Document Comparison
PCI-SSF-Qualification-Requirements-v1_1r1.pdf → PCI-SSF-Qualification-Requirements-for-Assessors-v1_2.pdf
79% similar
Pages: 71 → 70
Words: 27447 → 27493
Content Changes
71 content changes. 79 administrative changes (dates, page numbers) hidden.
Added
p. 2
December 2022 1.2 Updates to support the addition of the Web Software Module to the Secure Software Standard and to address errata since last publication.
Added requirement that the SSF Company QA staff is either an SSF Assessor or has completed SSF Knowledge Training.
Added
p. 8
• Section 1: Introduction provides an overview of this document’s purpose, intended audience, general structure, and supporting materials.
Added
p. 18
Note: Certifications under programs that have been retired by the issuing entity are considered sufficient for SSF qualification purposes provided that the issuing entity’s public website lists the individual’s certification as active and valid.
Added
p. 40
A.5.2 Uses of SSF Assessor Name and Designated Marks
SSF Assessor grants PCI SSC and each Participating Payment Brand the right to use SSF Assessor’s name and trademarks, as designated in writing by SSF Assessor, to list SSF Assessor on the SSF Assessor List and to include reference to SSF Assessor in publications to Vendors and the public regarding the SSF. Neither PCI SSC nor any Participating Payment Brand shall be required to include any such reference in any materials or publicity regarding the SSF. SSF Assessor warrants and represents that it has authority to grant to PCI SSC and its Participating Payment Brands the right to use its name and designated marks as contemplated by this Agreement.
Added
p. 50
A.10.2 Audit and Financial Statements
a. SSF Assessor shall allow PCI SSC or its designated agents access during normal business hours throughout the Term and for six (6) months thereafter to perform audits of SSF Assessor’s facilities, operations, and records of Services to determine whether SSF Assessor has complied with this Agreement. SSF Assessor also shall provide PCI SSC or its designated agents during normal business hours with books, records and supporting
Modified
p. 1
Payment Card Industry (PCI) Software Security Framework Qualification Requirements for Assessors Version 1.1 revision 1
Payment Card Industry (PCI) Software Security Framework Qualification Requirements for Assessors Version 1.2
Modified
p. 6
The Secure SLC Standard provides security requirements with corresponding assessment procedures and guidance for software vendors to integrate security throughout the entire software lifecycle. It is intended for eligible vendors who develop payment software or any software or component software used within a payment environment. (For complete eligibility criteria, refer to the PCI Secure Software Lifecycle Program Guide.) The Secure Software Standard provides security requirements for building secure payment software to help protect the integrity and confidentiality of sensitive data …
The Secure SLC Standard provides security requirements with corresponding assessment procedures and guidance for software vendors to integrate security throughout the entire software lifecycle. It is intended for eligible vendors who develop payment software, or any software or component software used within a payment environment. (For complete eligibility criteria, refer to the PCI Secure Software Lifecycle Program Guide.) The Secure Software Standard provides security requirements for building secure payment software to help protect the integrity and confidentiality of sensitive data …
Modified
p. 7
All SSF Assessor Companies are identified on the Website, including their qualification status and whether they are qualified to perform Secure SLC Assessments, Secure Software Assessments or both.
All SSF Assessor Companies are identified on the Website, including their qualification status and whether they are qualified to perform Secure SLC Assessments, Secure Software Assessments, or both.
Removed
p. 8
• Section 1: Introduction and overview.
• Amending SSF Assessor Company Status (Appendix F) 1.2 Related Publications This document should be reviewed along with other applicable PCI SSC publications, including but not limited to the current publicly available versions of the following, each available on the Website:
Modified
p. 8
• Section 4: SSF Assessor Company Administrative Requirements includes standards for operating as a SSF Assessor Company.
• Section 4: SSF Assessor Company Administrative Requirements includes standards for operating as an SSF Assessor Company.
Modified
p. 9
PCI Software Security Framework (SSF) A collection of software security standards and associated validation and listing programs developed, maintained and operated by PCI SSC, for the secure design, development and maintenance of payment software.
PCI Software Security Framework (SSF) A collection of software security standards and associated validation and listing programs developed, maintained, and operated by PCI SSC, for the secure design, development, and maintenance of payment software.
Modified
p. 9
PCI SSC Program The SSF and each other program offered by PCI SSC under which PCI SSC qualifies or authorizes entities and/or individuals for purposes of evaluating, assessing or validating compliance with any standard published by PCI SSC.
PCI SSC Program The SSF and each other program offered by PCI SSC under which PCI SSC qualifies or authorizes entities and/or individuals for purposes of evaluating, assessing, or validating compliance with any standard published by PCI SSC.
