Document Comparison

SSF-Qualification-Requirements-for-Assessors-V1.pdf PCI-SSF-Qualification-Requirements-v1_1.pdf
74% similar
77 → 71 Pages
25739 → 26801 Words
147 Content Changes

Content Changes

147 content changes. 98 administrative changes (dates, page numbers) hidden.

Added p. 2
June 2019 1.0 Initial release of the Software Security Framework Qualification Requirements for Assessors.
Added p. 6
The Secure SLC Standard provides security requirements with corresponding assessment procedures and guidance for software vendors to integrate security throughout the entire software lifecycle. It is intended for eligible vendors who develop payment software or any software or component software used within a payment environment. (For complete eligibility criteria, refer to the PCI Secure Software Lifecycle Program Guide.) The Secure Software Standard provides security requirements for building secure payment software to help protect the integrity and confidentiality of sensitive data that is stored, processed or transmitted in association with payment transactions. It is intended for vendors that develop payment software that supports or facilitates payment transactions. The Secure Software Standard is a module-based architecture composed of Core Requirements that apply to all payment software submitted for validation under the PCI Software Security Framework, and individual Secure Software Standard modules (each a “Module”) that are function or platform specific to address …
Added p. 7
1. Qualification of the assessor company itself, and

To initiate the qualification process, the assessor company must submit to PCI SSC its:

Unmodified, completed, and executed SSF Agreement, and Completed and executed SSF Assessor Company Application (Appendix C).

Separate applications are required for SSF Assessor Companies (Appendix C), Secure SLC Assessors (Appendix D), and Secure Software Assessors (Appendix E). All applications must be submitted to PCI SSC.

All application materials and the signed SSF Agreement must be submitted in English. The SSF Agreement is binding in English, even if it is translated and reviewed in another language. All other documentation provided by the SSF Assessor Company (or candidate) in a language other than English must be accompanied by a certified English translation (examples include business licenses and insurance certificates).

Applicants must complete and submit applications to PCI SSC via PCI SSC’s secure web portal. Applications that have not been approved or rejected after 180 days …
Added p. 8
Note: PCI SSC reserves the right to reject any application from any applicant that PCI SSC determines has committed, within three (3) years prior to the application date, any conduct that would have been considered a “Violation” (for purposes of Section 6.3 or the SSF Agreement) if committed by an SSF Assessor Company or Assessor-Employee. The period of ineligibility will be a minimum of one (1) year, as determined by PCI SSC in a reasonable and non-discriminatory manner.
Added p. 8
Section 1: Introduction and overview.

Section 2: SSF Assessor Company Business Requirements includes minimum business requirements that must be demonstrated to PCI SSC by the assessor company.

Section 3: SSF Assessor Company Capability Requirements includes the information and documentation necessary to demonstrate the assessor company’s service expertise.

Section 4: SSF Assessor Company Administrative Requirements includes standards for operating as a SSF Assessor Company.

Section 5: SSF Assessor Company List and Re-Qualification includes the annual re-qualification process for the SSF Assessor Company.

Section 6: Assessor Quality Management Program includes PCI SSC’s assessor quality management process, including remediation and revocation.

• SSF Agreement (Appendix A)

• Insurance Requirements (Appendix B)

• SSF Assessor Company Application (Appendix C)

• Secure SLC Assessor Application (Appendix D)

• Secure Software Assessor Application (Appendix E)

• Amending SSF Assessor Company Status (Appendix F)

1.2 Related Publications This document should be reviewed along with other applicable PCI SSC publications, including but not limited to the current publicly available …
Added p. 14
There are no separate fees charged for the Module training and the first attempt of the exam (see Section 5.3). Additional exam attempts, if needed by individual Secure Software Assessors, are subject to the current failed exam fee listed in the PCI SSC Programs Fee Schedule.
Added p. 16
An Assessor-Employee only qualified by PCI SSC as a Secure SLC Assessor is authorized to conduct SSF Assessments only against the Secure SLC Standard.

An Assessor-Employee only qualified by PCI SSC as a Secure Software Assessor is only authorized to conduct SSF Assessments against the Secure Software Standard and the specific Module for which that Assessor-Employee has been qualified.

Table 2: Professional Certifications for Secure SLC Assessors Information Security

Performing Secure Software Assessments Verifying the work product addresses all Secure Software Assessment procedure steps and supports the validation status of the payment software Strictly following the Secure Software Standard and PCI Secure Software Assessor Program Guide Producing the final Assessment Report Each Secure Software Assessor performing or managing a Secure Software Assessment must satisfy the following requirements:

Table 3: Professional Certifications for Secure Software Assessors Information Security Software Development

• (ISC)2 Certified Information System Security Professional (CISSP)

Legitimately and successfully complete and pass all required Secure …
Added p. 21
• Initial Secure Software Assessor qualification training and exam

• Annual Secure Software Assessor requalification training and exam

• Additional Module training(s) and exam(s) issued by PCI SSC as part of the required Secure Software Assessor training within 90 days of training release, at any time, from time to time.

Minor offenses (for example, misdemeanors or non-US equivalents) are allowed; but major offenses (for example, felonies or non-US equivalents) within the prior 5-year period

• onboarding requirements for Assessor-Employees

• résumés and current skill sets for Assessor-Employees, and a process for ongoing training, monitoring, and evaluating Assessor-Employees to ensure their skill sets stay current and relevant for SSF Assessments Descriptions of all job functions and responsibilities within the SSF Assessor Company relating to its status and obligations as an SSF Assessor Company Identification of QA manual process owner Approval and sign-off processes for SSF Assessments and respective Assessment Requirements for independent quality review of SSF Assessor Company and Assessor- …
Added p. 31
All Secure Software Assessors must successfully complete the required training and pass the exam for each additional Module within 90 calendar days from PCI SSC publication and announcement. If the Secure Software Assessor is unable to successfully complete the training and pass the exam for a Module within this 90-day period, they will be Revoked, notified accordingly and removed from the applicable search tool on the Website.

Notwithstanding the foregoing, a Secure Software Assessor that has been Revoked solely because they did not pass the Module exam within ninety (90) calendar days may be restored as a Secure Software Assessor and reinstated in the applicable search tool on the Website, without submitting a new Secure Software Assessor Application (Appendix E), if they meet the following criteria within thirty (30) calendar days past the applicable due date for the required Module training/exam: (i) successfully passes the required Module exam; (ii) submits a …
Added p. 32
Secure Software Assessors Complete all required Module training and successfully complete proctored exam.
Added p. 34
• Failure to meet applicable SSF quality standards or comply with applicable SSF Requirements

• Failure to pay applicable SSF fees

• Failure to meet applicable SSF training requirements (annual or otherwise)

• Failure to meet applicable SSF continuing education requirements

• Failure to provide quality services, based on customer feedback or evaluation by PCI SSC or its affiliates

• Failure to maintain applicable SSF insurance requirements

• Failure to comply with or validate compliance in accordance with applicable SSF Requirements, the applicable SSF Standard, the PCI Secure SLC Program Guide or PCI Secure Software Standard Program Guide (as applicable), or the terms of the SSF Agreement or supplements or addenda thereto

• Failure to maintain physical, electronic, or procedural safeguards to protect confidential or sensitive information

• Failure to report unauthorized access to any system storing confidential or sensitive information

• Engaging in unprofessional or unethical business conduct, including without limitation, plagiarism or other improper use of third-party work …
Added p. 37
PCI SSC Signature Date

