Document Comparison

pci_qsa_validation_requirements_pa-qsa_supplement.pdf PA-QSA_Qualification_Requirements.pdf
51% similar
31 → 33 Pages
9984 → 12308 Words
117 Content Changes

From Revision History

  • February 2014 2.0 Made minor changes to this document to be consistent with v3.0 of the PCI Data Security Standards. Qualifications required for entry are more precise.

Content Changes

117 content changes. 54 administrative changes (dates, page numbers) hidden.

Added p. 4
Term Meaning PA-DSS The then-current version of the Payment Card Industry (PCI) Payment Application Data Security Standard Requirements and Security Assessment Procedures, as from time to time amended and made available on the Website.

PA-DSS Assessment With respect to a given PA-QSA Company, such PA-QSA Company’s review of a Payment Application for purposes of validating the compliance of such Payment Application with the PA-DSS as part of the PA-DSS Program.

PA-DSS Program The Payment Application Data Security Standard Program managed and operated by PCI SSC.

PA-QSA Acronym for "Payment Application Qualified Security Assessor" Company, a company then qualified by PCI SSC to perform PA-DSS Assessments.

PA-QSA Company A company that has been qualified, and continues to be qualified, by PCI SSC to perform PA-DSS Assessments for PA-DSS Program purposes.

PA-QSA Company Testing Laboratory A laboratory environment maintained by the PA-QSA Company to perform testing of payment applications that software vendors provide for validation.
Added p. 5
PA-QSA List The then-current list of PA-QSA Companies published by PCI SSC on the Website.

PA-QSA Qualification Requirements The then-current version of (or successor documents to) the Payment Card Industry (PCI) Qualification Requirements for Payment Application Qualified Security Assessors (PA-QSA), as from time to time amended and made available on the Website.

PA-QSA Requirements With respect to a given PA-QSA Company or PA-QSA Employee, the requirements and obligations thereof pursuant to the PA-QSA Qualification Requirements, the PA-QSA Addendum, the PA-DSS Program Guide, each addendum, supplement, and other agreement entered into between such PA-QSA Company or PA-QSA Employee and PCI SSC, and any and all other policies, procedures, requirements, or obligations imposed, mandated, provided for, or otherwise established by PCI SSC from time to time in connection with any PCI SSC program in which such PA-QSA Company or PA-QSA Employee (as applicable) is then a participant, including but not limited to, the requirements …
Added p. 6
Together, the QSA Requirements and the PA-QSA Requirements are intended to serve as a qualification baseline and provide a transparent process for PA-QSA Company and PA-QSA Employee qualification and re-qualification for PA-DSS Program purposes. Among other things, the PA-QSA Company and PA-QSA Employees must adhere to all requirements in these PA-QSA Qualification Requirements and must provide all of the required provisions described herein.

All PA-QSA Companies appear on the PA-QSA List. If a company is not on this list, its work product as a PA-QSA Company is not recognized by PCI SSC. PA-QSA Companies and PA-QSA Employees must re-qualify annually.

Section 2: PA-QSA Company Business Requirements covers minimum business requirements that must be demonstrated to PCI SSC by the QSA Company that are additional to those required by QSA Companies. This section outlines information and items that must be provided to establish required business stability, independence, and insurance coverage.
Added p. 7
• Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures
• Payment Card Industry (PCI) Data Security Standard Qualification Requirements for Qualified Security Assessors (QSA)
• Payment Card Industry (PCI) Payment Application Data Security Standard Requirements and Security Assessment Procedures
• Payment Card Industry (PCI) Payment Application Data Security Standard (PA-DSS) Program Guide

1.6 PA-QSA Application Process

In addition to outlining the requirements that a PA-QSA Company and its PA-QSA Employees must meet to be recognized by PCI SSC to perform PA-DSS Assessments, this document describes the information that must be provided to PCI SSC as part of the PA-DSS Program application and qualification process. Each outlined requirement is followed by the information that must be submitted to document that the QSA Company meets or exceeds the stated requirements.

Important Note: PCI SSC reserves the right to reject any application from any applicant (company or employee) that PCI …
Added p. 8
• An initial application fee (see the Website, PCI SSC Programs Fee Schedule). Initial application fees are credited toward regional qualification fees (see below) if a company is qualified as a PA-QSA Company. Initial application fee checks should be made payable to PCI SSC and mailed with the completed PA-QSA application package. See Section 1.6 of this document for the mailing address.

• Annual PA-QSA Company regional re-qualification fees for subsequent years, which depend on the region or country in which the PA-QSA Company intends to perform PA-DSS Assessments.

The current initial application, regional qualification, and training fees are specified on the Website (see PCI SSC Programs Fee Schedule).

• For each PA-QSA Employee, fees for required PCI SSC annual training.

Once qualified as a QSA Company, there are various other agreements a QSA Company must execute and submit to PCI SSC, depending on the QSA programs in which the QSA wishes to participate. In …
Added p. 10
• Two client references from application security engagements within the last 12 months.

• Have substantial application security knowledge and experience that demonstrates at least three (3) years of work experience, with a minimum of one year of experience in each of the following disciplines:

• Conducting application testing and source-code reviews, performing web vulnerability assessments, performing application penetration testing, experience using penetration-testing methodologies including the use of forensic tools/methods.

• Source-code creation per OWASP or other secure coding guidelines, ability to exploit OWASP vulnerabilities, and ability to execute arbitrary code to test processes; and

• Demonstrated competence in cryptographic techniques such as cryptographic algorithms, key management and rotation processes, and secure key storage, as determined in the sole discretion of PCI SSC.

Note: This section is intended …
Added p. 12
Requirements for using a Testing Laboratory during a PA-DSS Assessment can be found in the PA-DSS Program Guide. Submission of Appendix B: Testing Laboratory Configuration for PA-DSS Assessments as set forth in the ROV Reporting Template is required for each PA-DSS Assessment.

The Objectivity Criteria for the PA-QSA Company’s Testing Laboratory are as follows:

• PCI DSS compliant: In order to simulate real-world merchant environments, the PA-QSA Company’s Testing Laboratory must be configured to be PCI DSS compliant. All security technologies required by the PCI DSS, as well as operating systems, supporting software, and any patches, must be configured in a PCI DSS compliant manner.

The PA-QSA Company must assign responsibility for PA-QSA Company Testing Laboratory maintenance to ensure that processes and controls are in place to ensure that system components, applications, source code, documentation, and other laboratory assets can be accessed only by authorized personnel.
Added p. 13
• Use of forensic tools/methods capable of searching all storage and output identified for evidence of sensitive authentication data

• Attempting to exploit application vulnerabilities per PA-DSS Requirement 5

• Running of arbitrary code during application update processes

Testing Laboratory Verification

PCI SSC reserves the right to conduct audits of the PA-QSA Company’s Testing Laboratory at any time and further reserves the right to conduct site visits at the expense of the PA-QSA Company and at the discretion of PCI SSC.

In addition, a PA-QSA Employee must review and confirm Testing Laboratory configurations as part of each PA-DSS Assessment and complete Appendix B: Testing Laboratory Configuration for PA-DSS Assessments in the PA-DSS ROV Reporting Template.

• Completed PA-QSA Qualification Requirements Appendix B: Confirmation of PA-QSA Company's General Testing Laboratory Capabilities.
Added p. 14
• Person responsible for PA-DSS Assessments.

