Document Comparison
Qualified_PIN_Assessor_(QPA)_Qualification_Requirements%20_V1.0.pdf
→
QPA_Qualification_Requirements_v1.2.pdf
89% similar
61 → 60
Pages
24288 → 24778
Words
171
Content Changes
Content Changes
171 content changes. 68 administrative changes (dates, page numbers) hidden.
Added
p. 2
February 2019 1.01 Errata: Corrected List A industry certificate list in section 3.2.1.1
September 2021 1.1 Clarification to sub-contractor policy; added requirement for QPAs to have training in each major release of the standard prior to performing assessments; removal of grandfathering exception wording; added requirement for annual internal QA checks; added requirement for QA reviewers to either be QPAs or attend QPA Information Training; removed requirement for QPAs to report CPEs to PCI SSC; added requirement for QPA Companies to ensure QPAs have the necessary skills to perform PIN Assessments; minor wording changes to be consistent with other PCI SSC Programs
Note: PCI SSC does not determine whether entities are required to undergo assessment for compliance against the PCI PIN Standard. That is the responsibility of the Participating Payment Brands’, payment networks’, or acquirers’ compliance programs.
PCI SSC Assessment With respect to a given QPA Company, any …
Added
p. 11
Annual training fee for each QPA Employee (or candidate) 2.5 QPA Agreements 2.5.1 Requirement In order to participate in the QPA Program, PCI SSC requires that all agreements between PCI SSC and the QPA Company (including the QPA Agreement) be signed by a duly authorized officer of the QPA Company and submitted in unmodified form to PCI SSC prior to submitting applicants to the QPA Program. Pursuant to the QPA Agreement, the QPA Company agrees to comply with all applicable QPA Requirements.
Performing the PCI PIN Assessments Verifying the work product addresses all PCI PIN Assessment procedure steps and supports the validation status of the entity being assessed Strictly following the PCI PIN Standard and Testing Procedures Producing the final PIN Report on Compliance (PIN ROC) and PIN Attestation of Compliance (PIN AOC) 3.2.1.1 QPA Employee Skills and Experience Requirements Each QPA Employee performing or managing …
Added
p. 16
Record of years of relevant work experience and active certifications as outlined in 3.2.1 above Résumé or curriculum vitae (CV) of each candidate QPA Employee Completion and submission of Appendix D for each candidate QPA Employee 3.3 PCI SSC Code of Professional Responsibility 3.3.1 Requirement
Added
p. 19
All quality assurance reviews must be conducted by personnel that are either QPA Employees or have completed QPA Knowledge Training. QPA Knowledge Training must be completed initially and after every major update in the PCI PIN Standard prior to reviewing submissions under the new release.
Upon request by PCI SSC, the QPA Company must annually complete the QPA Annual QA Questionnaire in the Portal.
Added
p. 23
Note: Each QPA Company must ensure that each of its QPA Employees only works on those PCI SSC Assessments for which the QPA Employee is properly qualified by PCI SSC, has appropriate skill (including technology and language) and has an appropriate understanding of the customer’s/client’s business.
QPA Companies: Payment of annual QPA Company fees
QPA Employees:
• Proof of maintaining professional certification(s) as required per Section 3.2, “QPA Employee Skills and Experience.”
• Payment of annual re-qualification fees in accordance with the Website PCI SSC Programs Fee Schedule.
Added
p. 25
The PCI AQM team will review the completed QPA Annual QA Questionnaire to monitor the QPA Company’s ongoing adherence to program requirements and provide relevant feedback in the Portal.
Added
p. 26
Failure to meet applicable PCI SSC Program quality standards or comply with applicable QPA Requirements.
Failure to pay applicable PCI SSC Program fees.
Failure to meet applicable PCI SSC Program training requirements (annual or otherwise).
Failure to provide quality services, based on customer feedback or evaluation by PCI SSC or its affiliates.
Failure to maintain applicable PCI SSC Program insurance requirements.