SSF Assessor acknowledges that data security practices exist within a rapidly changing environment and agrees to monitor the Website at least weekly for changes to the SSF Standards and the SSF Qualification Requirements. SSF Assessor will incorporate all such changes into all applicable SSF Assessments initiated on or after the effective date of such changes. SSF Assessor acknowledges and agrees that any Assessment Report or other required report regarding a SSF Assessment that is not conducted in accordance with the applicable SSF Standard as in effect at the initiation date of such SSF Assessment may be rejected.
Added p. 40
A.5 Advertising and Promotion - Intellectual Property A.5.1 SSF Assessor List and SSF Assessor Use of PCI Materials and Marks a. So long as SSF Assessor is qualified by PCI SSC as a SSF Assessor Company, PCI SSC may, at its sole discretion, display the identification of SSF Assessor, together with related information regarding SSF Assessor's status as a SSF Assessor Company (including without limitation, good standing, Remediation and/or Revocation defined in Section A.9.5(a) status), in such publicly available lists of SSF Assessor Companies as PCI SSC may maintain and/or distribute from time to time, whether on the Website or otherwise (collectively referred to herein as the "SSF Assessor List"). SSF Assessor shall provide all requested information necessary to ensure to PCI SSC's satisfaction that the identification and information relating to SSF Assessor on the SSF Assessor List is accurate. Without limiting the rights of PCI SSC set forth in …
Added p. 42
A.5.4 Intellectual Property Rights All Intellectual Property Rights, title and interest in and to the SSF, each SSF Standard and all other PCI Materials, all materials SSF Assessor receives from PCI SSC, and each portion, future version, revision, extension, and improvement of any of the foregoing, are and at all times shall remain solely and exclusively the property of PCI SSC or its licensors, as applicable. Subject to the foregoing and to the restrictions set forth in Section A.6, so long as SSF Assessor is in Good Standing as a SSF Assessor Company or in compliance with Remediation, SSF Assessor may, on a non-exclusive, non-transferable, worldwide, revocable basis, use the PCI Materials (and any portion thereof), provided that such use is solely for SSF Assessor’s internal review purposes or as otherwise expressly permitted in this Agreement or pursuant and subject to the terms of a separate written consent or agreement …
Added p. 50
A.9.5 Revocation a. Without limiting the rights of PCI SSC as set forth elsewhere in this Agreement, in the event that PCI SSC determines in its sole but reasonable discretion that SSF Assessor meets any condition for Revocation of its Qualification as a SSF Assessor Company as established by PCI SSC from time to time (satisfaction of any such condition, a “Violation”), including without limitation, any of the conditions identified as or described as examples of Violations herein or in the SSF Qualification Requirements, PCI SSC may, effective immediately upon notice of such Violation to SSF Assessor, revoke such Qualification from SSF Assessor (“Revocation”), and such revoked Qualification shall be subject to reinstatement pending a successful appeal in accordance with Section A.9.5(b) and PCI SSC policies and procedures. b. In the event of any Revocation: (i) SSF Assessor will be removed from the SSF Assessor List(s) and/or its listing(s) thereupon …
Added p. 64
Duly authorized officer signature Date
Added p. 67
Candidate signature Date
Added p. 70
Candidate signature Date
Removed p. 5
• The Secure SLC Standard provides a baseline of requirements with corresponding assessment procedures and guidance to help payment software vendors design, develop, and maintain secure payment software throughout the software lifecycle. Secure Software Core Requirements apply to all types of payment software submitted for validation under the PCI Software Security Framework, regardless of the software’s functionality or underlying technology

• Account Data Protection applies to payment applications that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
Modified p. 5 → 6
The SSF is a collection of software security standards and associated validation and listing programs developed, maintained and operated by PCI SSC, for the secure design, development and maintenance of payment software. The SSF comprises the following software security standards (each a “SSF Standard”), each of which is available through the
The SSF is a collection of software security standards and associated validation and listing programs developed, maintained, and operated by PCI SSC for the secure design, development, and maintenance of software in payment environments. The SSF is comprised of the following software security standards (each a “SSF Standard”), both of which are available through the Website:
Modified p. 5 → 6
PCI Secure Software Standard Companies and their employees may choose to qualify to perform assessments using the
PCI Secure Software Standard Companies and their employees may choose to qualify to perform assessments using the PCI Secure SLC Standard, the PCI Secure Software Standard, or both.
Modified p. 5 → 6
Note: PCI SSC will publish additional modules for the Secure Software Standard (Module A and each such additional module, a “Module”), and will update the SSF Qualification Requirements to address such additional Modules or other matters, at any time and from time to time.
Note: PCI SSC may publish additional Modules, Module updates, and updates the SSF Qualification Requirements to address such Modules or other matters at any time and from time to time.
Modified p. 5 → 9
PCI Secure SLC Standard, the PCI Secure Software Standard, or both.
PCI Secure Software Standard
Removed p. 6
Revocation See SSF Agreement.
Modified p. 6 → 9
Term Definition Assessor-Employee A Secure SLC Assessor and/or Secure Software Assessor.
Table 1: Glossary of Terms Term Definition Assessor-Employee A Secure SLC Assessor and/or Secure Software Assessor.
Modified p. 6 → 9
Remediation See Section 6.1.
Revocation See SSF Agreement, Section A.9.5a.
Modified p. 6 → 10
SSF Assessment A Secure SLC Assessment or Secure Software Assessment SSF Assessor Company An independent security organization qualified by PCI SSC to validate the compliance of an entity or its payment software against one or more applicable SSF Standards.
SSF Assessor Company An independent security organization qualified by PCI SSC to validate the compliance of an entity or its payment software against one or more applicable SSF Standards.
Removed p. 7
• Meeting or exceeding all applicable SSF Requirements.

• Executing the SSF Agreement with PCI SSC.

• Qualifying and maintaining at least one employee as an Assessor-Employee.

• Ensuring that its Assessor-Employees satisfy and continue to meet or exceed all applicable SSF Requirements, including those outlined within this document.
Removed p. 8
1. Qualification of the security company itself, and

To initiate the qualification process, the security company must submit to PCI SSC its:

• Unmodified, completed, and executed SSF Agreement, and

• Completed and executed SSF Assessor Company Application (Appendix C).

Additionally, an application must be completed for each company employee seeking qualification as an Assessor-Employee. Separate applications are required for SSF Assessor Companies (Appendix C), Secure SLC Assessors (Appendix D) and Secure Software Assessors (Appendix E). All applications must be submitted to PCI SSC.
Removed p. 8
Section 1: Introduction offers a high-level overview of the application process.

Section 2: SSF Assessor Company Business Requirements covers minimum business requirements that must be demonstrated to PCI SSC by the security company. This

section outlines information and items that must be provided to prove business stability, independence, and insurance coverage.

Section 3: SSF Assessor Company Capability Requirements reviews the information and documentation necessary to demonstrate the security company’s service expertise.

Section 4: SSF Assessor Company Administrative Requirements describes standards for operating as a SSF Assessor Company, including background checks, adherence to

PCI SSC procedures, quality assurance, and evidence retention.

Section 5: SSF Assessor Company List and Re-Qualification outlines the annual re-qualification process for the SSF Assessor Company.

Section 6: Assessor Quality Management Program describes PCI SSC’s assessor quality management process, including remediation and revocation.

• SSF Agreement (Appendix A)
Removed p. 9
• Insurance Requirements (Appendix B)

• SSF Assessor Company Application (Appendix C)

• Secure SLC Assessor Application (Appendix D)

• Secure Software Assessor Application (Appendix E)

• Amending SSF Assessor Company Status (Appendix F)

1.4 Related Publications This document should be reviewed in conjunction with other relevant PCI SSC publications, including but not limited to the current publicly available versions of the following, each available on the Website:

• PCI Secure Software Life Cycle (Secure SLC) Standard

• PCI Secure Software Standard

• PCI Secure Software Life Cycle (Secure SLC) Standard Program Guide

• PCI Secure Software Standard Program Guide

• PCI SSC Code of Professional Responsibility

1.5 Company Application Process This document describes the information that must be provided to PCI SSC as part of the SSF Assessor Company application and qualification process, as well as ongoing re-qualification requirements. Each outlined requirement is followed by the information (“Provision”) that must be submitted to document how the security company …
Removed p. 10
Note: PCI SSC reserves the right to reject any application from any applicant that PCI SSC determines has committed, within three (3) years prior to the application date, any conduct that would have been considered a “Violation” (for purposes of Section 6.3 below or the SSF Agreement) if committed by an SSF Assessor Company or Assessor-Employee. The period of ineligibility will be a minimum of one (1) year, as determined by PCI SSC in a reasonable and non-discriminatory manner.
Removed p. 11
• Unless expressly prohibited by applicable law, written statements describing all past or present allegations or convictions of any fraudulent or criminal activity involving the SSF Assessor Company, SSF Assessor Company candidate or any principal thereof, and any Assessor-Employee thereof, and the status and resolution.
Modified p. 11
Copy of current, valid SSF Assessor Company (or candidate SSF Assessor Company) formation document or equivalent approved by PCI SSC (the “Business License”), including year of incorporation, and location(s) of offices (Refer to the Documents Library on the Website
Copy of current, valid SSF Assessor Company (or candidate SSF Assessor Company) formation document or equivalent approved by PCI SSC (the “Business License”), including year of incorporation, and location(s) of offices (Refer to the Documents Library on the Website • Business License Requirements for more information) Unless expressly prohibited by applicable law, written statements describing all past or present allegations or convictions of any fraudulent or criminal activity involving the SSF Assessor Company, SSF Assessor Company candidate or any principal …
Modified p. 11
Written statements describing any past or present appeals or revocations of any qualification issued by PCI SSC to the SSF Assessor Company (or any predecessor entity or, unless expressly prohibited by applicable law, any employee of any of the foregoing), and the current status and any resolution thereof.
Written statements describing any past or present appeals or revocations of any qualification issued by PCI SSC to the SSF Assessor Company (or any predecessor entity or, unless expressly prohibited by applicable law, any employee of any of the foregoing), and the current status and any resolution thereof.
Modified p. 12 → 11
PCI SSC upon request. The SSF Assessor Company’s code-of-conduct policy must, and never contradict, the PCI SSC Code of Professional Responsibility.
The SSF Assessor Company must have a code-of-conduct policy and provide the policy to PCI SSC upon request. The SSF Assessor Company’s code-of-conduct policy must support, and never contradict, the PCI SSC Code of Professional Responsibility.
Modified p. 12 → 11
The SSF Assessor Company must not undertake to perform any SSF Assessment of any entity that it controls, is controlled by, is under common control with, or in which it holds any investment.
The SSF Assessor Company must not undertake to perform any SSF Assessment of any entity
Modified p. 12
The SSF Assessor Company must not (and will not) have offered or been offered, have provided or been provided, or have accepted any gift, gratuity, service, or other inducement to or from any employee of PCI SSC or any Vendor in connection with entering into the SSF Agreement or any agreement with a Vendor, or performing SSF Assessor Company-related services.
The SSF Assessor Company must not (and will not) have offered or been offered, have provided or been provided, or have accepted any gift, gratuity, service, or other inducement to or from any employee of PCI SSC or any Vendor in connection with entering into the SSF Agreement or any agreement with a Vendor, or performing SSF Assessor Company-related services.
Modified p. 12
The SSF Assessor Company must fully disclose in its Assessment Reports, if it assesses any Vendor that uses any security-related device, application, product, solution or software testing tool that is developed, manufactured, sold, resold, licensed, or otherwise made available to the applicable Vendor, directly or indirectly, by the SSF Assessor Company, or to which the SSF Assessor Company owns the rights, or that the SSF Assessor Company has configured or manages, including but not limited to the following:
The SSF Assessor Company must fully disclose in its Assessment Reports, if it assesses any Vendor that uses any security-related device, application, product, solution or software testing tool that is developed, manufactured, sold, resold, licensed, or otherwise made available to the applicable Vendor, directly or indirectly, by the SSF Assessor Company, or to which the SSF Assessor Company owns the rights, or that the SSF Assessor Company has configured or manages, including but not limited to the following:
Modified p. 12
• When recommending remediation actions that include one of its own solutions or products, the SSF Assessor Company must also recommend other market options that exist.
Source code versioning and management solutions

When recommending remediation actions that include one of its own solutions or products, the SSF Assessor Company must also recommend other market options that exist.
Modified p. 13 → 12
The SSF Assessor Company must ensure that its Assessor-Employees conducting or assisting with SSF Assessments are not subject to any conflict of interest, including by imposing and enforcing appropriate requirements regarding independence and separation of duties to limit sources of influence that might compromise independent judgment in performing SSF Assessments.
The SSF Assessor Company must ensure that its Assessor-Employees conducting or assisting with SSF Assessments are not subject to any conflict of interest, including by imposing and enforcing appropriate requirements regarding independence and separation of duties to limit sources of influence that might compromise independent judgment in performing SSF Assessments.
Modified p. 13 → 12
The SSF Assessor Company will not use its status as an SSF Assessor Company to market services unnecessary to bring their clients into compliance with any SSF Standard.
The SSF Assessor Company will not use its status as an SSF Assessor Company to market services unnecessary to bring their clients into compliance with any SSF Standard.
Modified p. 13 → 12
The SSF Assessor Company must not misrepresent any requirement of any SSF Standard, including but not limited to, in connection with its promotion or sales of services to its clients, or state or imply that any SSF Standard requires use of the SSF Assessor Company's products or services.
The SSF Assessor Company must not misrepresent any requirement of any SSF Standard, including but not limited to, in connection with its promotion or sales of
Modified p. 13
The SSF Assessor Company must notify its Assessor-Employees of the independence requirements provided for in this document, as well as SSF Assessor Company’s independence policy implementing such requirements, at least annually, and ensure compliance therewith.
The SSF Assessor Company must notify its Assessor-Employees of the independence requirements provided for in this document, as well as SSF Assessor Company’s independence policy implementing such requirements, at least annually, and ensure compliance therewith.
Modified p. 13
The SSF Assessor Company must adhere to all requirements for insurance coverage required by PCI SSC, including without limitation the requirements in Appendix B, “Insurance Coverage,” which includes details of required insurance coverage.
The SSF Assessor Company must adhere to all requirements for insurance coverage required by PCI SSC, including without limitation the requirements in Appendix B, Insurance Coverage which includes details of required insurance coverage.
Removed p. 14
• Annual re-qualification fees for subsequent years
Modified p. 14 → 13
Annual training fee(s) for each Assessor-Employee (or candidate)

• Qualification fees

• Annual re-qualification fees for subsequent years

• Annual training fee(s) for each Assessor-Employee (or candidate)
Modified p. 15
The SSF Assessor Company must have a dedicated software security practice that includes staff with specific job functions that support the software security practice.
The SSF Assessor Company must have a dedicated software security practice that includes staff with specific job functions that support the software security practice.
Modified p. 15
The SSF Assessor Company must have demonstrated competence in cryptographic techniques, to include cryptographic algorithms, key management and rotation processes, and secure key storage.
The SSF Assessor Company must have demonstrated competence in cryptographic techniques, to include cryptographic algorithms, key management and rotation processes, and secure key storage.
Modified p. 15
The SSF Assessor Company must have demonstrated competence in using application penetration-testing methodologies, to include use of forensic tools/methods, ability to exploit common software vulnerabilities, and ability to execute arbitrary code to test processes.
The SSF Assessor Company must have demonstrated competence in using application penetration-testing methodologies, to include use of forensic tools/methods, ability to exploit common software vulnerabilities, and ability to execute arbitrary code to test processes.
Modified p. 15
Description of the applicant SSF Assessor Company’s software security knowledge and assessment experience including code review and a description of the methodology used to perform such reviews, preferably related to payment systems, equal to at least one year or three separate assessments.
Description of the applicant SSF Assessor Company’s software security knowledge and assessment experience, including code review and a description of the methodology used to perform such reviews, preferably related to payment systems, equal to at least one year or three separate assessments.
Modified p. 15
Evidence of a dedicated software security practice, such as:
Evidence of a dedicated software security practice, such as:
Modified p. 15
• The total number of employees on staff and the number of those performing software security assessments
• The total number of employees on staff and the number of those performing software security assessments.
Removed p. 16
• Description of the applicant SSF Assessor Company’s experience using application-penetration testing methodologies, to include use of forensic tools/methods, ability to exploit common software vulnerabilities, and ability to execute arbitrary code to test processes.