• Person responsible for oversight of quality assurance of PA-DSS Assessments.

• An officer of the PA-QSA Company must sign the PA-QSA Addendum, which includes a statement that the PA-QSA Company will adhere to all PA-QSA Requirements.

• Prior to conducting any PA-DSS Assessment for a given payment application Vendor, the PA-QSA Company must inform such Vendor that the Vendor must execute and deliver to PCI SSC a standard Vendor Release Agreement on the form approved by PCI SSC in order for any of its payment applications to be identified on PCI SSC’s published List of Validated Payment Applications.
Added p. 15
• The PA-QSA Company must have an implemented PA-QSA quality assurance program, documented in a quality assurance manual.

• The PA-QSA Company must provide a PA-QSA Feedback Form to each PA-DSS Assessment client during the course of the PA-DSS Assessment. The PA-QSA Feedback Form is an on-line form available on the PCI SSC Website.

• PCI SSC reserves the right to conduct audits of the PA-QSA Company at any time and further reserves the right to conduct site visits at the expense of the PA-QSA Company and at the discretion of PCI SSC.

Additionally, for a minimum of three (3) years from submission of a given ROV to PCI SSC, the PA-QSA Company must secure (in accordance with 4.5 above) and maintain documented evidence (whether in digital or hard copy format) substantiating all conclusions in such ROV, including but not limited to copies of any and all case logs, audit results, work …
Added p. 17
The annual re-qualification process for the PA-DSS Program requires an annual submission of Appendix B: Confirmation of PA-QSA Company’s General Testing Laboratory Capabilities.
Added p. 18
City: State/Province:
Added p. 19
(a) The term "Services" shall include (without limitation) the PA-QSA Services (defined below).

(b) The term "QSA Requirements" shall include (without limitation) the PA-QSA Requirements.

(c) The terms “Subjects” or “QSA Company clients” shall include (without limitation) Vendors.

(d) The terms "Report of Compliance," "ROC" and "Attestation of Compliance" shall, where applicable, include (without limitation) the terms "Report of Validation," "ROV" and "Attestation of Validation," respectively, as those terms are used in the PA-QSA Qualification Requirements.

A.3.2 PA-QSA Services Subject to the terms and conditions of this Addendum and the Agreement, PCI SSC hereby approves QSA, while QSA is in “good standing” (defined in Section A.5(b) below) as a PA-QSA Company (or as otherwise expressly approved by PCI SSC in writing) to conduct PA-DSS Assessments for Vendors solely in order to validate compliance of such Vendors’ Payment Applications with the PA-DSS. Notwithstanding the foregoing, QSA agrees that neither QSA nor PCI SSC …
Added p. 21
(b) So long as QSA is in good standing as a PA-QSA Company and is identified in the QSA List as a PA-QSA Company, QSA may make reference to such PA-QSA Company listing and its qualification as a PA-QSA Company in advertising or promoting its PA-QSA Services. A PA-QSA Company is deemed to be in "good standing" as a PA-QSA Company as long as the PA-QSA Addendum between the PA-QSA Company and PCI SSC is in full force and effect, the PA-QSA Company has been approved by PCI SSC as a PA-QSA Company and such approval has not been revoked, terminated, suspended, cancelled, or withdrawn, the PA-QSA Company is in compliance with all PA-QSA Requirements, and the PA-QSA Company is not in breach of any of the terms or conditions of remediation, its PA-QSA Addendum (including without limitation, all provisions regarding compliance with the PA-QSA Qualification Requirements, and payment) or …
Added p. 23
A.7.4 Effect of Termination Upon any termination or expiration of this Addendum: (i) QSA will no longer be identified as a PA-QSA Company on the QSA List; (ii) QSA shall immediately cease all advertising and promotion of its status as a PA-QSA Company and all references to the PA-DSS and other PCI Materials; (iii) QSA shall immediately cease soliciting for and performing PA-QSA Services (including but not limited to processing of ROVs), provided that, if and to the extent instructed by PCI SSC in writing, QSA shall complete any and all PA-QSA Services for which QSA was engaged prior to such expiration or the notice of termination; (iv) to the extent QSA is instructed to complete any PA-QSA Services pursuant to the preceding clause (iii), QSA will deliver all corresponding outstanding ROVs within the time contracted with the Vendor; (v) QSA shall remain responsible for all of the obligations, representations and …
Added p. 24
(b) All Revocation appeals proceedings will be conducted in accordance with such procedures as PCI SSC may establish from time to time; PCI SSC will review all relevant evidence submitted by QSA and each complainant (if any) in connection therewith; and PCI SSC shall determine whether termination of any PCI SSC qualification is warranted or, in the alternative, no action, or specified remedial actions shall be required. All determinations of PCI SSC regarding Revocation and any related appeals shall be final and binding upon QSA. If PCI SSC determines that termination is warranted, then effective immediately and automatically upon such determination, this Addendum and/or the Agreement (as applicable) shall terminate, and accordingly, each corresponding PCI SSC qualification of QSA shall also terminate. If PCI SSC determines that no action is required of QSA, the Revocation shall be lifted and QSA shall be reinstated on the QSA List (as appropriate). …
Added p. 25
A: Physical Requirements
Requirement | Findings
A1 Requirement A1: The PA-QSA Company Testing Laboratory must have a physical address(es).

Physical Location(s) of PA-QSA Company Testing Laboratory:

A2 Requirement A2: The PA-QSA Company Testing Laboratory must be physically secured.

Describe how the PA-QSA Company Testing Laboratory is physically secured:

A3 Requirement A3: The PA-QSA Company Testing Laboratory must be physically restricted to authorized employees.

Describe how the PA-QSA Company Testing Laboratory is physically restricted to authorized employees:

A4 Requirement A4: The PA-QSA Company must have implemented a quality assurance process, documented in a quality assurance manual, which includes controls for review of the PA-QSA Company Testing Laboratory’s processes and documentation and controls for the physical integrity of the PA-QSA Company Testing Laboratory’s hardware.

Describe the contents of the PA-QSA Company’s quality assurance manual to confirm the procedures fully document process(es) that protect the integrity of the PA-QSA Company Testing Laboratory’s hardware:

List all security devices installed in the PA-QSA Company …
Added p. 26
A7 Requirement A7: Provide capabilities for forensics tools/methods.

Describe the PA-QSA Company Testing Laboratory capabilities for forensic tools/methods:

Describe the process for how all output will be searched:
Added p. 27
Name and title of the person responsible for maintaining the PA-QSA Company Testing Laboratory:

B2 Requirement B2: The PA-QSA Company Testing Laboratory must be logically secured.

Describe how the PA-QSA Company Testing Laboratory is logically secured (i.e., access controls):

B3 Requirement B3: The PA-QSA Company Testing Laboratory must be logically restricted to authorized employees.

Describe how the PA-QSA Company Testing Laboratory is logically restricted to authorized employees:

B4 Requirement B4: The PA-QSA Company must have implemented a quality assurance process, documented in a quality assurance manual, which includes controls for review of PA-QSA Company Testing Laboratory’s processes and documentation and controls for the logical integrity of the PA-QSA Company Testing Laboratory’s software.