Failure to submit the QPA Annual QA Questionnaire to PCI SSC via the Portal.
Failure to comply with or validate compliance in accordance with applicable Program Qualification Requirements (defined in the QPA Agreement), PCI SSC Standards or program guides, or the terms of the QPA Agreement or supplements or addenda thereto.
Failure to maintain physical, electronic, or procedural safeguards to protect confidential or sensitive information.
Failure to report unauthorized access to any system storing confidential or sensitive information.
Engaging in unprofessional or unethical business conduct, including without limitation, …
Added
p. 50
Insurance Coverage
• 2.3.2 Provisions (continued) The Company hereby certifies to PCI SSC that, along with this application, the Company is providing to PCI SSC a proof-of-coverage statement demonstrating that its insurance coverage matches locally set insurance coverage requirements.[1]
[1] QSA Companies in good standing will have already provided these materials and will not be required to resubmit them as part of the initial QPA Company application process if there have been no changes to such materials since those materials were last submitted to PCI SSC.
Added
p. 55
Internal Quality Assurance
• 4.3.2 Provisions The Company acknowledges and agrees that all quality assurance reviews must be conducted by personnel qualified by PCI SSC as a QPA Employee or who have completed QPA Knowledge Training.
The Company understands and agrees that it must annually provide to PCI SSC the completed QPA Annual QA Questionnaire in the Portal.
Added
p. 58
QPA Employee Skills, Experience and Education Provide examples of work or a description of the Candidate's experience with cryptography and key management (at least three years) in cryptographic techniques including cryptographic algorithms, key management, and key lifecycle:
Removed
p. 2
January 2019 Date Version Description
Removed
p. 4
Note: PCI SSC does not determine whether entities are required to undergo assessment for compliance against the PCI PIN Standard. That is the responsibility of the Participating Payment Brands’, payment networks’ or acquirers’ compliance programs.
Removed
p. 4
PCI SSC Assessment With respect to a given QPA Company, any assessment performed for purposes of validating the compliance of any third party (or any third- party product, application, service or solution) with any PCI SSC Standard for purposes of any PCI SSC Program
Modified
p. 4
PCI PIN Assessment With respect to a given QPA Company, any assessment performed for purposes of validating the compliance of any third party (or any third- party product, application, service or solution) with the PCI PIN Standard for purposes of any PCI QPA Program
PCI PIN Assessment With respect to a given QPA Company, any assessment performed for purposes of validating the compliance of any third party (or any third- party product, application, service, or solution) with the PCI PIN Standard for purposes of the QPA Program
Modified
p. 4
PCI PIN Report on Compliance (PIN ROC) The mandatory template for documenting and reporting the results of a PCI PIN Assessment to Participating Payment Brands, payment networks or acquirers, as made available on the Portal and PCI SSC Website.
PCI PIN Report on Compliance (PIN ROC) The mandatory template for documenting and reporting the results of a PCI PIN Assessment to Participating Payment Brands, payment networks, or acquirers, as made available on the Portal and PCI SSC Website.
Modified
p. 4
PCI PIN Standard The then-current version of (or successor document to) the PIN Security Requirements and Testing Procedures as from time to time amended and made available on the Website.
PCI PIN Standard The then-current version of (or successor document to) the PIN Security Requirements and Testing Procedures as is from time to time amended and made available on the Website.
Modified
p. 4
PCI SSC Program With respect to a given QPA Company, the QPA Program and each other program offered by PCI SSC in which such QPA Company is a participant.
PCI SSC Program With respect to a given QPA Company, the QPA Program, and each other program offered by PCI SSC in which such QPA Company is a participant.
Removed
p. 5
January 2019 Term Meaning
Modified
p. 5
PCI SSC Standard With respect to a given PCI SSC Program, the then-current version of (or successor document to) the corresponding security standards, requirements, and assessment procedures published by PCI SSC from time to time in connection with such PCI SSC Program and made available on the Website, including but not limited to any and all appendices, exhibits, schedules and attachments to any of the foregoing and all materials incorporated therein, in each case, as from time to time amended.