PCI SSC as a Secure SLC Assessor or a Secure Software Assessor. While in good standing or in Remediation, for SSF purposes, an Assessor-Employee is only authorized to conduct SSF Assessments against the specific SSF Standard(s) and Module(s) for which that Assessor-Employee has been qualified by PCI SSC, and no others. For example, an Assessor-Employee only qualified by PCI SSC as a Secure SLC Assessor is authorized to conduct SSF Assessments only against the Secure SLC Standard; and an Assessor-Employee only qualified by PCI SSC as a Secure Software Assessor is only authorized to conduct SSF Assessments against the Secure Software Standard and the specific Module for which that Assessor-Employee has been qualified. An Assessor-Employee …
Modified p. 16
Two client references from software security related engagements performed by the applicant SSF Assessor Company within the last 12 months.
Two client references from software security related engagements performed by the applicant SSF Assessor Company within the last 12 months.
Modified p. 16
Adhere to the PCI SSC Code of Professional Responsibility.
Adhere to the PCI SSC Code of Professional Responsibility.
Modified p. 16
Be an employee of the SSF Assessor Company (meaning this work cannot be subcontracted to non-employees).
Be an employee of the SSF Assessor Company (meaning this work cannot be subcontracted to non-employees).
Modified p. 16
Performing Secure SLC Assessments.
Performing Secure SLC Assessments.
Modified p. 16
Verifying the work product addresses all Secure SLC Assessment procedure steps and supports the validation status of the Vendor.
Verifying the work product addresses all Secure SLC Assessment procedure steps and supports the validation status of the Vendor.
Modified p. 16
Strictly following the Secure SLC Standard and PCI Secure SLC Standard Program Guide.
Strictly following the Secure SLC Standard and PCI Secure SLC Program Guide.
Modified p. 17 → 16
Producing the final Assessment Report.
Producing the final Assessment Report.
Modified p. 17 → 16
Possess substantial information security knowledge and experience to conduct technically complex security assessments.
Possess substantial information security knowledge and experience to conduct technically complex security assessments.
Modified p. 17
• Possess a minimum of three (3) years of experience in each of the following information security disciplines (experience may be acquired concurrently, for example, if the role involved experience in multiple disciplines at the same time):
Software/Systems Testing Possess a minimum of three (3) years of experience in each of the following information security disciplines (experience may be acquired concurrently, for example, if the role involved experience in multiple disciplines at the same time):
Modified p. 17
• Threat & vulnerability detection and management
• Threat and vulnerability detection and management
Modified p. 17
• Possess at least one of the following accredited, industry-recognized professional certifications from each of List A and List B.
Cryptography and Key Management Possess at least one of the following accredited, industry-recognized professional certifications from each of List A and List B in Table 2.
Removed p. 18
• Possess knowledge about the Secure SLC Standard and all applicable documents on the Website.
Modified p. 18
(ISC)2 Certified Information Security Manager (CISM)
ISACA Certified Information Security Manager (CISM)
Modified p. 18
• (ISC)2 Certified Software Security Life Cycle Professional (CSSLP)
• (ISC)2 Certified Software Security Lifecycle Professional (CSSLP)
Modified p. 18
• IIA Certified Internal Auditor (CIA)
• IIA Certified Internal Auditor (CIA) Possess knowledge about the Secure SLC Standard and all applicable documents on the Website.
Modified p. 18
Legitimately and successfully complete and pass all required annual Secure SLC Assessor training and exams provided as part of the SSF, of his or her own accord without any unauthorized assistance. Failure to pass any such exam, automatically disqualifies the individual as a Secure SLC Assessor and, accordingly, the employee must not perform or manage any Secure SLC Assessment until successfully passing the exam and reinstating his or her qualification.
Legitimately and successfully complete and pass all required annual Secure SLC Assessor training and exams provided as part of the SSF, of his or her own accord without any unauthorized assistance. Failure to pass any such exam automatically disqualifies the individual as a Secure SLC Assessor and, accordingly, the employee must not perform or manage any Secure SLC Assessment until successfully passing the exam and reinstating his or her qualification.
Removed p. 19
• Résumé or Curriculum Vitae (CV), and;

• Certificates or other evidence of completion of industry-recognized professional certification.

• Performing Secure Software Assessments.

• Verifying the work product addresses all Secure Software Assessment procedure steps and supports the validation status of the payment software.

• Strictly following the Secure Software Standard and PCI Secure Software Assessor Program Guide.

• Producing the final Assessment Report Each Secure Software Assessor performing or managing a Secure Software Assessment must satisfy the following requirements:

• Possess substantial information security knowledge and experience to conduct technically complex security assessments.
Modified p. 19
A record of working experience and responsibilities outlined in Section 3.2.1 above, by completing and submitting Appendix D,
A record of working experience and responsibilities outlined in Section 3.2.1 by completing and submitting Appendix D, Résumé or Curriculum Vitae (CV), and Certificates or other evidence of completion of industry-recognized professional certification.
Modified p. 19
Possess a minimum of three (3) years of experience in each of the following software development disciplines (experience may be acquired concurrently, for example, if the role involved experience in multiple disciplines at the same time):
Possess substantial information security knowledge and experience to conduct technically complex security assessments Possess a minimum of three (3) years of experience in each of the following software development disciplines (experience may be acquired concurrently, for example, if the role involved experience in multiple disciplines at the same time):
Removed p. 20
• (ISC)2 Certified Information Security Manager (CISM)
Modified p. 20 → 19
• Possess a minimum of three (3) years of experience in each of the following software security disciplines (experience may be acquired concurrently, for example, if the role involved experience in multiple disciplines at the same time):
Software/Systems Testing Possess a minimum of three (3) years of experience in each of the following software security disciplines (experience may be acquired concurrently, for example, if the role involved experience in multiple disciplines at the same time):
Modified p. 20
• (ISC)2 Certified Software Security Life Cycle Professional (CSSLP)
• (ISC)2 Certified Software Security Lifecycle Professional (CSSLP)
Modified p. 20
Possess at least one of the following accredited, industry-recognized professional certifications from List A or List B
Possess at least one of the following accredited, industry-recognized professional certifications from List C in Table 3.
Modified p. 20
Process at least one of the following accredited, industry-recognized professional certifications from List C.
Incident detection and response Possess at least one of the following accredited, industry-recognized professional certifications from List A or List B in Table 3.
Modified p. 20
(ISC)2 Certified Information System Security Professional (CISSP)
ISACA Certified Information Security Manager (CISM)
Removed p. 21
• Résumé or Curriculum Vitae (CV), and;

• Certificates or other evidence of completion of industry-recognized professional certification.

• Legitimately and successfully complete and pass all required annual Secure Software Assessor training and exams provided as part of the SSF, of his or her own accord without any unauthorized assistance. Failure to pass any such exam, automatically disqualifies the individual as a Secure Software Assessor and, accordingly, the employee must not perform or manage any Secure Software Assessment until successfully passing the exam and reinstating his or her qualification.
Modified p. 21 → 20
Possess knowledge about the Secure Software Standard and all applicable documents on the PCI SSC Website.
Possess knowledge about the Secure Software Standard and all applicable documents on the PCI SSC Website.
Modified p. 21
A record of working experience and responsibilities outlined in Section 3.2.3 above, by completing and submitting Appendix E,
A record of working experience and responsibilities outlined in Section 3.2.3 by completing and submitting Appendix E, Résumé or Curriculum Vitae (CV), and Certificates or other evidence of completion of industry-recognized professional certification.
Modified p. 21
PCI SSC has adopted a Code of Professional Responsibility (the “Code”) to help ensure that SSF Assessor Companies and Assessor-Employees adhere to high standards of ethical and professional conduct. All SSF Assessor Companies and Assessor-Employees must advocate, adhere to, and support the Code (available on the Website).
PCI SSC has adopted a Code of Professional Responsibility to help ensure that SSF Assessor Companies and Assessor-Employees adhere to high standards of ethical and professional conduct. All SSF Assessor Companies and Assessor-Employees must advocate, adhere to, and support the Code of Professional Responsibility (available on the Website).
Modified p. 22
E-mail address 4.2 Background Checks Requirement Each SSF Assessor Company must perform background checks that satisfy the provisions described below (to the extent legally permitted within the applicable jurisdiction) with respect to each applicant Assessor-Employee.
Phone number Fax number E-mail address 4.2 Background Checks 4.2.1 Requirement Each SSF Assessor Company must perform background checks that satisfy the provisions described below (to the extent legally permitted within the applicable jurisdiction) with respect to each applicant Assessor-Employee.
Modified p. 22
Minor offenses (for example, misdemeanors or non-US equivalents) are allowed; but major (for example, felonies or non-US equivalents within the prior 5-year period) automatically disqualify a candidate from qualifying as an Assessor-Employee. Upon request, each SSF Assessor Company must provide to PCI SSC the background check history for each Assessor-Employee (or candidate Assessor-Employee), to the extent legally permitted within the applicable jurisdiction.
automatically disqualify a candidate from qualifying as an Assessor-Employee. Upon request, each SSF Assessor Company must provide to PCI SSC the background check history for each Assessor-Employee (or candidate Assessor-Employee), to the extent legally permitted within the applicable jurisdiction.
Modified p. 23 → 22
Attestation that its policies and hiring procedures include performing background checks: Examples of background checks include previous employment history, criminal record, credit history, and reference checks
Attestation that its policies and hiring procedures include performing background checks: Examples of background checks include previous employment history, criminal record, credit history, and reference checks
Modified p. 23
• Annual background checks consistent with this section for each of its Assessor-Employees for any change in criminal records, arrests or convictions 4.3 Internal Quality Assurance Requirement The SSF Assessor Company must adhere to all quality assurance requirements described in this document or otherwise established by PCI SSC from time to time.
• Annual background checks consistent with this section for each of its Assessor-Employees for any change in criminal records, arrests or convictions 4.3 Internal Quality Assurance 4.3.1 Requirement The SSF Assessor Company must adhere to all quality assurance requirements described in this document or otherwise established by PCI SSC from time to time.
Modified p. 23
List of PCI SSC Programs in which the SSF Assessor Company participates
Company name List of PCI SSC Programs in which the SSF Assessor Company participates A resource planning policy and process for SSF Assessments which includes:
Removed p. 24
• Descriptions of all job functions and responsibilities within the SSF Assessor Company relating to its status and obligations as an SSF Assessor Company