Modified
p. 11
• Copy of current, valid SSF Assessor Company (or candidate SSF Assessor Company) formation document or equivalent approved by PCI SSC (the “Business License”), including year of incorporation, and location(s) of offices (Refer to the Documents Library on the Website • Business License Requirements for more information)
• Copy of current, valid SSF Assessor Company (or candidate SSF Assessor Company) formation document or equivalent approved by PCI SSC (the “Business License”), including year of incorporation, and location(s) of offices (Refer to the Documents Library on the Website
Modified
p. 11
• The SSF Assessor Company must not undertake to perform any SSF Assessment of any entity
• The SSF Assessor Company must not undertake to perform any SSF Assessment of any entity that it controls, is controlled by, is under common control with, or in which it holds any investment.
Removed
p. 12
• The SSF Assessor Company must not (and will not) have offered or been offered, have provided or been provided, or have accepted any gift, gratuity, service, or other inducement to or from any employee of PCI SSC or any Vendor in connection with entering into the SSF Agreement or any agreement with a Vendor, or performing SSF Assessor Company-related services.
Modified
p. 12
• The SSF Assessor Company must not misrepresent any requirement of any SSF Standard, including but not limited to, in connection with its promotion or sales of
• The SSF Assessor Company must not misrepresent any requirement of any SSF Standard, including but not limited to, in connection with its promotion or sales of services to its clients, or state or imply that any SSF Standard requires use of the SSF Assessor Company's products or services.
Modified
p. 13 → 12
• The SSF Assessor Company must notify its Assessor-Employees of the independence requirements provided for in this document, as well as SSF Assessor Company’s independence policy implementing such requirements, at least annually, and ensure compliance therewith.
• The SSF Assessor Company must notify its Assessor-Employees of the independence requirements provided for in this document, as well as the SSF Assessor Company’s independence policy implementing such requirements, at least annually, and ensure compliance therewith.
Modified
p. 16
• Two client references from software security related engagements performed by the applicant SSF Assessor Company within the last 12 months.
• Two client references from software security related engagements performed by the applicant SSF Assessor Company within the last twelve (12) months.
Modified
p. 16
• An Assessor-Employee only qualified by PCI SSC as a Secure Software Assessor is only authorized to conduct SSF Assessments against the Secure Software Standard and the specific Module for which that Assessor-Employee has been qualified.
• An Assessor-Employee only qualified by PCI SSC as a Secure Software Assessor is only authorized to conduct SSF Assessments against the Secure Software Standard and the specific Module(s) for which that Assessor-Employee has been qualified.
Modified
p. 16
If a SSF Assessor Company wishes to hire another company that is not an active SSF Assessor Company to perform any portion of the SSF Assessor Company Services, such hiring is considered to be subcontracting and requires prior written consent by PCI SSC for each subcontracted worker. The SSF Assessor Company must also provide to PCI SSC proof-of-coverage statements covering all such subcontractors to demonstrate that insurance satisfying applicable insurance coverage requirements (see Appendix B) has been purchased and …
If an SSF Assessor Company wishes to hire another company that is not an active SSF Assessor Company to perform any portion of the SSF Assessor Company Services, such hiring is considered to be subcontracting and requires prior written consent by PCI SSC for each subcontracted worker. The SSF Assessor Company must also provide to PCI SSC proof-of-coverage statements covering all such subcontractors to demonstrate that insurance satisfying applicable insurance coverage requirements (see Appendix B) has been purchased and …
Modified
p. 17
• Possess a minimum of one (1) year of experience in each of the following software development disciplines (experience may be acquired concurrently; for example, if the role involved experience in multiple disciplines at the same time):
• Possess a minimum of one (1) year of experience in each of the following software development disciplines (experience may be acquired concurrently; for example, if the role involved experience in multiple disciplines at the same time):
Modified
p. 17
• Possess a minimum of three (3) years of experience in each of the following information security disciplines (experience may be acquired concurrently; for example, if the role involved experience in multiple disciplines at the same time):
• Possess a minimum of three (3) years of experience in each of the following information security disciplines (experience may be acquired concurrently; for example, if the role involved experience in multiple disciplines at the same time):
Modified
p. 19
• Possess a minimum of three (3) years of experience in each of the following software development disciplines (experience may be acquired concurrently; for example, if the role involved experience in multiple disciplines at the same time):
• Possess a minimum of three (3) years of experience in each of the following software development disciplines (experience may be acquired concurrently; for example, if the role involved experience in multiple disciplines at the same time):
Modified
p. 19
• Possess a minimum of three (3) years of experience in each of the following software security disciplines (experience may be acquired concurrently; for example, if the role involved experience in multiple disciplines at the same time):
• Possess a minimum of three (3) years of experience in each of the following software security disciplines (experience may be acquired concurrently; for example, if the role involved experience in multiple disciplines at the same time):
Removed
p. 20
Note: Prior to July 1, 2021: List C certification is not required for Secure Software Assessor candidates who (a) successfully complete and pass all requisite Secure Software Assessor training and exams and (b) are qualified by PCI SSC as PA-QSA Employees as of the time they submit their application for Secure Software Assessor qualification.