Describe the contents of the PA-QSA Company’s quality assurance manual to confirm the procedures fully document process(es) that logically protect the integrity of the PA-QSA Company Testing Laboratory’s software:

B5 Requirement B5: All required security devices must be configured to be PCI DSS compliant.

Security Device: Briefly …
Added p. 29
PA-QSA Business Requirements [2]
Requirement | Information/documentation Needed
Business Legitimacy: Not applicable for PA-QSA documentation; however, this information should either:

Description of dates and clients for two previous PCI DSS Assessments performed by company

Description of the PA-QSA Company’s relevant areas of specialization within application security, and code reviews (for example, use of OWASP or other secure coding guidelines, web vulnerability assessment, application penetration testing, or designing or implementing cryptography systems), demonstrating at least one area of specialization.

Description of cryptographic techniques, including cryptographic algorithms, key management and rotation processes, and secure key storage

Description of experience using penetration testing methodologies, to include use of forensic tools/methods, ability to exploit OWASP vulnerabilities, and ability to execute arbitrary code to test processes.

Two client references from recent application security assessments

PA-QSA Employee Skills and Experience: Meet the following for each PA-QSA Employee to be qualified, in addition to all QSA Requirements specified in Qualification Requirements for …
Added p. 31
Demonstrated competence in cryptographic techniques such as cryptographic algorithms, key management and rotation processes, and secure key storage, as determined in the sole discretion of PCI SSC.

PA-QSA Administrative Requirements [4]
Requirement | Information/documentation Needed
PA-QSA Company’s Testing Laboratory: Description of PA-QSA Company Testing Laboratory, using Appendix B as a template; Inclusion of completed Appendix B: Confirmation of PA-QSA Company's General Testing Laboratory Capabilities; Description of documented processes used by PA-QSA Company to verify vendor’s testing laboratory meets the requirements specified in Appendix B, if use of vendor’s testing is necessary
PA-QSA Contact Person: Primary and Secondary
Background Checks: For each PA-QSA employee to be qualified, statement that employee successfully completed the background check in accordance with the QSA’s policies and procedures; Company Officer’s signature on the PA-QSA Addendum
Adherence to PCI DSS Procedures and Attestation of Validation: Company Officer’s signature on the PA-QSA Addendum
[4] This checklist is for PA-QSA Companies and Employees …
Added p. 32
• Oversight of quality assurance for all PA-DSS reports
• Review and approval of all PA-DSS reports prior to submission to PCI SSC
• Sole responsibility for submitting PA-DSS reports to PCI SSC

A description of the contents of the PA-QSA Company’s quality assurance manual to confirm the procedures fully document the PA-QSA Company’s audit and report review processes for generation of the ROV using the requirements contained in the PA-DSS Program Guide, including at least the following:

• Reviews of testing procedures, reports, and supporting documentation, and other information as documented in the PA-DSS Program Guide related to the appropriate selection of system components.

• A requirement that all PA-QSA Employees must adhere to the PA-DSS.

Company Officer’s signature on the PA-QSA Addendum
Responsibility for QA Oversight: Primary and Secondary
Protection of Confidential and Sensitive Information: Not applicable for PA-QSA documentation; however, this information should either:

b) For new QSAs also applying to …
Added p. 33
• Copies of any logs or configuration files used to validate
• Copies of any vendor written/published documentation used to validate
• Copies of any troubleshooting requests
• Any written/published vendor procedures
• Written software-development processes
• Any written process documents
• Interview Notes
• Change control documentation
• Audit logs
• System configuration files
• Written/published methodologies
• Output from any tools utilized during the assessment
• Copies/screenshots of any of the following: displays of payment card data, including but not limited to POS devices, screens, logs, and receipts
• Any document referenced or mentioned as being reviewed in the ROV
• Network diagram of the lab (tested environment)
• Evidence that the applicable lab was PCI DSS compliant:

• Firewall rules/configuration

• IDS/IPS configuration and sensor placement

• Antivirus solution/configuration

• Inventory of all components in lab

• Evidence all components have latest patches

• Evidence all components have all PCI DSS required parameters for: …
Removed p. 3
"Payment Application Qualified Security Assessor" or “PA-QSA” means a QSA company that provides services to payment application vendors in order to validate such vendors' payment applications as adhering to the requirements of the PA-DSS and that has satisfied and continues to satisfy all additional PA-QSA Requirements (as defined in the PA-QSA Addendum).

"PA-DSS Assessment" means assessment of vendor payment applications in accordance with the PA-DSS Security Audit Procedures in order to establish vendor compliance with the PA- DSS.

“PA-QSA employee” refers to an individual employed by a PA-QSA who has satisfied and continues to satisfy all PA-QSA Requirements applicable to employees of PA-QSAs who will conduct PA-QSA Assessments, as described in further detail herein.

"QSA Validation Requirements" refers to the then current version of the Payment Card Industry (PCI) Data Security Standard Validation Requirements For Qualified Security Assessors (QSA) as amended from time to time and made available on the PCI SSC web …
Modified p. 3 → 4
"PA-QSA Addendum" refers to the Addendum to Qualified Security Assessor (QSA) Agreement for Payment Application QSAs attached as Appendix A to the PA-QSA Supplement.
PA-QSA Addendum The Addendum to Qualified Security Assessor (QSA) Agreement for Payment Application QSAs attached as Appendix A to the PA-QSA Qualification Requirements.
Modified p. 3 → 5
"QSA Agreement" refers to the PCI Qualified Security Assessor (QSA) Agreement attached as Appendix A to the QSA Validation Requirements.
QSA Agreement The PCI Qualified Security Assessor (QSA) Agreement attached as Appendix A to the QSA Qualification Requirements.
Modified p. 3 → 5
All capitalized terms used in this PA-QSA Supplement without definition shall have the meanings specified in the QSA Validation Requirements or the QSA Agreement, as applicable.
All capitalized terms used in these PA-QSA Qualification Requirements without definition shall have the meanings specified in the QSA Qualification Requirements or the QSA Agreement, as applicable.
Removed p. 4
Together, the QSA Requirements and the PA-QSA Requirements are intended to serve as a validation baseline for PA-QSAs, and provide a transparent process for PA-QSA qualification and re-qualification across the payment industry.

Companies that qualify as PA-QSAs will be identified as such on the Website in accordance with the PA-QSA Addendum for a period of one (1) year from the date of such qualification. If a company is not so identified, its work product as a PA-QSA is not recognized by PCI SSC. All PA-QSAs must re-qualify annually.

Section 2: PA-QSA Business Requirements covers minimum additional business requirements that must be demonstrated to PCI SSC by the PA-QSA. This section outlines information and items that must be provided to prove business stability, independence, and insurance coverage. PA-QSA fees and agreements are also covered.

