC in connection with the QIR Program.
PCI Materials The PCI DSS, PA-DSS, QIR Qualification Requirements, QIR Program Guide, QIR Program training materials, Website, and all other materials provided or otherwise made accessible by PCI SSC.
Modified
p. 16 → 12
PFI (or PCI Forensic Investigator) An entity approved as a PCI Forensic Investigator by PCI SSC to perform forensic investigations as part of the PCI SSC PCI Forensic Investigator Program. A list of PFIs appears on the Website.
PFI (or PCI Forensic Investigator) An entity qualified as a PCI Forensic Investigator by PCI SSC to perform forensic investigations (the application of investigative tools and analysis techniques to gather evidence from computer resources to determine the cause of data compromises) as part of the PCI SSC PCI Forensic Investigator Program. A list of PFIs appears on the Website.
Modified
p. 16 → 12
QIR Agreement The QIR Agreement attached as Appendix A to the QIR Qualification Requirements.
QIR Agreement The QIR Professional Agreement in the form attached as Appendix A to the QIR Qualification Requirements.
Modified
p. 16 → 12
QIR Feedback Form The then current version of (or successor document to) the QIR Feedback Form for Payment Brands and Others, as made publicly available by PCI SSC on the Website.
QIR Feedback Form The then-current version of (or successor document to) the QIR Feedback Form for Payment Brands and Others, as made publicly available by PCI SSC on the Website.
Modified
p. 16 → 12
QIR Implementation Statement The report provided to a Customer upon completion of the rendering of a Qualified Installation.
QIR Implementation Statement The report of results to be provided to a Customer upon completion of a Qualified Installation. A template is provided on the Website.
Modified
p. 16 → 12
QIR List The list of QIR Companies maintained on the Website.
QIR List The searchable list of QIR Professionals made available through the Website.
Modified
p. 16 → 12
Programs Fee Schedule The then-current schedule of fees payable by QIR Professionals in connection with participation in the QIR Program, as made publicly available by PCI SSC on the Website.
Modified
p. 16 → 13
QIR Program The PCI SSC Qualified Integrators and Resellers Program managed by PCI SSC, as further described herein and in the QIR Program Guide and related PCI SSC guidance and publications.
QIR Program The PCI SSC Qualified Integrator and Reseller (QIR)™ Program operated and managed by PCI SSC, as further described herein and in the QIR Program Guide and related PCI SSC guidance and publications.
Removed
p. 17
QIR Requirements With respect to a given QIR Company, the requirements and obligations thereof pursuant to the QIR Qualification Requirements, the QIR Agreement and the QIR Program Guide, each addendum and supplement to each of the foregoing, each agreement entered into between such QIR Company and PCI SSC, and any and all other policies, procedures, requirements or obligations imposed, mandated, provided for or otherwise established by PCI SSC from time to time in connection with any PCI SSC program in which such QIR Company is then a participant, including but not limited to, the requirements of all applicable PCI SSC training programs, quality assurance and remediation programs, program guides and other related PCI SSC program materials.
Qualified Installation The installation and/or configuration of a PA-DSS validated Payment Application for purposes of compliance with the applicable PA-DSS Implementation Guide and the QIR Program Guide as part of the QIR Program.
Modified
p. 17 → 13
QIR Qualification Requirements With respect to a given QIR Company, the then most current version of (or successor document to) the Payment Card Industry (PCI) Qualification Requirements For Qualified Integrators and Resellers (QIRs), as made publicly available on the Website and amended by PCI SSC from time to time in its sole discretion, all supplements and addenda thereto, and any and all related agreements and/or undertakings applicable to a such QIR Company in connection with the QIR Program.
QIR Qualification Requirements The then-current version of (or successor document to) the Payment Card Industry (PCI) Qualified Integrator and Reseller (QIR) Qualification Requirements, as made publicly available on the Website and amended by PCI SSC from time to time in its sole discretion.
Modified
p. 17 → 13
Services The QIR Installations and all related services performed by a given QIR Company to PCI SSC, the QIR Company’s Customers or others in connection with the QIR Agreement and the QIR Program. Website The PCI SSC website at www.pcisecuritystandards.org.
Services The QIR Installations and related services performed by a given QIR Professional for PCI SSC, the QIR Professional’s Customers, or others in connection with the QIR Agreement or the QIR Program.