Modified
p. 20
• Process at least one of the following accredited, industry-recognized professional certifications from List C in Table 3.
• Possess at least one of the following accredited, industry-recognized professional certifications from List C in Table 3.
Modified
p. 20
Table 3: Professional Certifications for Secure Software Assessors Information Security Software Development
Table 3: Professional Certifications for Secure Software Assessors Information Security Software Development • (ISC)2 Certified Information System Security Professional (CISSP)
Modified
p. 20
• Legitimately and successfully complete and pass all required Secure Software Assessor training and exams, of his or her own accord without any unauthorized assistance. Each employee who fails to complete or pass any requisite training or exam must not perform or manage any Secure Software Assessment until completing
• Legitimately and successfully complete and pass all required Secure Software Assessor training and exams, of his or her own accord without any unauthorized assistance. Each employee who fails to complete or pass any requisite training or exam must not perform or manage any Secure Software Assessment until completing such training, passing such exam, and establishing or reinstating his or her qualification (as applicable). Required training and exams include:
Modified
p. 21
• Additional Module training(s) and exam(s) issued by PCI SSC as part of the required Secure Software Assessor training within 90 days of training release, at any time, from time to time.
• Additional Module training(s) and exam(s) issued by PCI SSC as part of the required Secure Software Assessor training within ninety (90) days of training release, at any time, from time to time.
Modified
p. 23
• Annual background checks consistent with this section for each of its Assessor-Employees for any change in criminal records, arrests or convictions 4.3 Internal Quality Assurance 4.3.1 Requirement The SSF Assessor Company must adhere to all quality assurance requirements described in this document or otherwise established by PCI SSC from time to time.
• Annual background checks consistent with this section for each of its Assessor-Employees for any change in criminal records, arrests, or convictions 4.3 Internal Quality Assurance 4.3.1 Requirement The SSF Assessor Company must adhere to all quality assurance requirements described in this document or otherwise established by PCI SSC from time to time.
Modified
p. 23
• Approval and sign-off processes for SSF Assessments and respective Assessment
• Approval and sign-off processes for SSF Assessments and respective Assessment Reports
Modified
p. 23
• Requirements for handling and retention of workpapers and other Assessment Results and Related Materials ( defined in the SSF Agreement). See also Section 4.5 for specific Workpaper Retention Policy requirements and specifications.
• Requirements for handling and retention of workpapers and other Assessment Results and Related Materials (defined in the SSF Agreement). See also Section 4.5 for specific Workpaper Retention Policy requirements and specifications.
Modified
p. 25
• Requirements that systems that store, process or transmit information of multiple classifications is classified according to the highest classification of information handled.
• Requirements that systems that store, process, or transmit information of multiple classifications is classified according to the highest classification of information handled.
Modified
p. 25
• Securely storing, transmitting and tracking all confidential and personal information (or the systems/media containing such information).
• Securely storing, transmitting, and tracking all confidential and personal information (or the systems/media containing such information).
Modified
p. 26 → 25
• Physical, electronic, and procedural safeguards for protecting the transmission of confidential or personal information between authorized parties, systems or custodians, including:
• Physical, electronic, and procedural safeguards for protecting the transmission of confidential or personal information between authorized parties, systems, or custodians, including:
Modified
p. 26
• Assessment Results and Related Materials (defined in the SSF Agreement), including but not limited to SSF Assessment workpapers and related materials, represent the evidence generated and/or gathered by an SSF Assessor Company and its Assessor-Employee(s) to support the contents of each Assessment Report. Retention of Assessment Results and Related Materials is required and the Assessment Results and Related Materials relating to a given SSF Assessment should represent all steps of the SSF Assessment from end-to-end. Such Assessment Results …
• Assessment Results and Related Materials (defined in the SSF Agreement), including but not limited to SSF Assessment workpapers and related materials, represent the evidence generated and/or gathered by an SSF Assessor Company and its Assessor-Employee(s) to support the contents of each Assessment Report. Retention of Assessment Results and Related Materials is required and the Assessment Results and Related Materials relating to a given SSF Assessment should represent all steps of the SSF Assessment from end-to-end. Such Assessment Results …
Modified
p. 27
• The SSF Assessor Company must provide a copy of the Workpaper Retention Policy and related procedures to PCI SSC upon request, including copies of any other policies and procedures referenced within any of the foregoing documents, such as general confidential and sensitive 4.5.2 Provisions The applicant SSF Assessor Company must provide a completed version of Appendix C to PCI SSC.