Appendices: The appendices to the PA-QSA Supplement include the PA-QSA Addendum and several helpful checklists, feedback forms, and detailed fee …
Modified p. 4 → 6
To initiate the PA-QSA qualification process, the QSA must sign the PA-QSA Addendum in unmodified form and submit it to PCI SSC as part of its completed PA-QSA application package.
To initiate the qualification process, the QSA Company must sign the PA-QSA Addendum in unmodified form and submit it to PCI SSC.
Modified p. 4 → 6
Section 1: Introduction offers a high-level overview of the PA-QSA applications process.
Section 1: Introduction offers a high-level overview of the PA-DSS Program application process.
Modified p. 4 → 6
Note: All requirements set forth in QSA Validation Requirements must be met by organizations wishing to qualify as PA-QSAs.
All requirements set forth in the QSA Qualification Requirements must be met by organizations wishing to qualify as PA-QSA Companies.
Modified p. 4 → 6
Section 3: PA-QSA Capability Requirements reviews the information and documentation necessary to demonstrate the PA-QSA's service expertise, as well as that of its employees.
Section 3: PA-QSA Company Capability Requirements reviews the information and documentation necessary to demonstrate the QSA Company's service expertise, as well as that of its employees.
Modified p. 4 → 6
Section 4: PA-QSA Administrative Requirements focuses on the logistics of doing business as a PA-QSA, including adherence to PCI DSS procedures, quality assurance, and protection of confidential and sensitive information.
Section 4: PA-QSA Company Administrative Requirements focuses on the standards to meet regarding the logistics of doing business as a PA-QSA Company, including background checks, adherence to PCI SSC procedures documented in the PA-DSS Program Guide, quality assurance, and protection of confidential and sensitive information.
Removed p. 5
• PCI DSS,
• QSA Validation Requirements,
• Payment Card Industry (PCI) Data Security Standard Security Audit Procedures, and
• PA-DSS Security Audit Procedures.
Removed p. 5
PCI SSC, in an effort to maintain the integrity of the QSA program, may request from time to time demonstrated adherence to the requirements listed in this document. The PA-QSA is responsible to respond to such a PCI SSC request with the documented evidence no later than three (3) weeks from receipt of written notice.
Modified p. 5 → 7
To facilitate preparation of the application package, refer to Appendix C: PA-QSA Application Process Checklist. All application materials and the signed PA-QSA Addendum must be submitted in English. The PA-QSA Addendum is binding in English even if the PA-QSA Addendum was translated and reviewed in another language. All other documentation provided by the PA-QSA in a language other than English must be accompanied by a certified English translation (examples include business licenses and insurance certificates).
To facilitate preparation of the application package, refer to Appendix C: PA-DSS Program Application Process Checklist. All application materials and the signed PA-QSA Addendum must be submitted in English. The PA-QSA Addendum is binding in English even if the PA-QSA Addendum was translated and reviewed in another language. All other documentation provided by the PA-QSA Company in a language other than English must be accompanied by a certified English translation (examples include business licenses and insurance certificates).
Modified p. 5 → 7
All PA-QSA application packages must include a signed PA-QSA Addendum and all other required documentation. Applicants should send their completed application packages by mail to the following address:
All PA-DSS Program application packages must include a signed PA-QSA Addendum and the required documentation. Applicants should send their completed application packages by mail to the following address:
Removed p. 6
• An annual PA-QSA re-qualification fee for subsequent years, also summarized by location in Appendix E.

• A training fee for each PA-QSA employee to be qualified, for training sponsored by PCI SSC. This is an annual fee. See Appendix E.

Once qualified as a QSA, there are various other agreements and/or addenda a QSA must execute and submit to PCI SSC, depending on the QSA programs in which the QSA wishes to participate. Please refer to the QSA Validation Requirements for
Modified p. 6 → 8
• The qualification fee, which must be paid in full within 30 days of notification. This fee may vary by location, as specified in Appendix E.
• Regional qualification fees, which must be paid in full within 60 days of notification, and depend on the region or country in which the PA-QSA Company intends to perform PA-DSS Assessments.
Modified p. 6 → 8
All fees are subject to change.
and are subject to change.
Removed p. 7
In order to participate in the PA-QSA program, PCI SSC requires that the PA-QSA Addendum be signed in unmodified form by a duly authorized officer of the QSA and then submitted by mail to PCI SSC with the completed PA-QSA application package.
Modified p. 7 → 9
The PA-QSA Addendum requires that all PA-QSAs comply with this PA-QSA Supplement and all additional PA-QSA Requirements.
The PA-QSA Addendum requires, among other things, that the PA-QSA Company and its PA-QSA Employees comply with all applicable PA-QSA Requirements.
Modified p. 8 → 10
ƒ The PA-QSA must fulfill all PA-QSA Requirements and comply with all terms and provisions of the PA-QSA's QSA Agreement, PA-QSA Addendum and any other agreements executed with PCI SSC.
The PA-QSA Company must fulfill all PA-QSA Requirements and comply with all terms and provisions of the PA-QSA's QSA Agreement, PA-QSA Addendum and any other agreements executed with PCI SSC.
Modified p. 8 → 10
ƒ The PA-QSA must have performed at least two PCI DSS assessments.
The PA-QSA Company must have performed at least two PCI DSS Assessments.
Modified p. 8 → 10
ƒ The PA-QSA must possess substantial application security knowledge and experience performing application and/or code reviews, as determined in the sole discretion of PCI SSC.
The PA-QSA Company must possess substantial application security knowledge and experience performing application and/or code reviews, as determined in the sole discretion of PCI SSC.
Modified p. 8 → 10
ƒ The PA-QSA must have demonstrated competence in cryptographic techniques, to include cryptographic algorithms, key management and rotation processes, and secure key storage, as determined in the sole discretion of PCI SSC.
The PA-QSA Company must have demonstrated competence in cryptographic techniques, to include cryptographic algorithms, key management and rotation processes, and secure key storage, as determined in the sole discretion of PCI SSC.
Modified p. 8 → 10
ƒ The PA-QSA must have demonstrated competence in using penetration-testing methodologies, to include use of forensic tools/methods, ability to exploit OWASP vulnerabilities, and ability to execute arbitrary code to test processes.
The PA-QSA Company must have demonstrated competence in using penetration- testing methodologies, to include use of forensic tools/methods, ability to exploit OWASP vulnerabilities, and ability to execute arbitrary code to test processes.
Modified p. 8 → 10
ƒ For the PA-QSA, a description of both relevant experience with application security and application and code reviews, preferably related to payment applications and including a description of methodology used to perform such reviews equal to at least one year or three separate application security engagements.
For the PA-QSA Company, a description of both relevant experience with application security and application and code reviews, preferably related to payment applications and including a description of methodology used to perform such reviews equal to at least one year or three separate application security engagements.
Modified p. 8 → 10
▪ A description of dates and clients for two previous PCI DSS assessments performed by the PA-QSA.
A description of dates and clients for two previous PCI DSS Assessments performed by the PA-QSA Company.
Modified p. 8 → 10
▪ Description of the PA-QSA’s relevant areas of specialization within application security, and code reviews (for example, use of OWASP or other secure coding guidelines, web vulnerability assessment, application penetration testing, or designing or implementing cryptography systems), demonstrating at least one area of specialization.
Description of the PA-QSA Company’s relevant areas of specialization within application security, and code reviews (for example, use of OWASP or other secure coding guidelines, web vulnerability assessment, application penetration testing, or designing or implementing cryptography systems), demonstrating at least one area of specialization.
Modified p. 8 → 10
▪ Description of experience with cryptographic techniques, including cryptographic algorithms, key management and rotation processes, and secure key storage, demonstrating at least one area of specialization.
Description of the PA-QSA Company’s experience with cryptographic techniques, including cryptographic algorithms, key management and rotation processes, and secure key storage, demonstrating at least one area of specialization.
Modified p. 8 → 10
▪ Description of experience using penetration testing methodologies, to include use of forensic tools/methods, ability to exploit OWASP vulnerabilities, and ability to execute arbitrary code to test processes.
Description of the PA-QSA Company’s experience using penetration testing methodologies, to include use of forensic tools/methods, ability to exploit OWASP vulnerabilities, and ability to execute arbitrary code to test processes.
Removed p. 9
▪ Have substantial application security knowledge and experience conducting application and code reviews, and/or demonstrated competence in cryptographic techniques, for example experience coding per OWASP or other secure coding guidelines, performing web vulnerability assessments, performing application penetration testing, experience using penetration testing methodologies, to include use of forensic tools/methods, ability to exploit OWASP vulnerabilities, and ability to execute arbitrary code to test processes, and/or experience in cryptographic techniques such as cryptographic algorithms, key management and rotation processes, and secure key storage, as determined in the sole discretion of PCI SSC.
Modified p. 9 → 11
▪ Performing the PA-DSS Assessments.
Performing the PA-DSS Assessments.
Modified p. 9 → 11
▪ Verifying that the laboratory used to test the client’s application meets requirements defined in Appendix B: Confirmation of PA-QSA’s General Testing Laboratory Capabilities.
Verifying that the laboratory used to test the client’s application meets requirements defined in Appendix B: Confirmation of PA-QSA Company’s General Testing Laboratory Capabilities.
Modified p. 9 → 11
▪ Verifying the work product addresses all audit procedure steps and supports the compliance status of the application.
Verifying the work product addresses all assessment procedure steps and supports the validation status of the application.
Modified p. 9 → 11
▪ Strictly following the PA-DSS Security Audit Procedures.
Strictly following the PA-DSS and PA-DSS Program Guide.
Modified p. 9 → 11
▪ Producing the final report.
Producing the final report.
Modified p. 9 → 11
▪ Be a QSA employee and fulfill all requirements specified in Section 2.2 of the QSA Validation Requirements.
Be a QSA Employee and fulfill all requirements specified in Section 3.2 of the QSA Qualification Requirements.
Modified p. 9 → 11
▪ Have performed at least two PCI DSS Assessments.
Have performed at least two PCI DSS Assessments.
Modified p. 9 → 11
▪ Be knowledgeable about the PA-DSS Security Audit Procedures, as determined in the sole discretion of PCI SSC.
Be knowledgeable about the PA-DSS, as determined in the sole discretion of PCI SSC.
Modified p. 9 → 11
▪ Attend annual training provided by PCI SSC, and legitimately pass, of his or her own accord without any unauthorized assistance, all examinations conducted as part of training. If a PA-QSA employee fails to pass any exam in connection with such training, the PA-QSA employee must no longer lead or manage a PA-DSS assessment until successfully passing the exam on a future attempt.
Attend annual training provided by PCI SSC, and legitimately pass, of his or her own accord without any unauthorized assistance, all examinations conducted as part of training. If a PA-QSA Employee fails to pass any exam in connection with such training, the PA-QSA Employee must no longer lead or manage a PA-DSS Assessment until successfully passing the exam on a future attempt.
Modified p. 9 → 11
▪ Be employees of the PA-QSA (meaning this work cannot be subcontracted to non-employees) unless PCI SSC has given prior written consent for each subcontracted worker.
Be employees of the PA-QSA Company (meaning this work cannot be subcontracted to non-employees) unless PCI SSC has given prior written consent for each subcontracted worker.
Removed p. 10
▪ Description of area(s) of expertise within application security, code reviews and cryptography (for example, use of OWASP or other secure coding guidelines, web vulnerability assessment, application penetration testing, experience using penetration testing methodologies, to include use of forensic tools/methods, ability to exploit OWASP vulnerabilities, and ability to execute arbitrary code to test processes, and/or designing or implementing cryptography systems) with at least one year (total) in three separate areas.