PCI SSC Standard With respect to a given PCI SSC Program, the then-current version of (or successor document to) the corresponding security standards, requirements, and assessment procedures published by PCI SSC from time to time in connection with such PCI SSC Program and made available on the Website, including but not limited to any and all appendices, exhibits, schedules, and attachments to any of the foregoing and all materials incorporated therein, in each case, as from time to time amended.
Modified
p. 5
Qualified PIN Assessor Agreement (QPA Agreement) The then-current version of (or successor document to) the Qualified PIN Assessor Agreement attached as Appendix A to the PCI PIN Assessor Qualification Requirements.
Qualified PIN Assessor Agreement (QPA Agreement) The then-current version of (or successor document to) the Qualified PIN Assessor Agreement is attached as Appendix A to the PCI PIN Assessor Qualification Requirements.
Modified
p. 5
The then-current list of QPA Companies published by PCI SSC on the Website.
Removed
p. 6
QSA (P2PE) Company A QSA Company that has been additionally qualified, and continues to be additionally qualified, by PCI SSC as a P2PE Assessor Company as part of PCI SSC’s P2PE Assessor Program, described further on the Website.
Modified
p. 6
Website The then-current PCI SSC Web site (and its accompanying Web pages), which is currently available at www.pcisecuritystandards.org.
Website The then-current PCI SSC website (and its accompanying web pages), which is currently available at www.pcisecuritystandards.org.
Modified
p. 6
To initiate the qualification process, the candidate QPA Company must sign the QPA Agreement (Appendix A) in unmodified form and submit it to PCI SSC along with an application for a candidate QPA Employee (Appendix B) in accordance with Section 3.2.2 below.
To initiate the qualification process, the candidate QPA Company must sign the QPA Agreement (Appendix A) in an unmodified form and submit it to PCI SSC along with an application for a candidate QPA Employee (Appendix B) in accordance with Section 3.2.2 below.
Removed
p. 7
January 2019 Important Note: PCI SSC reserves the right to reject any application from any applicant (company or employee) that PCI SSC determines has committed, within two (2) years prior to the application date, any conduct that would have been considered a “Violation” for purposes of the QPA Agreement Requirements if committed by a QPA Company or QPA Employee. The period of ineligibility will be a minimum of one (1) year, as determined by PCI SSC in a reasonable and non-discriminatory manner, in light of the circumstances.
QSA Companies in good standing are deemed to satisfy certain QPA Company requirements (see further details in QPA Company Application (Appendix C hereto)).
• Payment Card Industry (PCI) PIN Security Requirements and Testing Procedures
Modified
p. 7
Section 2: QPA Company Business Requirements covers minimum business requirements that must prior to becoming a QPA Company.
Section 2: QPA Company Business Requirements cover minimum business requirements that must be satisfied prior to becoming a QPA Company.
Modified
p. 7
Payment Card Industry (PCI) PIN Security Requirements and Testing Procedures Payment Card Industry (PCI) QPA Program Guide 1.5 QPA Application Process This document describes the information that must be provided to PCI SSC as part of the QPA application and qualification process. Each outlined requirement is followed by the information that must be submitted to document that the candidate QPA Company and QPA Employee meet or exceed the stated requirements.