• The SSF Assessor Company must provide a copy of the Workpaper Retention Policy and related procedures to PCI SSC upon request, including copies of any other policies and procedures referenced within any of the foregoing documents, such as general confidential and sensitive.
Modified
p. 30 → 29
If, at any time, an SSF Assessor Company and/or Assessor-Employee does not meet the applicable SSF Requirements (including without limitation, payment or documentation requirements), PCI SSC reserves the right to remove the SSF Assessor Company and/or Assessor-Employee immediately from the respective list(s) or tool(s) on the Website, regardless of Remediation or Revocation. PCI SSC will notify the SSF Assessor Company of each such removal in accordance with the SSF Agreement, typically via registered or overnight mail and/or e-mail. Refer to …
If, at any time, an SSF Assessor Company and/or Assessor-Employee does not meet the applicable SSF Requirements (including without limitation, payment, or documentation requirements), PCI SSC reserves the right to remove the SSF Assessor Company and/or Assessor-Employee immediately from the respective list(s) or tool(s) on the Website, regardless of Remediation or Revocation. PCI SSC will notify the SSF Assessor Company of each such removal in accordance with the SSF Agreement, typically via registered or overnight mail and/or e-mail. Refer to …
Modified
p. 31 → 30
• Payment of annual re-qualification fee in accordance with the Website • PCI SSC Programs Fee Schedule.
• Payment of annual re-qualification fee in accordance with the Website
Modified
p. 31 → 30
• Maintaining professional certification(s) as required per Section 3.2, Assessor-Employee • Skills and Experience. PCI SSC reserves the right to request proof of current professional certifications at any time.
• Maintaining professional certification(s) as required per Section 3.2, Assessor-Employee
Modified
p. 31 → 30
• Payment of annual re-qualification fees in accordance with the Website Programs Fee Schedule.
• Payment of annual re-qualification fees in accordance with the Website
Modified
p. 31 → 30
All Secure Software Assessors must successfully complete the required training and pass the exam for each additional Module within 90 calendar days from PCI SSC publication and announcement. If the Secure Software Assessor is unable to successfully complete the training and pass the exam for a Module within this 90-day period, they will be Revoked, notified accordingly and removed from the applicable search tool on the Website.
All Secure Software Assessors must successfully complete the required training and pass the exam for each additional Module within ninety (90) calendar days from PCI SSC publication and announcement. If the Secure Software Assessor is unable to successfully complete the training and pass the exam for a Module within this 90-day period, they will be Revoked, notified accordingly, and removed from the applicable search tool on the Website.
Modified
p. 34 → 33
• Engaging in unprofessional or unethical business conduct, including without limitation, plagiarism or other improper use of third-party work product in Assessment Reports
• Engaging in unprofessional or unethical business conduct, including without limitation, plagiarism, or other improper use of third-party work product in Assessment Reports
Modified
p. 34 → 33
• Failure to be in Good Standing (as defined in the SSF Agreement) as an SSF Assessor Company, including but not limited to failure to successfully complete applicable quality assurance audits and/or comply with all applicable requirements, policies, and procedures of
• Failure to be in Good Standing (as defined in the SSF Agreement) as an SSF Assessor Company, including but not limited to failure to successfully complete applicable quality assurance audits and/or comply with all applicable requirements, policies, and procedures of PCI SSC's quality assurance, Remediation, and oversight programs and initiatives as established or imposed from time to time by PCI SSC in its sole discretion
Modified
p. 34 → 33
• Failure to promptly notify PCI SSC of any event described above that occurred within three (3) years prior to the SSF Assessor Company’s or Assessor-Employee’s initial SSF Assessor qualification date
• Failure to promptly notify PCI SSC of any event described above that occurred within three (3) years prior to the SSF Assessor Company’s or Assessor-Employee’s initial SSF Assessor qualification date Each Violation constitutes a breach of the SSF Agreement, and a failure to comply with applicable SSF Requirements, and may result in Revocation of SSF Assessor Company and/or Assessor-Employee qualification(s) and/or termination of the SSF Agreement.