In addition, PA-QSA must review and confirm testing laboratory configurations as part of each PA-DSS review and complete PA-DSS Security Audit Procedures Appendix B: Confirmation of Testing Laboratory Configuration Specific to the PA-DSS Assessment.

▪ Completed Appendix B.
Modified p. 10 → 12
ƒ A description of dates and clients for two previous PCI DSS assessments performed by the potential PA-QSA individual.
A description that includes dates and clients, of two previous PCI DSS Assessments performed by such individual.
Modified p. 10 → 13
a) Maintains a testing laboratory meeting all requirements specified in Appendix B.
a) Maintains a PA-QSA Company Testing Laboratory meeting all requirements specified in Appendix B of this document; and
Modified p. 10 → 13
b) Has documented processes to verify that a software vendor’s laboratory meets the requirements specified in Appendix B, whenever it is necessary to use a software vendor’s testing laboratory rather than the PA-QSA’s testing laboratory.
b) Has documented processes to verify that an alternative laboratory (such as a third-party lab service or a Vendor’s laboratory) meets the requirements specified in Appendix B, whenever it is necessary to use an alternative testing laboratory.
Modified p. 10 → 13
PCI SSC reserves the right to require successful completion of a mock assessment annually, after at least one employee has successfully completed PA-QSA training and passed the examination, or to use a mock assessment as a tool to validate the PA-QSA’s quality assurance program.
PCI SSC reserves the right to require successful completion of a mock assessment annually, after at least one employee has successfully completed PA-QSA training (including passing the training examination), or to use a mock assessment as a tool to validate the PA-QSA Company’s quality assurance program.
Removed p. 11
▪ The PA-QSA must prepare each PA-DSS ROV based on evidence obtained by following the PA-DSS Security Audit Procedures.

▪ The PA-QSA must accompany a PA-DSS ROV with an “Attestation of Validation” in the form available through http://www.pcisecuritystandards.org, signed by a duly authorized officer of the PA-QSA, that summarizes whether the entity is in compliance or not in compliance with PCI PA-DSS, and any related findings.
4.4 Quality Assurance
4.4.1 Requirements
Modified p. 11 → 14
▪ Name ▪ Title ▪ Address ▪ Phone number ▪ Fax number ▪ E-mail address
4.2 Background Checks
▪ PA-QSAs must meet all background check requirements as specified in the QSA Validation Requirements.
Job Title; Phone number; Fax number; E-mail address
4.2 Background Checks
Each PA-QSA Employee must meet all background check requirements as specified in the QSA Qualification Requirements.
Removed p. 12
▪ The PA-QSA must have implemented a quality assurance program that includes PA-DSS reports, as documented in their company’s quality assurance program manual (as described in Subsection 4.4.2 of the PA-QSA Supplement as well as subsection 4.4.2 of the QSA Validation Requirements).

▪ The PA-QSA must provide a PA-QSA Feedback Form to their client at the completion of the audit. See Appendix D: Sample PA-QSA Feedback Form.

• Report review processes

• Fines and penalties

• Suspension and any reinstatement processes
▪ PCI SSC reserves the right to conduct site visits and audit the PA-QSA at the discretion of the PCI SSC.