Removed
p. 18
1. QIR Qualification; Listing; Primary Contact. During the Term (defined below): (a) QIR is hereby qualified by PCI SSC to perform Qualified Installations subject to applicable QIR Requirements, and (B) PCI SSC is authorized to display QIR’s name and QIR Company qualification status information on the QIR List and incorporate into QIR’s listing on the QIR List such QIR trademarks as (and in the manner) QIR has designated for such purpose. QIR acknowledges and agrees that in the event PCI SSC determines in its sole but reasonable discretion that QIR meets any condition for “remediation” or “revocation” (defined in the QIR Program Guide), PCI SSC may, upon notice, offer QIR the opportunity to participate in remediation, revoke QIR's QIR Company qualification, annotate or remove the listing of QIR on the QIR List, and/or terminate this Agreement. QIR hereby designates the individual identified to PCI SSC as QIR’s “Primary Contact” as …
Modified
p. 18 → 14
B. EXCEPT FOR DAMAGES CAUSED BY A PARTY’S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT OR AS PROVIDED IN SECTION 4.C, IN NO EVENT SHALL: (I) EITHER PARTY BE LIABLE TO THE OTHER FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT, PUNITIVE OR SPECIAL DAMAGES OR FOR ANY DAMAGES AS A RESULT OF LOSS OF BUSINESS, REVENUE, GOODWILL, OR OTHER COMMERCIAL OR ECONOMIC LOSS, TO THE EXTENT ARISING OUT OF OR IN CONNECTION WITH THE QIR PROGRAM, THE PCI MATERIALS, THIS AGREEMENT OR THE SUBJECT …
B. EXCEPT FOR DAMAGES CAUSED BY A PARTY’S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT OR AS PROVIDED IN SECTION 4.C, IN NO EVENT SHALL: (I) EITHER PARTY BE LIABLE TO THE OTHER FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT, PUNITIVE OR SPECIAL DAMAGES OR FOR ANY DAMAGES AS A RESULT OF LOSS OF BUSINESS, REVENUE, GOODWILL, OR OTHER COMMERCIAL OR ECONOMIC LOSS, TO THE EXTENT ARISING OUT OF OR IN CONNECTION WITH THE QIR PROGRAM, THE PCI MATERIALS, THIS AGREEMENT OR THE
Removed
p. 19
6. Confidentiality and Required Disclosures; Use of Marks. QIR hereby acknowledges and agrees to comply with the confidentiality and required disclosure provisions set forth in the QIR Qualification Requirements. To help ensure its ability to promptly make such required disclosures, QIR shall ensure that its written agreements with each Customer permit QIR to make such disclosures to PCI SSC, in accordance with the QIR Qualification Requirements.
Modified
p. 19 → 15
C. QIR shall defend, indemnify, and hold harmless PCI SSC and its officers, directors, members, employees, agents, representatives, contractors, attorneys, successors, and assigns (collectively, "Indemnified Parties") from and against any and all claims, losses, liabilities, damages, suits, actions or proceedings (including without limitation, reasonable attorney's fees and related costs) (collectively, “Claims”) arising or resulting from any claim by any third party regarding QIR’s (i) breach of any warranty, representation or agreement herein; or (ii) performance or non-performance of the Services; …
C. You hereby agree to defend, indemnify, and hold harmless PCI SSC and its officers, directors, members, employees, agents, representatives, contractors, attorneys, successors, and assigns (collectively, "Indemnified Parties") from and against any and all claims, losses, liabilities, damages, suits, actions or proceedings (including without limitation, reasonable attorney's fees and related costs) (collectively, “Claims”) arising or resulting from any claim by any third party regarding your (i) breach of any warranty, representation or agreement herein; or (ii) performance or non-performance of …
Modified
p. 19 → 15
5. Term and Termination. This Agreement shall commence as of the Effective Date, remain in full force and effect for a period until terminated pursuant to this Section (the “Term”), and may be terminated (a) by QIR upon notice or (b) by PCI SSC (i) as of the end of any calendar year of the Term upon at least sixty (60) days’ notice; (ii) upon notice in connection with (A) any voluntary or involuntary bankruptcy, receivership, reorganization, dissolution or liquidation …
5. Term and Termination. This Agreement shall commence as of the Effective Date, remain in full force and effect for a period until terminated pursuant to this Section (the “Term”), and may be terminated (a) by you upon notice or (b) by PCI SSC (i) as of the end of any calendar year of the Term upon at least sixty (60) days’ notice; (ii) upon notice in connection with (A) your breach of any representation or warranty under this Agreement, …
Modified
p. 19 → 15
7. Notices. Notices hereunder shall be in writing and deemed effective when delivered personally, or by overnight courier upon verification of receipt, or by facsimile transmission upon electronic confirmation of transmission, or by certified or registered mail, return receipt requested, five (5) days after the mailing date. Notices to QIR shall be sent to its Primary Contact at the address specified for QIR during QIR Company registration on the Website. Notices to PCI SSC shall be sent to PCI SSC, …
7. Notices. Notices hereunder shall be in writing and deemed effective when delivered personally, or by overnight courier upon verification of receipt, or by facsimile transmission upon electronic confirmation of transmission, or by certified or registered mail, return receipt requested, five (5) days after the mailing date. Notices to you shall be sent to your address as specified during QIR Professional registration on the Website. Notices to PCI SSC shall be sent to PCI SSC, attention: QIR Program Manager, at …