• Identification of QA manual process owner

• Approval and sign-off processes for SSF Assessments and respective Assessment Reports

• Requirements for independent quality review of SSF Assessor Company and Assessor-Employee work product

• Requirements for handling and retention of workpapers and other Assessment Results and Related Materials (defined in the SSF Agreement; see also Section 4.5 for specific Workpaper Retention Policy requirements and specifications)

• Distribution and availability of the QA manual

• Evidence of annual review by the QA manual process owner

• Coverage of all activities relevant to the SSF, including references to applicable SSF Qualification Requirements and to other applicable SSF documentation

• Requirement for all Assessor-Employees to regularly monitor the Website for updates, guidance and new publications relating to the SSF.
Modified p. 25
Requirements that systems that store, process or transmit information of multiple classifications is classified according to the highest classification of information handled.
Requirements that systems that store, process or transmit information of multiple classifications is classified according to the highest classification of information handled.
Modified p. 25
Physical, electronic, and procedural safeguards for protecting the acquisition and handling of confidential and personal information, including:
Physical, electronic, and procedural safeguards for protecting the acquisition and handling of confidential and personal information, including:
Modified p. 26 → 25
Physical, electronic, and procedural safeguards for protecting the storage of and access to confidential and personal information, including:
Physical, electronic, and procedural safeguards for protecting the storage of and access to confidential and personal information, including:
Modified p. 26
Physical, electronic, and procedural safeguards for protecting the transmission of confidential or personal information between authorized parties, systems or custodians, including:
Physical, electronic, and procedural safeguards for protecting the transmission of confidential or personal information between authorized parties, systems or custodians, including:
Modified p. 27 → 26
Requirements for establishing legal agreements with authorized third-parties with access to confidential or personal information that include provisions mandating adherence to these requirements.
Requirements for establishing legal agreements with authorized third-parties with access to confidential or personal information that include provisions mandating adherence to these requirements.
Modified p. 27 → 26
A blank copy of the SSF Assessor Company’s confidentiality agreement(s) that each Assessor-Employee is required to sign.
A blank copy of the SSF Assessor Company’s confidentiality agreement(s) that each Assessor-Employee is required to sign.
Modified p. 27
A blank copy of the SSF Assessor Company’s Workpaper Retention Policy agreement that each Assessor-Employee is required to sign, included as part of the policy, which includes agreement to conform at all times with the Workpaper Retention Policy and all applicable SSF Requirements.
A blank copy of the SSF Assessor Company’s Workpaper Retention Policy agreement that each Assessor-Employee is required to sign, included as part of the policy, which includes agreement to conform at all times with the Workpaper Retention Policy and all applicable SSF Requirements.
Modified p. 27
A requirement that all Assessment Results and Related Materials must be classified as confidential and handled accordingly, with detailed instructions describing how Assessor-Employees are to comply with this requirement. If the classification and handling of confidential and personal information is addressed in other confidential and sensitive data protection handling policies of the SSF Assessor Company, this should be clearly noted within the Workpaper Retention Policy.
A requirement that all Assessment Results and Related Materials must be classified as confidential and handled accordingly, with detailed instructions describing how Assessor-Employees are to comply with this requirement. If the classification and handling of confidential and personal information is addressed in other confidential and sensitive data protection handling policies of the SSF Assessor Company, this should be clearly noted within the Workpaper Retention Policy.
Modified p. 28 → 27
Requirements ensuring that the SSF Assessor Company has confirmed that all Assessment Results and Related Materials relating to a given SSF Assessment has in fact been retained in accordance with the procedures defined in the Workpaper Retention Policy, prior to releasing the final Assessment Report for that SSF Assessment.
Requirements ensuring that the SSF Assessor Company has confirmed that all Assessment Results and Related Materials relating to a given SSF Assessment has in fact been retained in accordance with the procedures defined in the Workpaper Retention Policy, prior to releasing the final Assessment Report for that SSF Assessment.
Modified p. 28 → 27
All Assessment Results and Related Materials must be made available to PCI SSC upon request for a minimum of three (3) years after completion of the applicable SSF Assessment.
All Assessment Results and Related Materials must be made available to PCI SSC upon request for a minimum of three (3) years after completion of the applicable SSF Assessment.
Modified p. 28 → 27
The SSF Assessor Company must provide a copy of the Workpaper Retention Policy and related procedures to PCI SSC upon request, including copies of any other policies and procedures referenced within any of the foregoing documents, such as general confidential and sensitive Provisions The applicant SSF Assessor Company must provide a completed version of Appendix C to PCI SSC.
The SSF Assessor Company must provide a copy of the Workpaper Retention Policy and related procedures to PCI SSC upon request, including copies of any other policies and procedures referenced within any of the foregoing documents, such as general confidential and sensitive 4.5.2 Provisions The applicant SSF Assessor Company must provide a completed version of Appendix C to PCI SSC.
Modified p. 29 → 28
After becoming aware of an Incident, the SSF Assessor Company and its Assessor-Employees shall not take any action that is reasonably likely to diminish the integrity of, or otherwise interfere with or negatively affect the ability of a PCI Forensic Investigator (PFI) to perform any PFI Investigation (see the PCI Forensic Investigator (PFI) Program Guide on the Website for additional details).
After becoming aware of an Incident, the SSF Assessor Company and its Assessor-Employees shall not take any action that is reasonably likely to diminish the integrity of, or otherwise interfere with or negatively affect the ability of a PCI Forensic Investigator (PFI) to perform any PFI Investigation (see the PCI Forensic Investigator (PFI) Program Guide on the Website for additional details).
Modified p. 29 → 28
Failure to provide such written notification to the Vendor or otherwise comply with any of the above (or any other) SSF Requirements constitutes a “Violation” (see Section 6.3 below) and may result in Remediation, Revocation of PCI SSC qualifications, and/or termination of the SSF Agreement.
Failure to provide such written notification to the Vendor or otherwise comply with any of the above (or any other) SSF Requirements constitutes a “Violation” (see Section 6.3) and may result in Remediation, Revocation of PCI SSC qualifications, and/or termination of the SSF Agreement.
Modified p. 29 → 28
Instructions and procedures for notifying Vendors of Incidents discovered during or in connection with the performance of an SSF Assessment or other SSF-related services and documenting those Incidents and related information in accordance with Section 4.6.1.
Instructions and procedures for notifying Vendors of Incidents discovered during or in connection with the performance of an SSF Assessment or other SSF-related services and documenting those Incidents and related information in accordance with Section 4.6.1.
Modified p. 29 → 28
Retention requirements for all Incident-related documentation, notices, and reports, with the same protections as those noted for work-paper retention in the SSF Assessor Company’s evidence-retention policy and procedures.
Retention requirements for all Incident-related documentation, notices, and reports, with the same protections as those noted for work-paper retention in the SSF Assessor Company’s evidence-retention policy and procedures.
Modified p. 30 → 29
PCI SSC has added a corresponding listing on the applicable list on the Website.
PCI SSC has added a corresponding listing on the applicable list on the Website.
Modified p. 30 → 29
A statement that the SSF Assessor Company will not recognize validation status in connection with either the Secure Software Standard or the Secure SLC Standard until PCI SSC has (a) notified the SSF Assessor Company and the applicable Vendor via a notification of acceptance and (b) added a corresponding listing on the applicable list on the Website.
A statement that the SSF Assessor Company will not recognize validation status in connection with either the Secure Software Standard or the Secure SLC Standard until PCI SSC has (a) notified the SSF Assessor Company and the applicable Vendor via a notification of acceptance and (b) added a corresponding listing on the applicable list on the Website.
Modified p. 31 → 30
Once an individual has met all applicable SSF Qualification Requirements to be qualified as an Assessor-Employee, PCI SSC will add the Assessor-Employee to the applicable search tool on the Website.
After an individual meets all applicable SSF Qualification Requirements to be qualified as an Assessor-Employee, PCI SSC will add the Assessor-Employee to the applicable search tool on the Website.
Modified p. 31 → 30
If, at any time, an SSF Assessor Company and/or Assessor-Employee does not meet the applicable SSF Requirements (including without limitation, payment or documentation requirements), PCI SSC reserves the right to remove the SSF Assessor Company and/or Assessor-Employee immediately from the respective list(s) or tool(s) on the Website, regardless of Remediation or Revocation. PCI SSC will notify the SSF Assessor Company of each such removal in accordance with the SSF Agreement, typically via registered or overnight mail and/or e-mail. Refer to …
If, at any time, an SSF Assessor Company and/or Assessor-Employee does not meet the applicable SSF Requirements (including without limitation, payment or documentation requirements), PCI SSC reserves the right to remove the SSF Assessor Company and/or Assessor-Employee immediately from the respective list(s) or tool(s) on the Website, regardless of Remediation or Revocation. PCI SSC will notify the SSF Assessor Company of each such removal in accordance with the SSF Agreement, typically via registered or overnight mail and/or e-mail. Refer to …
Modified p. 31 → 30
Note: The SSF Assessor Company List on the Website indicates the type of SSF Assessment the company is qualified to perform.
Note: The SSF Assessor Company List on the Website indicates the type of SSF Assessment(s) the company is qualified to perform.
Removed p. 32
• Maintaining professional certification(s) as required per Section 3.2 “Assessor-Employee
Modified p. 32 → 30
All Assessor-Employees must be re-qualified by PCI SSC on an annual basis. The annual re-qualification date is based upon the Assessor-Employee’s previous qualification or re-qualification date. Re-qualification requires proof of training successfully completed, payment of annual training and re-qualification fees, and continued compliance with all applicable SSF Requirements.
All Assessor-Employees must be re-qualified by PCI SSC on an annual basis. The annual re-qualification date is based upon the Assessor-Employee’s previous qualification or re-qualification date. Re-qualification requires proof of training successfully completed, payment of annual training and re-qualification fees, and continued compliance with all applicable SSF Requirements.
Modified p. 32 → 31
Payment of annual re-qualification fee in accordance with the Website
Payment of annual re-qualification fees in accordance with the Website - PCI SSC Programs Fee Schedule.
Modified p. 32 → 31
• Skills and Experience”. PCI SSC reserves the right to request proof of current professional certifications at any time.
Assessor-Employees Maintaining professional certification(s) as required per Section 3.2, Assessor-Employee - Skills and Experience. PCI SSC reserves the right to request proof of current professional certifications at any time.
Modified p. 32 → 31
Payment of annual re-qualification fees in accordance with the Website
SSF Assessor Companies Payment of annual re-qualification fee in accordance with the Website - PCI SSC Programs Fee Schedule.
Modified p. 32 → 31
Note: PCI SSC may from time to time request that SSF Assessor Companies and/or Assessor-Employees submit additional information or materials in order to demonstrate adherence to applicable requirements or as part of the applicable qualification or re-qualification process.
Note: From time to time, PCI SSC may request that SSF Assessor Companies and/or Assessor-Employees submit additional information or materials in order to demonstrate adherence to applicable requirements or as part of the applicable qualification or re-qualification process.
Removed p. 34
Among other things, any qualification under the SSF may be revoked if PCI SSC determines that either the SSF Assessor Company or any of its Assessor-Employees has breached any provision of the SSF Agreement or otherwise failed to satisfy any applicable SSF Requirement (each also a Violation), including but not limited to:

• Failure to meet applicable SSF quality standards or comply with applicable SSF Requirements

• Failure to pay applicable SSF fees

• Failure to meet applicable SSF training requirements (annual or otherwise)

• Failure to meet applicable SSF continuing education requirements

• Failure to provide quality services, based on customer feedback or evaluation by PCI SSC or its affiliates

• Failure to maintain applicable SSF insurance requirements

• Failure to comply with or validate compliance in accordance with applicable SSF Requirements, the applicable SSF Standard, the PCI Secure SLC Standard Program Guide or PCI Secure Software Standard Program Guide (as applicable), or the terms of …
Removed p. 35
• Failure to comply with any provision or obligation regarding non-disclosure or use of confidential information or materials

• Cheating on any exam in connection with PCI SSC Program training; submitting exam work in connection with any PCI SSC Program training that is not the work of the individual candidate taking the exam; theft of or unauthorized access to any PCI SSC Program exam content; use of an alternate, stand-in or proxy during any PCI SSC Program exam; use of any prohibited or unauthorized materials, notes or computer programs during any such exam; or providing or communicating in any way any unauthorized information to another person, device or other resource during any PCI SSC Program exam

• Providing false or intentionally incomplete or misleading information to the Council in any application or other materials

• Failure to be in Good Standing (as defined in the SSF Agreement) as an SSF Assessor Company, including …
Modified p. 36 → 35
The SSF Assessor Company and/or Assessor-Employee (as applicable) name will be removed from the relevant SSF Assessor Company List and/or search tool (as applicable).
The SSF Assessor Company and/or Assessor-Employee (as applicable) name will be removed from the relevant SSF Assessor Company List and/or search tool (as applicable).
Modified p. 36 → 35
PCI SSC may notify third parties.
PCI SSC may notify third parties.
Modified p. 36 → 35
The revoked company and/or individual (as applicable) can reapply for qualification after 180 days; provided however, that (i) if revoked in connection with Remediation, an election not to participate in Remediation when offered, or due to failure to satisfy applicable quality assurance standards set by PCI SSC, such company and/or individual shall be ineligible to re-apply as an SSF Assessor for a period of two (2) years; and (ii) acceptance of qualification applications after Revocation is determined at the …
The revoked company and/or individual (as applicable) can reapply for qualification after 180 days; provided however, that (i) if revoked in connection with Remediation, an election not to participate in Remediation when offered, or due to failure to satisfy applicable quality assurance standards set by PCI SSC, such company and/or individual shall be ineligible to re-apply as an SSF Assessor for a period of two (2) years, and (ii) acceptance of qualification applications after Revocation is determined at the Council’s …
Modified p. 38 → 37
Applicant’s Officer Signature Date Job Title:
Applicant’s Officer Signature Date Job Title:
Removed p. 39
PCI SSC in accordance with its governing documents (status as a PCI SSC “Participating Organization” does not establish that an entity is a “Member”); (v) “Participating Payment Brand” means a payment card brand that is then a Member and owner of PCI SSC (or an affiliate of such a payment card brand); (vi) “Qualification” means a qualification granted by