• A requirement that all PA-QSA employees must adhere to the PA-DSS Security Audit Procedures.
Modified p. 12 → 15
▪ The PA-QSA must adhere to all PA-QSA quality assurance requirements mandated by PCI SSC, including but not limited to the following:
The PA-QSA Company must comply with all PA-DSS Program quality assurance requirements established from time to time.
Modified p. 12 → 15
▪ Upon request, the PA-QSA must provide the quality assurance manual to PCI SSC.
Upon request, the PA-QSA Company must provide the quality assurance manual to PCI SSC.
Modified p. 12 → 15
▪ The description of the responsibilities of the PA-DSS quality assurance person that lists, at a minimum, the following responsibilities:
The description of the responsibilities of the PA-DSS Company quality assurance person that lists, at a minimum, the following responsibilities:
Modified p. 12 → 15
• Oversight of quality assurance for all PA-QSA reports.
• Oversight of quality assurance for all PA-DSS Assessment work documentation.
Modified p. 12 → 15
• Review and approval of all PA-DSS reports prior to submission to PCI SSC.
• Review and approval of all ROVs prior to submission to PCI SSC.
Modified p. 12 → 15
• Sole responsibility for submitting PA-DSS reports to PCI SSC.
• Sole responsibility for submitting ROVs to the web portal designated for such purpose by PCI SSC.
Modified p. 12 → 15
• A description of the contents of the PA-QSA quality assurance manual to confirm the procedures include PA-DSS audit and report review processes.
• A description of the contents of the PA-QSA Company’s quality assurance manual to confirm the procedures fully document the PA-QSA Company’s PA-DSS Assessment and report review processes for generation of ROVs as required pursuant to the requirements contained in the PA-DSS Program Guide, including a requirement that all PA-QSA Employees must adhere to the PA-DSS.
Removed p. 13
• PCI SSC has issued an acceptance letter to both PA-QSA and software vendor; and

• PCI SSC has included the software vendor and specific application on the published list of validated payment applications.
Modified p. 13 → 16
A statement that the PA-QSA will not recognize a client’s validation status until PCI SSC has notified PA-QSA and vendor via an acceptance letter and inclusion of the application on the list of validated applications.
A statement that the PA-QSA Company will not recognize a Payment Application’s validation status until PCI SSC has notified the PA-QSA Company and the applicable Vendor via a notification of acceptance and inclusion of the application on the List of Validated Payment Applications.
Removed p. 15
State/Province: Country: Postal Code:
Modified p. 15 → 18
In consideration of the mutual covenants herein set forth, the sufficiency of which is acknowledged, QSA and PCI SSC agree as follows.
In consideration of the mutual covenants herein set forth, the adequacy and sufficiency of which is acknowledged, QSA and PCI SSC agree as follows.
Modified p. 15 → 18
Regions Applying For (see Appendix D):
Regions Applying For (see Website for list):
Modified p. 15 → 18
Applicant’s Signature Applicant’s Officer Signature Date Applicant Officer Name: Title:
Applicant’s Signature Applicant’s Officer Signature Date Applicant Officer Name: Title:
Modified p. 15 → 18
PCI SSC Officer Signature
PCI SSC Officer Signature
Removed p. 17
A.3.2 PA QSA Services Subject to the terms and conditions of the Agreement, PCI SSC hereby approves QSA to conduct PA-DSS Assessments of Payment Applications for Vendors in order to validate compliance of such Payment Applications with the PA-DSS. Notwithstanding the foregoing, QSA agrees that it shall not recognize any Vendor's validation status until PCI SSC has notified QSA and Vendor via an acceptance letter and inclusion of the Vendor's Payment Application on PCI SSC's published list of validated Payment Applications.
Modified p. 17 → 19
QSA agrees to monitor the Website at least weekly for changes to the PA-DSS, the PA-QSA Supplement and/or the PA-DSS Security Audit Procedures. QSA will incorporate all such changes into all PA-DSS Assessments initiated on or after the effective date of such changes. QSA acknowledges that PCI SSC will not accept any Report of Validation ("ROV") regarding a PA-DSS Assessment that is not conducted in accordance with the PA-DSS and PA-DSS Security Audit Procedures in effect at the initiation date …
QSA agrees to monitor the Website at least weekly for changes to the PA-DSS, the PA-QSA Qualification Requirements and/or the PA-DSS Program Guide. QSA will incorporate all such changes into all PA-DSS Assessments initiated on or after the effective date of such changes. QSA acknowledges that PCI SSC will not accept any Report of Validation ("ROV") regarding a PA-DSS Assessment that is not conducted in accordance with the PA-DSS in effect at the initiation date of such PA-DSS Assessment.
Modified p. 17 → 20
(b) QSA acknowledges and agrees that PCI SSC, in an effort to maintain the integrity of the QSA Program, may request from time to time demonstrated adherence to the requirements set forth in the PA-QSA Supplement. Each such request shall be in writing and QSA shall respond thereto with documented evidence of such adherence in form and substance acceptable to PCI SSC no later than three (3) weeks from QSA's receipt of such written request.
(b) QSA acknowledges and agrees that, in an effort to maintain the integrity of the PA-DSS Program, PCI SSC from time to time may request demonstrated adherence to the PA-DSS and the PA-QSA Qualification Requirements. Each such request shall be in writing, and QSA shall respond thereto with documented evidence of such adherence in form and substance acceptable to PCI SSC no later than three (3) weeks from QSA's receipt of such written request.
Modified p. 17 → 20
A.3.4 PA-QSA Service Staffing QSA shall ensure that a PA-QSA employee that is fully qualified in accordance with all applicable provisions of the PA-QSA Supplement supervises all aspects of each engagement to perform PA-QSA Services in accordance with the PA-QSA Supplement and the PA-DSS Security Audit Procedures.
A.3.4 PA-QSA Service Staffing QSA shall ensure that a PA-QSA Employee that is fully qualified in accordance with all applicable provisions of the PA-QSA Qualification Requirements supervises all aspects of each engagement to perform PA-QSA Services in accordance with the PA-QSA Qualification Requirements and the PA-DSS.
Removed p. 18
A.5 QSA List; Promotional References; Restrictions (a) So long as QSA is in PA-QSA Good Standing (as defined below), PCI SSC may, at its sole discretion, identify QSA as a PA-QSA on the QSA List or in such other publicly available list of PA-QSAs as PCI SSC may maintain and/or distribute from time to time, whether on the Website or otherwise (for purposes of the Agreement, such other list (if any) shall be deemed to be part of the QSA List). QSA shall be deemed to be in "PA- QSA Good Standing" as long as QSA is in Good Standing as a Qualified Security Assessor, this Addendum is in full force and effect, QSA has been approved as a PA- QSA and such approval has not been revoked and QSA is in compliance with all PA-QSA Requirements.