Modified
p. 38 → 37
SSF Assessor acknowledges that data security practices exist within a rapidly changing environment and agrees to monitor the Website at least weekly for changes to the SSF Standards and the SSF Qualification Requirements. SSF Assessor will incorporate all such changes into all applicable SSF Assessments initiated on or after the effective date of such changes. SSF Assessor acknowledges and agrees that any Assessment Report or other required report regarding a SSF Assessment that is not conducted in accordance with the …
SSF Assessor acknowledges that data security practices exist within a rapidly changing environment and agrees to monitor the Website at least weekly for changes to the SSF Standards and the SSF Qualification Requirements. SSF Assessor will incorporate all such changes into all applicable SSF Assessments initiated on or after the effective date of such changes. SSF Assessor acknowledges and agrees that any Assessment Report or other required report regarding an SSF Assessment that is not conducted in accordance with the …
Modified
p. 38 → 37
A.3.2 Performance of Services SSF Assessor warrants, represents and agrees that it will only perform SSF Assessments for which it has been and is then qualified by PCI SSC, and that it will perform each such SSF Assessment in strict compliance with the applicable SSF Standard(s) as in effect as of the commencement date of such SSF Assessment. SSF Assessor acknowledges and agrees that SSF Assessor is only authorized to conduct SSF Assessments against the specific SSF
A.3.2 Performance of Services SSF Assessor warrants, represents, and agrees that it will only perform SSF Assessments for which it has been and is then qualified by PCI SSC, and that it will perform each such SSF Assessment in strict compliance with the applicable SSF Standard(s) as in effect as of the commencement date of such SSF Assessment. SSF Assessor acknowledges and agrees that SSF Assessor is only authorized to conduct SSF Assessments against the specific SSF
Modified
p. 40 → 39
SSF Assessor acknowledges that PCI SSC may review and modify its Fees at any time and from time to time. Whenever a change in Fees occurs, PCI SSC shall notify SSF Assessor in accordance with the terms of Section A.10.1. Such change(s) will be effective immediately after the date of such notification. However, should SSF Assessor not agree with such change(s), SSF Assessor shall have the right to terminate this Agreement upon written notice to PCI SSC in accordance with …
SSF Assessor acknowledges that PCI SSC may review and modify its Fees at any time and from time to time. Whenever a change in Fees occurs, PCI SSC shall notify SSF Assessor in accordance with the terms of Section A.10.1. Such change(s) will be effective immediately after the date of such notification. However, should SSF Assessor not agree with such change(s), SSF Assessor shall have the right to terminate this Agreement upon written notice to PCI SSC in accordance with …
Modified
p. 40 → 39
A.5 Advertising and Promotion - Intellectual Property A.5.1 SSF Assessor List and SSF Assessor Use of PCI Materials and Marks a. So long as SSF Assessor is qualified by PCI SSC as a SSF Assessor Company, PCI SSC may, at its sole discretion, display the identification of SSF Assessor, together with related information regarding SSF Assessor's status as a SSF Assessor Company (including without limitation, good standing, Remediation and/or Revocation defined in Section A.9.5(a) status), in such publicly available lists …
A.5 Advertising and Promotion - Intellectual Property A.5.1 SSF Assessor List and SSF Assessor Use of PCI Materials and Marks a. So long as SSF Assessor is qualified by PCI SSC as an SSF Assessor Company, PCI SSC may, at its sole discretion, display the identification of SSF Assessor, together with related information regarding SSF Assessor's status as an SSF Assessor Company (including without limitation, good standing, Remediation and/or Revocation defined in Section A.9.5(a) status), in such publicly available lists …
Modified
p. 42 → 41
A.5.4 Intellectual Property Rights All Intellectual Property Rights, title and interest in and to the SSF, each SSF Standard and all other PCI Materials, all materials SSF Assessor receives from PCI SSC, and each portion, future version, revision, extension, and improvement of any of the foregoing, are and at all times shall remain solely and exclusively the property of PCI SSC or its licensors, as applicable. Subject to the foregoing and to the restrictions set forth in Section A.6, so …
A.5.4 Intellectual Property Rights All Intellectual Property Rights, title, and interest in and to the SSF, each SSF Standard and all other PCI Materials, all materials SSF Assessor receives from PCI SSC, and each portion, future version, revision, extension, and improvement of any of the foregoing, are and at all times shall remain solely and exclusively the property of PCI SSC or its licensors, as applicable. Subject to the foregoing and to the restrictions set forth in Section A.6, so …
Modified
p. 43 → 42
A.6.2 General Restrictions a. Each party (the "Receiving Party") agrees that all Confidential Information received from the other party (the "Disclosing Party") shall: (i) be treated as confidential; (ii) be disclosed only to those Members, officers, employees, legal advisers, accountants, representatives and agents of the Receiving Party who have a need to know and be used solely as required in connection with (A) the performance of this Agreement and/or (B) the operation of such party's or its Members’ respective payment …