Modified
p. 7
All company applications must include a signed QPA Agreement. (Appendix A), a “QPA Company Application” (Appendix C) and an application for each QPA Employee candidate (Appendix D). All application materials and the signed QPA Agreement must be submitted in English. The QPA Agreement is binding in English even if the QPA Agreement was translated and reviewed in another language. All other documentation provided by the QPA Company (or candidate) in a language other than English must be accompanied by a …
All company applications must include a signed QPA Agreement (Appendix A), a QPA Company Application (Appendix C), and an application for each QPA Employee candidate (Appendix D). All application materials and the signed QPA Agreement must be submitted in English. The QPA Agreement is binding in English even if the QPA Agreement was translated and reviewed in another language. All other documentation provided by the QPA Company (or candidate) in a language other than English must be accompanied by a …
Removed
p. 9
• Copy of current QPA Company (or candidate QPA Company) formation document or equivalent approved by PCI SSC (the “Business License”), including year of incorporation, and location(s) of offices (Refer to the Documents Library on the Website
• Business License Requirements for more information)
• To the extent permitted by applicable law, written statements describing all past or present allegations or convictions of any fraudulent or criminal activity involving the QPA Company, QPA Company candidate or any principal thereof, and any QPA Employee thereof, and the status and resolution
Modified
p. 9
• Written statements describing any past or present appeals or revocations of any qualification issued by PCI SSC to the QPA Company (or any predecessor entity or, unless prohibited by applicable law, any QPA Employee of any of the foregoing), and the current status and any resolution thereof 2.2 Independence 2.2.1 Requirements The QPA Company must adhere to professional and business ethics, perform its duties with objectivity, and limit sources of influence that might compromise its independent judgment in performing …
Copy of current QPA Company (or candidate QPA Company) formation document or equivalent approved by PCI SSC (the “Business License”), including year of incorporation and location(s) of offices (Refer to the Documents Library on the Website
• “Business License Requirements” for more information) To the extent permitted by applicable law, written statements describing all past or present allegations or convictions of any fraudulent or criminal activity involving the QPA Company, QPA Company candidate or any principal thereof, and any …
Modified
p. 9
The QPA Company must adhere to all independence requirements as established by PCI SSC, including without limitation, the following:
The QPA Company must adhere to all independence requirements established by PCI SSC, including without limitation, the following:
Modified
p. 9
The QPA Company will not undertake to perform any PCI PIN Assessment of any entity that it controls, is controlled by, is under common control with, or in which it holds any investment.
Removed
p. 10
• The QPA Company must not (and will not) have offered, been offered, been provided, or have accepted any gift, gratuity, service, or other inducement to any employee of PCI SSC or to any customer, in order to enter into the QPA Agreement or any agreement with a customer, or to provide QPA Company-related services.
• When recommending remediation actions that include one of its own solutions or products, the QPA Company must also recommend other market options that exist.
Modified
p. 10
The QPA Company must fully disclose in the PIN Report on Compliance (PIN ROC) if it assesses any customer that uses any security-related device, application, product, or solution that is developed, manufactured, sold, resold, licensed, or otherwise made available to the applicable customer by the QPA Company, or to which the QPA Company owns the rights, or that the QPA Company has configured or manages, including but not limited to the following:
Modified
p. 10
− Application or network firewalls − Intrusion detection/prevention systems − Database or other storage solutions − Encryption solutions − Security audit log solutions − File integrity monitoring solutions − Anti-virus solutions − Vulnerability scanning services or solutions
− Application or network firewalls − Intrusion detection/prevention systems − Database or other storage solutions − Encryption solutions − Security audit log solutions − File integrity monitoring solutions − Anti-virus solutions − Vulnerability scanning services or solutions When recommending remediation actions that include one of its own solutions or products, the QPA Company must also recommend other existing market options.
Modified
p. 10
The QPA Company must have separation-of-duties controls in place to ensure QPA Employees conducting PCI PIN Assessments are independent and not subject to any conflict of interest.
Modified
p. 10
The QPA Company will not use its status as a “listed QPA Company” to market services unnecessary to bring QPA Company clients into compliance with the PCI PIN or any other PCI SSC Standard.
Modified
p. 10
The QPA Company must not misrepresent any requirement of the PCI PIN or any other PCI SSC Standard in connection with its promotion or sales of services to its clients, or state or imply that the PCI PIN or any other PCI SSC Standard requires usage of the QPA Company's products or services.