(b) So long as QSA is in PA-QSA Good Standing and is identified in …
Modified p. 18 → 20
A.4 PA-QSA Fees QSA shall pay all fees (collectively, "PA-QSA Fees") as specified in Appendix E of the PA-QSA Supplement (the "PA-QSA Fee Schedule"), in accordance with Section 2.4 of the PA-QSA Supplement. QSA acknowledges that PCI SSC may review and modify such fees at any time and from time to time, provided that PCI SSC shall notify QSA of such change and such change will be effective thirty (30) days after the date of such notification. Should …
A.4 PA-DSS Program Fees QSA shall pay all applicable fees in connection with participation in the PA-DSS Program as referenced in and in accordance with the PA-QSA Qualification Requirements. QSA acknowledges that PCI SSC may review and modify such fees at any time and from time to time, provided that PCI SSC shall notify QSA of such change and such change will be effective thirty (30) days after the date of such notification. Should QSA not agree with any such …
Modified p. 18 → 21
(c) QSA shall not: (i) make any false, misleading or incomplete statements regarding, or misrepresent the requirements of the PA-DSS, including without limitation, any requirement regarding the implementation of the PCI DSS or the application thereof to any Vendor, or (ii) state or imply that the PA-DSS requires usage of QSA's products or services.
(c) QSA shall not: (i) make any false, misleading, or incomplete statements regarding, or misrepresent PCI SSC, its status as a PA-QSA Company or the requirements of the PA-DSS, including without limitation, any requirement regarding the implementation of the PA-DSS or the application thereof to any Vendor, or (ii) state or imply that the PA-DSS requires usage of QSA's products or services.
Removed p. 19
(b) Notwithstanding anything to the contrary in Section A6 of the Agreement or in this Addendum, in order to assist in ensuring the reliability and accuracy of PA-DSS Assessments, within 15 days of any written request by PCI SSC or any Member (each a “Requesting Organization”), QSA hereby agrees to provide to such Requesting Organization with such PA-DSS Assessment results (including ROVs) as such Requesting Organization may reasonably request with respect to (i) if the Requesting Organization is a Member, any Vendor for which QSA has performed a PA-DSS Assessment to the extent such Vendor has provided a Payment Application to a Financial Institution of such Member, an Issuer of such Member, a Merchant authorized to accept such Member's payment cards, an Acquirer of accounts of Merchants authorized to accept such Member's payment cards or a Processor performing services for such Member's Financial Institutions, Issuers, Merchants or Acquirers or (ii) …
Modified p. 19 → 22
A.7 Term and Termination A.7.1 Term This Addendum shall become effective as of the Addendum Effective Date and, unless earlier terminated in accordance with this Section A7, shall continue for an initial term of one (1) year, and thereafter shall renew for additional subsequent terms of one year, subject to
A.7 Term and Termination A.7.1 Term This Addendum shall become effective as of the Addendum Effective Date and, unless earlier terminated in accordance with this Section A.7, shall continue for an initial term of one (1) year, and thereafter shall renew for additional subsequent terms of one year, subject to QSA's successful completion of qualification and re-qualification requirements for each such one-year term (each a "Contract Year"). This Addendum shall immediately terminate upon termination of the Agreement.
Removed p. 20
A.7.4 Effect of Termination Upon any termination or expiration of this Addendum: (i) QSA will no longer be identified as a PA-QSA on the QSA List; (ii) QSA shall immediately cease all advertising and promotion of its status as a PA-QSA and all references to the PA-DSS and other PCI Materials; (iii) QSA shall immediately cease soliciting for any further PA-QSA Services and shall only complete PA-QSA Services contracted with Vendors prior to the notice of termination; (iv) QSA will deliver all outstanding ROVs within the time contracted with the Vendor and shall remain responsible after termination for all of the obligations, representations and warranties hereunder with respect to all ROVs submitted prior to or after termination; (v) QSA shall return or destroy, in accordance with the terms of Section A6 of the Agreement, all PCI SSC and third party property and Confidential Information obtained in connection with this Addendum …
Modified p. 20 → 23
PCI SSC may terminate this Addendum effective as of the end of any Contract Year by providing QSA with written notice of its intent not to renew this Addendum at least sixty (60) days prior to the end of the then current Contract Year. Additionally, PCI SSC may immediately terminate this Addendum (i) with written notice upon QSA's breach of any representation or warranty under this Addendum; or (ii) with fifteen (15) days’ prior written notice following QSA's breach of …
PCI SSC may terminate this Addendum effective as of the end of any Contract Year by providing QSA with written notice of its intent not to renew this Addendum at least sixty (60) days prior to the end of the then-current Contract Year. Additionally, PCI SSC may immediately terminate this Addendum (i) with written notice upon QSA's breach of any representation or warranty under this Addendum; (ii) with fifteen (15) days’ prior written notice following QSA's breach of any other
Modified p. 20 → 24
A.8 General Terms While this Addendum is in effect, the terms and conditions set forth herein shall be deemed incorporated into and a part of the Agreement. This Addendum may be signed in two or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument. Except as expressly modified by this Addendum, the Agreement shall remain in full force and effect in accordance with its terms.
A.8 General Terms While this Addendum is in effect, the terms and conditions set forth herein shall be deemed incorporated into and a part of the Agreement, and the PA-DSS and PA-QSA Qualification Requirements are hereby deemed incorporated into and a part of this Addendum. This Addendum may be signed in two or more counterparts, any of which may be executed by facsimile or other form of electronic transmission acceptable to PCI SSC, each of which shall be deemed an …
Removed p. 21
Table columns: Requirement; Confirmation of General Lab Capabilities
1. Install software per vendor’s installation instructions provided to merchant. The common installation of the payment application product on all platforms listed in the PA-DSS report, installed per the vendor’s installation manual provided to merchant.

Install and test all software versions listed in PA-DSS report.

▪ Install all common implementations (including region/country specific versions) of the payment application to be tested.

▪ Test all application versions and platforms.

▪ Test all application functionalities.

▪ Test application(s) with all security devices required by PCI DSS.

Install and/or configure, and verify application functions with, all PCI DSS required settings.

▪ Implementation of PCI DSS compliant system settings, patches, etc. for operating systems, system software, and applications used by application.

▪ Test application(s) with PCI DSS compliant system settings, etc.

Simulate real-world use of the application.

▪ The laboratory simulates the “real world” use of the payment application, including all systems and applications where the payment …
Modified p. 21 → 25
Install, and verify application functions with, all PCI DSS required security devices.
Requirement A5: Install all PCI DSS required security devices.
Modified p. 21 → 27
▪ Implementation of all security devices required by PCI DSS, including: firewalls, Network Address Translators (NAT), Port Address Translators (PAT), anti-virus software and encryption.
Configure all security devices required by PCI DSS, including: firewalls, routers, anti-virus software, intrusion detection/prevention, and file-integrity monitoring.
Removed p. 22
▪ Map and determine all output produced by the application in every possible scenario, whether temporary, permanent, error processing, debugging mode, log files, etc.

▪ Simulate and validate all functions of the software, to include generation of all error conditions and log entries using both simulated “live” data and invalid data.

▪ Detail the test architecture and environment in the PA-DSS Report.

▪ Attempt to exploit OWASP vulnerabilities: Attempt to exploit the application(s) per PA-DSS Requirements 5.1.1–5.1.10.

▪ Attempt to execute arbitrary code during the application update process: Run the update process with arbitrary code per PA-DSS requirement 7.2.b.