A.6.2 General Restrictions a. Each party (the "Receiving Party") agrees that all Confidential Information received from the other party (the "Disclosing Party") shall: (i) be treated as confidential; (ii) be disclosed only to those Members, officers, employees, legal advisers, accountants, representatives and agents of the Receiving Party who have a need to know and be used solely as required in connection with (A) the performance of this Agreement and/or (B) the operation of such party's or its Members’ respective payment …
Modified
p. 44 → 43
A.6.4 Personal Information In the event that SSF Assessor receives Personal Information from PCI SSC or any Member or SSF Assessor Company client in the course of providing Services or otherwise in connection with this Agreement, in addition to the obligations set forth elsewhere in this Agreement, SSF Assessor will at all times during the Term (as defined in Section A.9.1) maintain such data protection handling practices as may be required by PCI SSC from time to time, including without …
A.6.4 Personal Information In the event that SSF Assessor receives Personal Information from PCI SSC or any Member or SSF Assessor Company client in the course of providing Services or otherwise in connection with this Agreement, in addition to the obligations set forth elsewhere in this Agreement, SSF Assessor will at all times during the Term (as defined in Section A.9.1) maintain such data protection handling practices as may be required by PCI SSC from time to time, including without …
Modified
p. 45 → 43
SSF Assessor acknowledges and agrees that information relating to an identified or identifiable natural person (“Personal Data”) submitted to PCI SSC by or on behalf of SSF Assessor in connection with SSF or any other PCI SSC program is governed by the Privacy Policy available on the Website. If such Personal Data relates to a person resident or located in the European Union or European Economic Area, that person may have certain rights under the General Data Protection Regulation (“GDPR”) …
SSF Assessor acknowledges and agrees that information relating to an identified or identifiable natural person (“Personal Data”) submitted to PCI SSC by or on behalf of SSF Assessor in connection with SSF or any other PCI SSC program is governed by the Privacy Policy available
Modified
p. 45 → 44
A.6.5 Return Within fourteen (14) days after notice of termination of this Agreement or demand by PCI SSC, SSF Assessor promptly shall return to PCI SSC all property and Confidential Information of PCI SSC and of all third parties to the extent provided or made available by PCI SSC; provided, however, that SSF Assessor may retain copies of Confidential Information of PCI SSC to the extent the same were, prior to such notice of termination or demand, either automatically generated …
A.6.5 Return Within fourteen (14) days after notice of termination of this Agreement or demand by PCI SSC, SSF Assessor promptly shall return to PCI SSC all property and Confidential Information of PCI SSC and of all third parties to the extent provided or made available by PCI SSC; provided, however, that SSF Assessor may retain copies of Confidential Information of PCI SSC to the extent the same were, prior to such notice of termination or demand, either automatically generated …
Modified
p. 45 → 44
A.6.6 Remedies In the event of a breach of Section A.6.2 by the Receiving Party, the Receiving Party acknowledges that the Disclosing Party will likely suffer irreparable damage that cannot be fully remedied by monetary damages. Therefore, in addition to any remedy that the Disclosing Party may possess pursuant to applicable law, the Disclosing Party retains the right to seek and obtain injunctive relief against any such breach in any court of competent jurisdiction. In the event any such breach …
A.6.6 Remedies In the event of a breach of Section A.6.2 by the Receiving Party, the Receiving Party acknowledges that the Disclosing Party will likely suffer irreparable damage that cannot be fully remedied by monetary damages. Therefore, in addition to any remedy that the Disclosing Party may possess pursuant to applicable law, the Disclosing Party retains the right to seek and obtain injunctive relief against any such breach in any court of competent jurisdiction. In the event any such breach …
Modified
p. 48 → 47
A.7.4 Insurance At all times while this Agreement is in effect, SSF Assessor shall maintain insurance in such amounts, with such insurers, coverages, exclusions and deductibles which, at a minimum, meet the applicable insurance requirements for U.S. or European Union SSF Assessor Companies (as applicable) participating in the SSF, including without limitation, the insurance requirements for SSF Assessor Companies set forth in Appendix B of the SSF Qualification Requirements. SSF Assessor acknowledges and agrees that if it is a non-U.S. …
A.7.4 Insurance At all times while this Agreement is in effect, SSF Assessor shall maintain insurance in such amounts, with such insurers, coverages, exclusions, and deductibles which, at a minimum, meet the applicable insurance requirements for U.S. or European Union SSF Assessor Companies (as applicable) participating in the SSF, including without limitation, the insurance requirements for SSF Assessor Companies set forth in Appendix B of the SSF Qualification Requirements. SSF Assessor acknowledges and agrees that if it is a non-U.S. …
Modified
p. 49 → 48