PCI SSC as part of the SSF, authorizing the recipient SSF Assessor Company to perform security assessments of subject payment applications or Vendors (as applicable), for purposes of validating compliance against the specific SSF Standard and/or Module for which such Qualification was granted; and (vii) unless otherwise indicated, all other capitalized terms used in this Agreement without definition shall have the meanings ascribed to them in the SSF Qualification Requirements. The SSF Qualification Requirements are hereby incorporated into this Agreement, and SSF Assessor acknowledges and agrees that it has reviewed the current …
Modified p. 41 → 39
A.3.4 SSF Requirements SSF Assessor agrees to comply with all SSF Requirements, including without limitation, SSF Assessor’s responsibilities and obligations pursuant to this Agreement, all SSF quality assurance and Remediation requirements, and all requirements applicable to SSF Assessor pursuant to the SSF Qualification Requirements. Without limiting the foregoing, SSF Assessor agrees to comply with all requirements of, make all provisions provided for in, and ensure that its Assessor-Employees comply with all applicable SSF Qualification Requirements, agrees to comply with all …
A.3.4 SSF Requirements SSF Assessor agrees to comply with all SSF Requirements, including without limitation, SSF Assessor’s responsibilities and obligations pursuant to this Agreement, all SSF quality assurance and Remediation requirements, and all requirements applicable to SSF Assessor pursuant to the SSF Qualification Requirements. Without limiting the foregoing, SSF Assessor agrees to comply with all requirements of, make all provisions provided for in, and ensure that its Assessor-Employees comply with all applicable SSF Qualification Requirements, agrees to comply with all …
Modified p. 42 → 40
SSF Assessor acknowledges that PCI SSC may review and modify its Fees at any time and from time to time. Whenever a change in Fees occurs, PCI SSC shall notify SSF Assessor in accordance with the terms of Section A.10.1. Such change(s) will be effective immediately after the date of such notification. However, should SSF Assessor not agree with such change(s), SSF Assessor shall have the right to terminate this Agreement upon written notice to PCI SSC in accordance with …
SSF Assessor acknowledges that PCI SSC may review and modify its Fees at any time and from time to time. Whenever a change in Fees occurs, PCI SSC shall notify SSF Assessor in accordance with the terms of Section A.10.1. Such change(s) will be effective immediately after the date of such notification. However, should SSF Assessor not agree with such change(s), SSF Assessor shall have the right to terminate this Agreement upon written notice to PCI SSC in accordance with …
Removed p. 44
A.5.2 Uses of SSF Assessor Name and Designated Marks SSF Assessor grants PCI SSC and each Participating Payment Brand the right to use SSF Assessor’s name and trademarks, as designated in writing by SSF Assessor, to list SSF Assessor on the SSF Assessor List and to include reference to SSF Assessor in publications to Vendors and the public regarding the SSF. Neither PCI SSC nor any Participating Payment Brand shall be required to include any such reference in any materials or publicity regarding the SSF. SSF Assessor warrants and represents that it has authority to grant to PCI SSC and its Participating Payment Brands the right to use its name and designated marks as contemplated by this Agreement.
Modified p. 49 → 45
A.6.6 Remedies In the event of a breach of Section A.6.2 by the Receiving Party, the Receiving Party acknowledges that the Disclosing Party will likely suffer irreparable damage that cannot be fully remedied by monetary damages. Therefore, in addition to any remedy that the Disclosing Party may possess pursuant to applicable law, the Disclosing Party retains the right to seek and obtain injunctive relief against any such breach in any court of competent jurisdiction. In the event any such breach …
A.6.6 Remedies In the event of a breach of Section A.6.2 by the Receiving Party, the Receiving Party acknowledges that the Disclosing Party will likely suffer irreparable damage that cannot be fully remedied by monetary damages. Therefore, in addition to any remedy that the Disclosing Party may possess pursuant to applicable law, the Disclosing Party retains the right to seek and obtain injunctive relief against any such breach in any court of competent jurisdiction. In the event any such breach …
Modified p. 52 → 48
A.7.4 Insurance At all times while this Agreement is in effect, SSF Assessor shall maintain insurance in such amounts, with such insurers, coverages, exclusions and deductibles which, at a minimum, meet the applicable insurance requirements for U.S. or European Union SSF Assessor Companies (as applicable) participating in the SSF, including without limitation, the insurance requirements for SSF Assessor Companies set forth in Appendix B of the SSF Qualification Requirements. SSF Assessor acknowledges and agrees that if it is a non-U.S. …
A.7.4 Insurance At all times while this Agreement is in effect, SSF Assessor shall maintain insurance in such amounts, with such insurers, coverages, exclusions and deductibles which, at a minimum, meet the applicable insurance requirements for U.S. or European Union SSF Assessor Companies (as applicable) participating in the SSF, including without limitation, the insurance requirements for SSF Assessor Companies set forth in Appendix B of the SSF Qualification Requirements. SSF Assessor acknowledges and agrees that if it is a non-U.S. …
Modified p. 54 → 49
PCI SSC may terminate this Agreement: (i) with written notice upon SSF Assessor’s voluntary or involuntary bankruptcy, receivership, reorganization dissolution or liquidation under state or federal law that is not otherwise dismissed within thirty (30) days; (ii) with written notice upon SSF Assessor’s breach of any representation or warranty under this Agreement; (iii) with fifteen (15) days’ prior written notice following SSF Assessor’s breach of any other term or provision of this Agreement (including without limitation, SSF Assessor’s failure to …
PCI SSC may terminate this Agreement effective as of the end of the then-current Term by providing SSF Assessor with written notice of its intent to terminate or not to renew this Agreement at least sixty (60) days prior to the end of the then-current Term. Additionally, PCI SSC may terminate this Agreement: (i) with written notice upon SSF Assessor’s voluntary or involuntary bankruptcy, receivership, reorganization dissolution or liquidation under state or federal law that is not otherwise dismissed within …
Modified p. 57 → 52
A.10.2 Audit and Financial Statements a. SSF Assessor shall allow PCI SSC or its designated agents access during normal business hours throughout the Term and for six (6) months thereafter to perform audits of SSF Assessor’s facilities, operations and records of Services to determine whether SSF Assessor has complied with this Agreement. SSF Assessor also shall provide PCI SSC or its designated agents during normal business hours with books, records and supporting documentation adequate to evaluate SSF Assessor’s performance hereunder. …
A.10.2 Audit and Financial Statements a. SSF Assessor shall allow PCI SSC or its designated agents access during normal business hours throughout the Term and for six (6) months thereafter to perform audits of SSF Assessor’s facilities, operations and records of Services to determine whether SSF Assessor has complied with this Agreement. SSF Assessor also shall provide PCI SSC or its designated agents during normal business hours with books, records and supporting documentation adequate to evaluate SSF Assessor’s performance hereunder. …
Removed p. 61
• WORKERS’ COMPENSATION: Statutory Workers Compensation as required by applicable law and