Use vendor’s lab ONLY after verifying all requirements are met: If use of the application vendor’s lab is necessary (e.g., the PA-QSA does not have the mainframe, AS400, or Tandem the application runs on), the PA-QSA can either (1) use equipment on loan from the vendor or (2) use the vendor’s lab facilities, provided that this …
Modified p. 22 → 26
Provide capabilities for, and test using, the following penetration testing methodologies:
Describe the PA-QSA Company Testing Laboratory capabilities for penetration testing methodologies:
Modified p. 22 → 26
▪ Use of forensic tools/methods²: Search all output identified for evidence of sensitive authentication data using commercial tools, scripts, etc., per PA-DSS Requirements 1.1.1–1.1.3.
Use of forensic tools/methods¹: Implement the capability for searching all output identified for evidence of sensitive authentication data using commercial tools, scripts, etc., per PA-DSS Requirements 1.1.1–1.1.3.
Removed p. 23
▪ The QA process verifies that the report accurately presents the results of testing.
Modified p. 24 → 29
PA-QSA Business Requirements³
Table columns: Requirement; Information/documentation Needed
Business Legitimacy: Not applicable for PA-QSA documentation; however, this information should either: a) Already have been submitted as part of the original QSA application, or b) For new QSAs also applying to be a PA-QSA, included as part of QSA application per QSA Validation Requirements Appendix B: Qualified Security Assessor – New Application Process Checklist.
b) For new QSAs also applying to be a PA-QSA, included as part of QSA application per QSA Qualification Requirements Appendix B: Qualified Security Assessor – New Application Process Checklist.
Modified p. 24 → 29
Independence: Not applicable for PA-QSA documentation; however, this information should either: a) Already have been submitted as part of the original QSA application, or b) For new QSAs also applying to be a PA-QSA, included as part of QSA application per QSA Validation Requirements Appendix B: Qualified Security Assessor – New Application Process Checklist.
b) For new QSAs also applying to be a PA-QSA, included as part of QSA application per QSA Qualification Requirements Appendix B: Qualified Security Assessor – New Application Process Checklist.
Modified p. 24 → 29
Insurance Coverage: Not applicable for PA-QSA documentation; however, this information should either: a) Already have been submitted as part of the original QSA application, or b) For new QSAs also applying to be a PA-QSA, included as part of QSA application per QSA Validation Requirements Appendix B: Qualified Security Assessor – New Application Process Checklist.
b) For new QSAs also applying to be a PA-QSA, included as part of QSA application per QSA Qualification Requirements Appendix B: Qualified Security Assessor – New Application Process Checklist.
Modified p. 24 → 29
PA-QSA Fee: Initial PA-QSA processing fee, payable to PCI SSC
PA-QSA Addendum: PA-QSA Addendum signed by company officer
³ This checklist is for PA-QSAs and details the documentation needed to substantiate the PA-QSA’s qualifications to perform PA-DSS Assessments. It is also required that PA-QSAs are qualified as QSAs as well, and all PA-QSA documentation must be accompanied by QSA documentation (or that QSA documentation must be previously submitted to PCI SSC), as stated in the Validation Requirements for Qualified …
Initial Processing Fee: Initial PA-QSA processing fee, payable to PCI SSC
PA-QSA Addendum: PA-QSA Addendum signed by company officer
² This checklist is for PA-QSA Companies and Employees and details the documentation needed to substantiate the PA-QSA Company’s and Employee’s qualifications to perform PA-DSS Assessments. It is also required that PA-QSA Companies and Employees be qualified as QSA Companies and Employees as well, and all PA-QSA documentation must be accompanied by QSA documentation (or that QSA documentation must be previously …
Removed p. 25
Dates and clients for two previously completed PCI DSS assessments
Areas of expertise in application security, application and code reviews, and/or cryptographic techniques
Modified p. 25 → 30
Description of both relevant experience with and areas of specialization within application security and application and code reviews, preferably related to payment applications and including a description of methodology used to perform such reviews.
Description of dates and clients for two previous PCI DSS assessments performed by company
Description of cryptographic techniques, including cryptographic algorithms, key management and rotation processes, and secure key storage
Two client references from recent application security assessments
PA-QSA Company Employee Skills and Experience: Meet the …
Description of both relevant experience with and areas of specialization within application security and application and code reviews, preferably related to payment applications and including a description of methodology used to perform such reviews.
Removed p. 27
Recognition of Client’s Validation Status: A statement that PA-QSA will not recognize a client’s validation status until PCI SSC has notified PA-QSA and vendor via an acceptance letter and inclusion of the application on the list of validated applications
Company signature on the PA-QSA Addendum
Removed p. 28
Information collected from the Feedback Form will be held in strict confidence and used for the sole purpose of improving the quality of service provided by the PA-QSA.

This form can be obtained directly from the PA-QSA during the audit, or can be found online in a useable format at www.pcisecuritystandards.org. The client, not the QSA, should submit this form to PCI SSC. Please send this completed form to PCI SSC at: compliance@pcisecuritystandards.org.

PA-QSA Feedback Form

Client (software vendor)
Payment Application Qualified Security Assessor Company (PA-QSA)
Location of Assessment
PA-QSA employee(s) who performed Assessment
Street Name
City
State/Province
Postal Code
Country
ID number
Telephone

For each statement, please indicate the response that best reflects your experience and provide comments.
Removed p. 28
1. During the initial engagement, the PA-QSA explained the objectives, timing, and review process, and addressed your questions and concerns.

2. The PA-QSA employee(s) understood your business and technical environment, as well as the cardholder data environment.
Removed p. 29
3. The PA-QSA employee(s) had sufficient security and technical skills to effectively perform this assessment.

4. The PA-QSA sufficiently understood the Payment Application Data Security Standard and Audit Procedures.

5. The PA-QSA effectively minimized interruptions to operations and schedules. (1-5)

6. The PA-QSA provided an accurate estimate for time and resources needed. (1-5)

7. The PA-QSA provided an accurate estimate for report delivery. (1-5)

8. The PA-QSA did not attempt to market products or services for your company to attain PA-DSS compliance.

9. The PA-QSA did not imply that use of a specific brand of commercial product or service was necessary to achieve compliance.

10. In situations where remediation was required, the PA-QSA presented product and/or solution options that were not exclusive to their own product set.

11. The PA-QSA used secure transmission to send any confidential reports or data. (1-5)

12. The PA-QSA demonstrated courtesy, professionalism, and a constructive and positive approach.

13. There was sufficient opportunity for you …
Removed p. 30
For each statement, please indicate the response that best reflects your experience and provide comments.
Removed p. 30
1. The PA-QSA clearly understood how to notify your payment brand about compliance and non-compliance issues, and the status of merchants and service providers.

2. The Client had a positive and professional experience with the PA-QSA. (1-5)

3. The PA-QSA demonstrated sufficient understanding of the PCI Payment Application Data Security Standard Security Audit Procedures.

4. The PA-QSA appropriately documented the results related to their findings. (1-5)

5. From your understanding, the PA-QSA appropriately scoped the payment application’s role in the cardholder data environment.
Removed p. 31
All fee checks should be made payable to PCI SSC and mailed with the completed PA-QSA application package. See Section 1.6 of this document for the mailing address.

Region                                   Initial Processing Fee*   Qualification Fee   Annual Re-qualification Fee   Training Fee per individual
Asia Pacific                             500 USD                   2,000 USD           1,000 USD                     500 USD
Canada                                   500 USD                   5,000 USD           2,500 USD                     1,250 USD
Central Europe, Middle East, and Africa  500 USD                   2,000 USD           1,000 USD                     500 USD
Europe                                   500 USD                   5,000 USD           2,500 USD                     1,250 USD
Latin America and the Caribbean          500 USD                   2,000 USD           1,000 USD                     500 USD
USA                                      500 USD                   5,000 USD           2,500 USD                     1,250 USD

* The Initial Processing Fee will be credited toward the Qualification Fee when a company is qualified as a PA-QSA.