A.9.4 Effect of Termination Upon any termination or expiration of this Agreement: (i) SSF Assessor will be removed from the SSF Assessor List; (ii) SSF Assessor shall immediately cease all advertising and promotion of its Qualification and status as a SSF Assessor Company and its listing(s) on the SSF Assessor List, and ensure that it and its employees do not state or imply that any employee of SSF Assessor is an “Assessor-Employee,” a “SSF Assessor” or otherwise qualified by PCI …
A.9.4 Effect of Termination Upon any termination or expiration of this Agreement: (i) SSF Assessor will be removed from the SSF Assessor List; (ii) SSF Assessor shall immediately cease all advertising and promotion of its Qualification and status as an SSF Assessor Company and its listing(s) on the SSF Assessor List, and ensure that it and its employees do not state or imply that any employee of SSF Assessor is an “Assessor-Employee,” an “SSF Assessor” or otherwise qualified by PCI …
Modified
p. 50 → 49
A.9.5 Revocation a. Without limiting the rights of PCI SSC as set forth elsewhere in this Agreement, in the event that PCI SSC determines in its sole but reasonable discretion that SSF Assessor meets any condition for Revocation of its Qualification as a SSF Assessor Company as established by PCI SSC from time to time (satisfaction of any such condition, a “Violation”), including without limitation, any of the conditions identified as or described as examples of Violations herein or in …
A.9.5 Revocation a. Without limiting the rights of PCI SSC as set forth elsewhere in this Agreement, in the event that PCI SSC determines in its sole but reasonable discretion that SSF Assessor meets any condition for Revocation of its Qualification as an SSF Assessor Company as established by PCI SSC from time to time (satisfaction of any such condition, a “Violation”), including without limitation, any of the conditions identified as or described as examples of Violations herein or in …
Modified
p. 51 → 50
A.10 General Terms A.10.1 Notices All notices required under this Agreement shall be in writing and shall be deemed given when delivered (a) personally, (b) by overnight delivery upon written verification of receipt, (c) by facsimile or electronic mail transmission upon electronic transmission confirmation or delivery receipt, or (d) by certified or registered mail, return receipt requested, five (5) days after the date of mailing. Notices from PCI SSC to SSF Assessor shall be sent to the attention of the …
A.10 General Terms A.10.1 Notices All notices required under this Agreement shall be in writing and shall be deemed given when delivered (a) personally, (b) by overnight delivery upon written verification of receipt, (c) by facsimile or electronic mail transmission upon electronic transmission confirmation or delivery receipt, or (d) by certified or registered mail, return receipt requested, five (5) days after the date of mailing. Notices from PCI SSC to SSF Assessor shall be sent to the attention of the …
Removed
p. 52
A.10.2 Audit and Financial Statements a. SSF Assessor shall allow PCI SSC or its designated agents access during normal business hours throughout the Term and for six (6) months thereafter to perform audits of SSF Assessor’s facilities, operations and records of Services to determine whether SSF Assessor has complied with this Agreement. SSF Assessor also shall provide PCI SSC or its designated agents during normal business hours with books, records and supporting documentation adequate to evaluate SSF Assessor’s performance hereunder. Upon request, SSF Assessor shall provide PCI SSC with a copy of its most recent audited financial statements or those of its parent company which include financial results of SSF Assessor, a letter from SSF Assessor’s certified public accountant, or other documentation acceptable to PCI SSC setting out SSF Assessor’s current financial status and warranted by SSF Assessor to be complete and accurate. PCI SSC acknowledges that any such statements …
Modified
p. 53 → 52
A.10.4 Entire Agreement; Modification; Waivers The parties agree that this Agreement, including the SSF Qualification Requirements and any other documents, addenda, supplements, amendments, appendices, exhibits, schedules or other materials incorporated herein by reference (each of which is hereby incorporated into and made a part of this Agreement by this reference), is the exclusive statement of the agreement between the parties with respect to the subject matter hereof, which supersedes and merges all prior proposals, understandings and all other agreements, oral …
A.10.4 Entire Agreement; Modification; Waivers The parties agree that this Agreement, including the SSF Qualification Requirements and any other documents, addenda, supplements, amendments, appendices, exhibits, schedules or other materials incorporated herein by reference (each of which is hereby incorporated into and made a part of this Agreement by this reference), is the exclusive statement of the agreement between the parties with respect to the subject matter hereof, which supersedes and merges all prior proposals, understandings and all other agreements, oral …
Modified
p. 54 → 52
A.10.5 Assignment SSF Assessor may not assign this Agreement, or assign, delegate or subcontract any of its rights and/or obligations under this Agreement (including but not limited to by subcontracting any of the foregoing to a related party or affiliate), without the prior written consent of PCI SSC, which consent PCI SSC may grant or withhold in its absolute discretion.