Modified
p. 10
The QPA Company must notify its QPA Employees of the independence requirements provided for in this document, as well as QPA Company’s independence policy, at least annually.
Modified
p. 11
QPA Company fees Annual QPA Company re-qualification fees for subsequent years
Removed
p. 12
January 2019 2.5 QPA Agreements 2.5.1 Requirement In order to participate in the QPA Program, PCI SSC requires that all agreements between PCI SSC and the QPA Company (including the QPA Agreement) be signed by a duly authorized officer of the QPA Company, submitted in unmodified form to PCI SSC prior to submitting applicants to the QPA Program. Pursuant to the QPA Agreement, the QPA Company agrees to comply with all applicable QPA Requirements.
January 2019 3 QPA Program Capability Requirements 3.1 QPA Company
• Services and Experience 3.1.1 Requirements
• Description of the company's knowledge and expertise of cryptographic techniques.
• Evidence of a dedicated security practice, such as:
• Brief description of other core business offerings
• List of languages supported by the applicant QPA Company
Modified
p. 13 → 12
The company must have a dedicated information security practice that includes staff with specific job functions that support the information security practice.
Modified
p. 13 → 12
Each company must have at least one year of experience with direct responsibility for implementing, operating, and/or assessing cryptographic systems and/or key management functions. For example, implementing and managing key management functions, or performing lab evaluations of cryptographic systems against NIST, ANSI, or ISO standards.
Modified
p. 13 → 12
Two client references from relevant security assessment engagements within the last 12 months.
Modified
p. 13 → 12
Description of the applicant QPA Company’s experience and knowledge with information security audit engagements, preferably related to payment systems, equal to at least one year or three separate audits Description of the company's knowledge and expertise of cryptographic techniques Evidence of a dedicated security practice, such as:
Removed
p. 14
• Performing the PCI PIN Assessments.
• Verifying the work product addresses all PCI PIN Assessment procedure steps and supports the validation status of the entity being assessed.
• Strictly following the PCI PIN Standard and Testing Procedures.
• Producing the final PIN Report on Compliance (PIN ROC) and PIN Attestation of Compliance (PIN AOC).
• Possess at least three years of experience in IT auditing or security assessments.
Modified
p. 14 → 13
Pass background checks required per Section 4.2.
Modified
p. 14 → 13
Possess a minimum of three years of experience in Cryptography and/or Key Management which includes:
Modified
p. 14 → 13
− Cryptographic techniques including cryptographic algorithms, key management, and key lifecycle − Knowledge of industry standards for cryptographic techniques and key management, including but not limited to ISO 11568 and 13491, ANSI X9.24 and X9.97, and FIPS140-2 − Public key infrastructure (PKI) and the role and operations of a Certification Authority (CA) and Registration Authority (RA) − Hardware security modules (HSMs) operations, policies, and procedures − Physical security techniques for high-security areas − Point of Interaction (POI) key-injection systems and …
− Cryptographic techniques including cryptographic algorithms, key management, and key lifecycle − Knowledge of industry standards for cryptographic techniques and key management, including but not limited to ISO 11568 and 13491, ANSI X9.24 and X9.97, and FIPS140-2 − Public key infrastructure (PKI) and the role and operations of a Certification Authority (CA) and Registration Authority (RA) − Hardware security modules (HSMs) operations, policies, and procedures − Physical security techniques for high-security areas − Point of Interaction (POI) key-injection systems and …
Modified
p. 14 → 13
Possess at least three years of experience in IT auditing or security assessments.
Removed
p. 15
• Possess at least one of the following accredited, industry-recognized professional certifications from each list.
Modified
p. 15 → 14
• Be employees of the QPA Company (meaning this work cannot be subcontracted to non-employees) unless PCI SSC has given prior written consent for each subcontracted worker.
• IIA Certified Internal Auditor (CIA) Be employees of the QPA Company (meaning this work cannot be subcontracted to non-employees) unless PCI SSC has given prior written consent for each subcontracted worker.