Modified
p. 19 → 15
8. General. This Agreement is governed by the laws of the State of Delaware, without resort to its conflict of laws provisions. If any provision hereof is or is determined to be void, invalid or unenforceable, the validity of the remaining provisions shall not be affected thereby. This Agreement (including the QIR Qualification Requirements and QIR Program Guide, each hereby incorporated into and made a part of this Agreement) sets forth the exclusive agreement between the parties with respect to …
8. General. This Agreement is governed by the laws of the State of Delaware, without resort to its conflict of laws provisions. If any provision hereof is or is determined to be void, invalid or unenforceable, the validity of the remaining provisions shall not be affected thereby. This Agreement (including the QIR Qualification Requirements and QIR Program Guide, each hereby incorporated into and made a part of this Agreement) sets forth the entire agreement between the parties with respect to …
Removed
p. 21
Company Applies to QIR Program PA-DSS Vendor Authorization The Company must confirm that it is either a direct provider of a PA-DSS validated Payment Application or a completely independent third party licensed or otherwise authorized by a PA-DSS validated Payment Application vendor to implement that Payment Application into the merchant or service provider environment.
☐ Direct provider of a PA-DSS validated Payment Application
☐ Independent third party licensed or otherwise authorized by the PA-DSS validated Payment Application vendor to implement the validated Payment Application into the Customer or service provider environment
QIR Agreement The Company must accept the QIR Agreement.
Primary Contact Information The Company must identify a Primary Contact and include all contact details. The Primary Contact is the individual that will receive all Council communications and will be the liaison between the QIR Company/Employee and PCI SSC.
Markets The Company must identify all regional markets served.
Languages The Company must identify all …
Modified
p. 21 → 17
Fees The Company must pay all applicable Fees (see QIR Program Fee Schedule on Website) prior to qualification, payable to PCI SSC.
Fees The applicant must pay to PCI SSC all applicable QIR Program Fees (see Programs Fee Schedule on Website) prior to qualification.
Modified
p. 21 → 17
Attestation Completed The Company must confirm that it (and its principals) have no past or present allegations or convictions of any fraudulent or criminal activity against them, or provide a written statement describing any such allegations or convictions and the status and resolution thereof.
Attestation Completed The applicant must confirm that they have no past or present allegations or convictions of any fraudulent or criminal activity against them, or provide a written statement describing any such allegations or convictions and the status and resolution thereof.
Removed
p. 22
The Company must confirm that it has incorporated the following into a Quality Manual as defined in section 4.4.2 of the QIR Qualification Requirements:
A reference to the QIR Company’s installation procedures or details of the installation processes.
A reference to procedures or details of processes for employees and contractors with access to Customer sites to strictly follow secure access, installation, maintenance and support processes included in the PA-DSS Implementation Guide for each validated Payment Application.
Appropriate requirements, processes and/or procedures to ensure the proper documentation of all installation results.
A requirement for the Lead QIR to complete the QIR Implementation Statement and sign the completed document.
A requirement for quality review of all QIR Implementation Statements.
A requirement that all QIR Employees must adhere to the QIR Program Guide.
A requirement for a process to manage security violations.
A requirement to maintain copies of training records confirming that each QIR Employee, before being assigned to a …
Modified
p. 22 → 17
Work History, Curriculum Vitae The applicant must upload a copy of their work history, Résumé or Curriculum Vitae that includes relevant work experience and responsibilities in installations, system hardening, network security, and work experience related to the payment industry.
Modified
p. 22 → 17
Training Registration Once the Primary Contact has completed the Employee Application, the PCI SSC QIR Program Manager will register the Employee for training. The Primary Contact will receive an invoice for training fees, and will be responsible for payment of that invoice before the trainee receives access to QIR training material.
Training Registration Once the applicant has completed the Application, the PCI SSC QIR Program Manager will register the applicant for training. The applicant will receive an invoice for training fees and will be responsible for payment of that invoice before receiving access to QIR training material.
Modified
p. 23 → 17
QIR Training and Exam The Employee must complete QIR Training and successfully pass the training exam.
QIR Training and Exam The applicant must successfully complete the QIR Program training course and exam.