A.10.5 Assignment SSF Assessor may not assign this Agreement, or assign, delegate, or subcontract any of its rights and/or obligations under this Agreement (including but not limited to by subcontracting any of the foregoing to a related party or affiliate), without the prior written consent of PCI SSC, which consent PCI SSC may grant or withhold in its absolute discretion.
Modified
p. 55 → 54
• WORKERS’ COMPENSATION: Statutory Workers Compensation as required by applicable law
• WORKERS’ COMPENSATION: Statutory Workers Compensation as required by applicable law and
Modified
p. 55 → 54
• CRIME/FIDELITY BOND including first-party employee dishonesty, robbery, fraud, theft, forgery, alteration, mysterious disappearance and destruction. Coverage must also include third-party employee dishonesty, i.e., coverage for claims made by the Security Assessor’s client against the Security Assessor for theft committed by the Security Assessor employees.
• CRIME/FIDELITY BOND including first-party employee dishonesty, robbery, fraud, theft, forgery, alteration, mysterious disappearance, and destruction. Coverage must also include third-party employee dishonesty, i.e., coverage for claims made by the Security Assessor’s client against the Security Assessor for theft committed by the Security Assessor employees. The minimum limit shall be $1,000,000 each loss and annual aggregate. The policy Coverage Territory must be global.
Modified
p. 55 → 54
Without limiting Security Assessor’s indemnification duties as outlined in the indemnification section of the Agreement, PCI SSC shall be named as an additional insured under the Commercial General
Without limiting Security Assessor’s indemnification duties as outlined in the indemnification section of the Agreement, PCI SSC shall be named as an additional insured under the Commercial General Liability for any claims and losses arising out of, allegedly arising out of or in any way connected to the Security Assessor’s performance of the Services under the Agreement. The insurers shall agree that the Security Assessor’s insurance is primary and any insurance maintained by PCI SSC shall be excess and non-contributing …
Modified
p. 60 → 59
The Company represents and warrants that it currently possesses (and at all times while it is a SSF Assessor Company will continue to possess) technical security assessment experience similar or related to SSF Assessments, and that it has (and must have) a dedicated software security practice that includes staff with specific job functions that support the software security practice.
The Company represents and warrants that it currently possesses (and at all times while it is an SSF Assessor Company will continue to possess) technical security assessment experience similar or related to SSF Assessments, and that it has (and must have) a dedicated software security practice that includes staff with specific job functions that support the software security practice.
Modified
p. 60 → 59
Total time: Years Months Company acknowledgements The Company acknowledges and agrees that all of the above skill sets will be present and fully utilized on every SSF Assessment.
Total time: Years Months Company acknowledgments The Company acknowledges and agrees that all of the above skill sets will be present and fully utilized on every SSF Assessment.
Modified
p. 61 → 60
Additional Deliverables for SSF Assessor Companies Two client references from relevant security engagements within the last 12 months¹:
Additional Deliverables for SSF Assessor Companies Two client references from relevant security engagements within the last twelve (12) months¹:
Modified
p. 65 → 64
The applicant is an existing QSA Employee, employed by a QSA Company (If yes, this applicant may be eligible for computer based training) Candidate Skills, Experience and Education Examples of work or description of the Candidate's experience with Software/Systems Design:
The applicant is an existing QSA Employee, employed by a QSA Company (If yes, this applicant may be eligible for computer-based training) Candidate Skills, Experience and Education Examples of work or description of the Candidate's experience with Software/Systems Design:
Modified
p. 67 → 66
(a) The information provided above is true, accurate, and complete; (b) I have read and understand the SSF Qualification Requirements for Assessors and will comply with the terms thereof; and (c) I have read and understand the PCI SSC Code of Professional Responsibility, and will advocate, continuously adhere to and support the terms and provisions thereof.
(a) The information provided above is true, accurate, and complete; (b) I have read and understand the SSF Qualification Requirements for Assessors and will comply with the terms thereof; and (c) I have read and understand the PCI SSC Code of Professional Responsibility, and will advocate, continuously adhere to, and support the terms and provisions thereof.
Modified
p. 70 → 69
(a) The information provided above is true, accurate, and complete; (b) I have read and understand the SSF Qualification Requirements for Assessors and will comply with the terms thereof; and (c) I have read and understand the PCI SSC Code of Professional Responsibility, and will advocate, continuously adhere to and support the terms and provisions thereof.
(a) The information provided above is true, accurate, and complete; (b) I have read and understand the SSF Qualification Requirements for Assessors and will comply with the terms thereof; and (c) I have read and understand the PCI SSC Code of Professional Responsibility, and will advocate, continuously adhere to, and support the terms and provisions thereof.