Modified
p. 15 → 14
To find out if your country has an accreditation body, visit the International Accreditation Forum (IAF) website at www.iaf.nu and use the IAF MLA signatories list to identify an accreditation body in your country or region.
To find out if your country has an accreditation body, visit the International Accreditation Forum (IAF) website at “www.iaf.nu” and use the IAF MLA signatories list to identify an accreditation body in your country or region.
Modified
p. 15 → 14
Verification of company's certification should be addressed to the certification organization in question. You may also wish to contact the ISO member in your country or the country concerned, as they may have a national database of certified companies.
Verification of company's certification should be addressed to the certification organization in question. You may also wish to contact the ISO member in your country or the country concerned, as it may have a national database of certified companies.
Removed
p. 16
Note: Prior to March 1, 2021, subject to their completion of applicable QPA Program training and exam required by PCI SSC, the individual QPA application requirements in 3.2.1.1 shall not apply to:
(a) Individuals who have been certified by Participating Payment Brands as part of their respective PIN security assessor (SA) programs for purposes of performing assessments against the PCI PIN Security Requirements or (b) Assessors with Network Security Compliance for PIN and Key Management training and TR39 CTGA certification.
These assessors are required to have performed technical PIN assessments against the PCI PIN Security Requirements on external entities in the last two years and must be an employee of a QPA Company.
After two years, these QPAs will be required to meet all QPA requirements going forward.
• Record of years of relevant work experience and active certifications as outlined in 3.2.1 above.
• Résumé or Curriculum Vitae (CV) of each candidate QPA Employee
• Completion …
Modified
p. 16
PCI SSC has adopted a Code of Professional Responsibility (the “Code”) to help ensure that QPA Companies and QPA Employees adhere to high standards of ethical and professional conduct. All QPA Companies and QPA Employees must advocate, adhere to, and support the Code (available on the Website).
PCI SSC has adopted the PCI SSC Code of Professional Responsibility (the “Code”) to help ensure that QPA Companies and QPA Employees adhere to high standards of ethical and professional conduct. All QPA Companies and QPA Employees must advocate, adhere to, and support the Code (available on the Website).
Removed
p. 17
January 2019 4 QPA Company Administrative Requirements This section describes the administrative requirements for QPA Companies, including company contacts, background checks, adherence to PCI PIN procedures, quality assurance, and protection of confidential and sensitive information.
Modified
p. 17
Name Job title Address Phone number Fax number E-mail address 4.2 Background Checks 4.2.1 Requirement Each QPA Company must perform background checks that satisfy the provisions described below (to the extent legally permitted within the applicable jurisdiction) with respect to each applicant QPA Employee.
Modified
p. 17
Minor offenses (for example, misdemeanors or non-US equivalents) are allowed; but major offenses (for example, felonies or non-US equivalents) automatically disqualify a candidate from qualifying as a QPA Employee. Upon request, each QPA Company must provide to PCI SSC the background check history for each QPA Employee (or candidate QPA Employee), to the extent legally permitted within the applicable jurisdiction.
Modified
p. 17
Attestation that its policies and hiring procedures include performing background checks. Examples of background checks include previous employment history, criminal record, credit history, and reference checks.
Removed
p. 18
• A written statement that it successfully completed such background checks for each candidate QPA Employee.
• The QPA Company must adhere to all QPA Program quality assurance requirements described in this document or otherwise established by PCI SSC from time to time.
Modified
p. 18
A summary description of current QPA employee personnel background check policies and procedures, which must require and include the following:
Modified
p. 18
− Verification of aliases (when applicable) − Comprehensive country and (if applicable) state level review of records of any criminal activity such as felony (or non-US equivalent) convictions or outstanding warrants, within the past five years minimum − Annual background checks consistent with this section for each of its QPA Employees for any change in criminal records, arrests or convictions 4.3 Quality Assurance 4.2.3 Requirements
− Verification of aliases (when applicable) − Comprehensive country and (if applicable) state level review of records of any criminal activity such as felony (or non-US equivalent) convictions or outstanding warrants within the past five years, minimum − Annual background checks consistent with this section for each of its QPA Employees for any change in criminal records, arrests, or convictions 4.3 Internal Quality Assurance 4.3.1 Requirements The QPA Company must adhere to all QPA Program quality-assurance requirements described in …
Modified
p. 18
The QPA Company must have a quality assurance (QA) program documented in its Quality Assurance manual.