• EMPLOYER’S LIABILITY with a limit of $1,000,000

• COMMERCIAL AUTOMOBILE INSURANCE including owned, leased, hired, or non- owned autos subject to minimum limits of $1,000,000 per accident
Modified p. 61 → 55
COMMERCIAL GENERAL LIABILITY INSURANCE including PRODUCTS, COMPLETED OPERATIONS, ADVERTISING INJURY, PERSONAL INJURY and CONTRACTUAL LIABILITY INSURANCE with the following minimum limits for Bodily Injury and Property Damage on an Occurrence basis: $1,000,000 per occurrence and $2,000,000 annual aggregate. PCI SSC to be added as “Additional Insured.” The policy Coverage Territory must global.
WORKERS’ COMPENSATION: Statutory Workers Compensation as required by applicable law EMPLOYER’S LIABILITY with a limit of $1,000,000 COMMERCIAL GENERAL LIABILITY INSURANCE including PRODUCTS, COMPLETED OPERATIONS, ADVERTISING INJURY, PERSONAL INJURY and CONTRACTUAL LIABILITY INSURANCE with the following minimum limits for Bodily Injury and Property Damage on an Occurrence basis: $1,000,000 per occurrence and $2,000,000 annual aggregate. PCI SSC to be added as “Additional Insured.” The policy Coverage Territory must global.
Modified p. 61 → 55
CRIME/FIDELITY BOND including first-party employee dishonesty, robbery, fraud, theft, forgery, alteration, mysterious disappearance and destruction. Coverage must also include third-party employee dishonesty, i.e., coverage for claims made by the Security Assessor’s client against the Security Assessor for theft committed by the Security Assessor employees. The minimum limit shall be $1,000,000 each loss and annual aggregate. The policy Coverage Territory must be global.
COMMERCIAL AUTOMOBILE INSURANCE including owned, leased, hired, or non-owned autos subject to minimum limits of $1,000,000 per accident CRIME/FIDELITY BOND including first-party employee dishonesty, robbery, fraud, theft, forgery, alteration, mysterious disappearance and destruction. Coverage must also include third-party employee dishonesty, i.e., coverage for claims made by the Security Assessor’s client against the Security Assessor for theft committed by the Security Assessor employees.
Modified p. 61 → 55
TECHNOLOGY ERRORS & OMISSIONS, CYBER-RISK and PRIVACY LIABILITY INSURANCE covering liabilities for financial loss resulting or arising from acts, errors or omissions in rendering computer or information technology Services, or from data damage/destruction/corruption, including without limitation, failure to protect privacy, unauthorized access, unauthorized use, virus transmission, denial of service and loss of income from network security failures in connection with the Services provided under this agreement with a minimum limit of two million dollars ($2,000,000) each claim and annual …
TECHNOLOGY ERRORS & OMISSIONS, CYBER-RISK and PRIVACY LIABILITY INSURANCE covering liabilities for financial loss resulting or arising from acts, errors or omissions in rendering computer or information technology Services, or from data damage/destruction/corruption, including without limitation, failure to protect privacy, unauthorized access, unauthorized use, virus transmission, denial of service and loss of income from network security failures in connection with the Services provided under this agreement with a minimum limit of two million dollars ($2,000,000) each claim and annual aggregate. …
Removed p. 62
section of the Agreement, PCI SSC shall be named as an additional insured under the Commercial General Liability for any claims and losses arising out of, allegedly arising out of or in any way connected to the Security Assessor’s performance of the Services under the Agreement. The insurers shall agree that the Security Assessor’s insurance is primary and any insurance maintained by PCI SSC shall be excess and non-contributing to the Security Assessor’s insurance.
Modified p. 62 → 55
Without limiting Security Assessor’s indemnification duties as outlined in the indemnification
Without limiting Security Assessor’s indemnification duties as outlined in the indemnification section of the Agreement, PCI SSC shall be named as an additional insured under the Commercial General
Modified p. 64 → 58
(Continued) Independence

• 2.2.2 Provisions The Company hereby acknowledges and agrees that it must adhere to professional and business ethics, perform its duties with objectivity, and limit sources of influence that might compromise its independent judgment in performing SSF Assessments.
Independence

• 2.2.2 Provisions The Company hereby acknowledges and agrees that it must adhere to professional and business ethics, perform its duties with objectivity, and limit sources of influence that might compromise its independent judgment in performing SSF Assessments.
Modified p. 66 → 60
Note: These sections are intended to draw out specific experience about the company. The company must provide examples (including the timeframe) of how its work experience meets the program requirements.' The Company represents and warrants that it currently possesses (and at all times while it is a SSF Assessor Company will continue to possess) technical security assessment experience similar or related to SSF Assessments, and that it has (and must have) a dedicated software security practice that includes staff with …
The Company represents and warrants that it currently possesses (and at all times while it is a SSF Assessor Company will continue to possess) technical security assessment experience similar or related to SSF Assessments, and that it has (and must have) a dedicated software security practice that includes staff with specific job functions that support the software security practice.
Modified p. 66 → 60
Knowledge of cryptographic techniques including cryptographic algorithms, key management and rotation processes, and secure key storage: Describe the company's knowledge and expertise of cryptographic techniques and the Company's role ((e.g., implementation, developer, management, etc.). For example, the types of cryptography, such as hashing, symmetric, asymmetric; the algorithms, such as AES, TDES, RSA, Diffie-Hellman, elliptic curve, key management implementations or assessments including descriptions of how keys are stored, access privileges, expected incident response when/if keys were compromised; and lifecycle management (rotation, …
Knowledge of cryptographic techniques including cryptographic algorithms, key management and rotation processes, and secure key storage: Describe the company's knowledge and expertise of cryptographic techniques and the Company's role (e.g., implementation, developer, management, etc.). For example, the types of cryptography, such as hashing, symmetric, asymmetric; the algorithms, such as AES, TDES, RSA, Diffie-Hellman, elliptic curve, key management implementations or assessments including descriptions of how keys are stored, access privileges, expected incident response when/if keys were compromised; and lifecycle management (rotation, …
Modified p. 67 → 61
_______________________________ 1 QSA Companies in good standing will have already provided these materials and will not be required to resubmit them as part of the initial SSF Assessor Company application process if there have been no changes to such materials since those materials were last submitted to PCI SSC. .
_______________________________ 1 QSA Companies in good standing will have already provided these materials and will not be required to resubmit them as part of the initial SSF Assessor Company application process if there have been no changes to such materials since those materials were last submitted to PCI SSC.
Modified p. 72 → 66
From (date): To (date): Total time: Years Months Examples of work or description of the Candidate's experience with System/software penetration testing From (date): To (date): Total time: Years Months Examples of work or description of the Candidate's experience with Threat & vulnerability detection and management From (date): To (date): Total time: Years Months Examples of work or description of the Candidate's experience with Incident detection and response:
From (date): To (date): Total time: Years Months Examples of work or description of the Candidate's experience with Threat & vulnerability detection and management:
Modified p. 73 → 67
(a) The information provided above is true, accurate and complete; (b) I have read and understand the SSFQualification Requirements for Assessors and will comply with the terms thereof; and (c) I have read and understand the PCI SSC Code of Professional Responsibility, and will advocate, continuously adhere to and support the terms and provisions thereof.
(a) The information provided above is true, accurate, and complete; (b) I have read and understand the SSF Qualification Requirements for Assessors and will comply with the terms thereof; and (c) I have read and understand the PCI SSC Code of Professional Responsibility, and will advocate, continuously adhere to and support the terms and provisions thereof.
Modified p. 75 → 69
From (date): To (date): Total time: Years Months Examples of work or description of the Candidate's experience with Threat & vulnerability detection and management:
From (date): To (date): Total time: Years Months Examples of work or description of the Candidate's experience with Incident detection and response:
Modified p. 75 → 69
From (date): To (date): Total time: Years Months Examples of work or description of the Candidate's experience with Software penetration testing From (date): To (date): Total time: Years Months Examples of work or description of the Candidate's experience with Incident detection and response:
From (date): To (date): Total time: Years Months Examples of work or description of the Candidate's experience with Software penetration testing:
Modified p. 76 → 70
(d) The information provided above is true, accurate and complete; (e) I have read and understand the SSFQualification Requirements for Assessors and will comply with the terms thereof; and (f) I have read and understand the PCI SSC Code of Professional Responsibility, and will advocate, continuously adhere to and support the terms and provisions thereof.
(a) The information provided above is true, accurate, and complete; (b) I have read and understand the SSF Qualification Requirements for Assessors and will comply with the terms thereof; and (c) I have read and understand the PCI SSC Code of Professional Responsibility, and will advocate, continuously adhere to and support the terms and provisions thereof.
Removed p. 77
Section 3.2 Assessor-Employees Skills and Experience.
Modified p. 77 → 71
An SSF Assessor Company in Good Standing qualified to perform Secure Software Assessments may additionally qualify to perform Secure SLC Assessments by having one or more of its Assessor-Employees qualify as a Secure SLC Assessor in accordance with
An SSF Assessor Company in Good Standing qualified to perform Secure Software Assessments may additionally qualify to perform Secure SLC Assessments by having one or more of its Assessor- Employees qualify as a Secure SLC Assessor in accordance with Section 3.2, Assessor-Employees Skills and Experience.
Modified p. 77 → 71
An SSF Assessor Company in Good Standing qualified to perform Secure SLC Assessments may additionally qualify to perform Secure Software Assessments by having one or more of its Assessor-Employees qualify as a Secure SLC Assessor in accordance with Section 3.2 Assessor-Employees Skills and Experience.
An SSF Assessor Company in Good Standing qualified to perform Secure SLC Assessments may additionally qualify to perform Secure Software Assessments by having one or more of its Assessor- Employees qualify as a Secure SLC Assessor in accordance with Section 3.2, Assessor-Employees Skills and Experience.