Modified
p. 18
The QPA Company must maintain and adhere to a documented quality-assurance process and manual, which includes all of the following:
Removed
p. 19
− Distribution and availability of the QA manual
− Evidence of annual review by the QA manual process owner
− Coverage of all quality assurance activities relevant to the particular PCI SSC Program, and references to the corresponding PCI SSC Qualification Requirements for that program, and to other applicable PCI SSC Program documentation for information concerning other PCI SSC Program-specific requirements
− Requirement for all QPA Employees to regularly monitor the Website for updates, guidance and new publications relating to the QPA Program
• The QPA Company must have qualified personnel conduct a quality assurance review of PCI PIN Assessment procedures performed, supporting documentation workpapers retained in accordance with QPA Company’s Workpaper Retention Policy, information documented in the PIN ROC related to the appropriate selection of system components, sampling procedures, remediation recommendations, proper use of payment definitions, consistent findings, and thorough documentation of results.
The QPA Company must maintain the …
Modified
p. 19
The QPA Company should require all new QPA Employees to shadow an experienced QPA Employee on at least 1 (one) PCI PIN Assessment prior to conducting a PCI PIN Assessment by themselves.
Modified
p. 19
The QPA Company must inform each QPA Assessment client of the QPA Feedback Form (available on the Website) upon commencement of each PCI PIN Assessment.
Modified
p. 19
PCI SSC, at its sole discretion, reserves the right to conduct audits of the QPA Company at any time and further reserves the right to conduct site visits at the expense of the QPA Company.
Modified
p. 19
Upon request, the QPA Company (or applicant) must provide a complete copy of the quality-assurance manual to PCI SSC.
Removed
p. 20
− Systems storing customer data do not reside on Internet accessible systems
− Protection of systems storing customer data by network and application layer controls including technologies such as firewall(s) and IDS/IPS
− Restricting access (e.g., via locks) to the physical office space
− Restricting access (e.g., via locked file cabinets) to paper files
− Restricting logical access to electronic files via least-privilege/role-based access control
− Strong encryption of customer data when transmitted over public networks
− Secure transport and storage of backup media
− Strong encryption of customer data on portable devices such as laptops and removable media
• A blank copy of the QPA Company’s confidentiality agreement(s) that each QPA Employee is required to sign
4.5 Evidence (Assessment Workpaper) Retention
4.5.1 Requirement
Modified
p. 20
Physical, electronic, and procedural safeguards including:
Modified
p. 20
− Protection of systems storing customer data by network and application layer controls including technologies such as firewall(s) and IDS/IPS
− Restricting access (e.g., via locks) to the physical office space
− Restricting access (e.g., via locked file cabinets) to paper files
− Restricting logical access to electronic files via least-privilege/role-based access control
− Strong encryption of customer data when transmitted over public networks
− Secure transport and storage of backup media
− Strong encryption of customer data on portable …
Modified
p. 20
A blank copy of the QPA Company’s Workpaper Retention Policy agreement that each QPA Employee is required to sign, included as part of the policy, which includes agreement to conform at all times with the Workpaper Retention Policy and the QPA Qualification Requirements.
Modified
p. 21
A requirement that Assessment Results and Related Materials must be retained for at least three (3) years after completion of the applicable PCI PIN Assessment, and must include all digital and hard copy evidence created and/or obtained by or on behalf of the QPA Company during each PCI PIN Assessment, including but not limited to: documentation reviewed (policies, processes, procedures, network and dataflow diagrams), case logs, meeting agendas and notes, evidence of onsite and offsite activities (including interview notes), screenshots, …
Modified
p. 21
Requirements ensuring that the QPA Company has confirmed that all Assessment Results and Related Materials relating to a given PCI PIN Assessment have in fact been retained in accordance with the procedures defined in the Workpaper Retention Policy, prior to releasing the final PIN ROC for that PCI PIN Assessment.
Modified
p. 21
All Assessment Results and Related Materials must be made available to PCI SSC and/or its Affiliates upon request for a minimum of three (3) years after completion of the applicable PCI PIN Assessment.
Modified
p. 21
The QPA Company must provide a copy of the Workpaper Retention Policy and related procedures to PCI SSC upon request, including copies of any other policies and procedures referenced within any of the foregoing documents, such as general confidential and sensitive data-protection handling policies for the QPA Company.
Removed
p. 22
Companies and QPA Employees are required to be familiar with the obligations for reporting Incidents to each of the Participating Payment Brands.
Modified
p. 22
No QPA Company or QPA Employee shall take any action after an Incident that is reasonably likely to diminish the integrity of, or otherwise interfere with or negatively affect the ability of a PFI to perform, any PFI Investigation (see the PCI Forensic Investigator (PFI) Program Guide for additional details).
No QPA Company or QPA Employee shall take any action after an Incident that is reasonably likely to diminish the integrity of, or otherwise interfere with or negatively affect the ability of a PCI Forensic Investigator (PFI) to perform any PFI Investigation (see the PCI Forensic Investigator (PFI) Program Guide on the Website for additional details).
Modified
p. 22
Instructions and procedures for notifying customers of Incidents discovered during or in connection with the performance of any PCI PIN Assessment or other QPA Program-related services and documenting those Incidents and related information in accordance with Section 4.6.1.
Modified
p. 22
Retention requirement for all incident-related documentation, notices, and reports, with the same protections as those noted for work-paper retention in the QPA Company’s evidence-retention policy and procedures.
Removed
p. 23
5 QPA List and Annual Re-Qualification
This section describes what happens after initial qualification, and activities related to annual re-qualification.
Modified
p. 23
Once an individual has met applicable QPA Requirements, PCI SSC will add the QPA Employee to the applicable QPA Employee search tool on the Website.
Once an individual has met applicable QPA Requirements, PCI SSC will add the QPA Employee to the applicable QPA Employee listing on the Website.
Modified
p. 23
Only those QPA Companies and QPA Employees on the QPA List or in such search tool (as applicable) are recognized by PCI SSC to perform or support PCI PIN Assessments.
Only those QPA Companies and QPA Employees on the QPA List or in such listing (as applicable) are recognized by PCI SSC to perform or support PCI PIN Assessments.
Modified
p. 23
If, at any time, a QPA Company and/or QPA Employee does not meet the applicable QPA Requirements (including without limitation, payment or documentation requirements), PCI SSC reserves the right to immediately remove the QPA Company and/or QPA Employee from the respective list(s) or tool(s) on the Website, regardless of Remediation or Revocation. PCI SSC will notify the QPA Company of the removal in accordance with the QPA Agreement, typically via registered or overnight mail and/or e-mail. Refer to Sections 6.2 …
If, at any time, a QPA Company and/or QPA Employee does not meet the applicable QPA Requirements (including without limitation, payment or documentation requirements), PCI SSC reserves the right to immediately remove the QPA Company and/or QPA Employee from the respective listing(s) or search tools on the Website, regardless of Remediation or Revocation. PCI SSC will notify the QPA Company of the removal in accordance with the QPA Agreement, typically via registered or overnight mail and/or e-mail. Refer to Sections …
Modified
p. 23
Additionally, each QPA Employee must be re-qualified by PCI SSC on an annual basis. The annual re-qualification date is based upon the QPA Employee’s previous qualification date. Re-qualification requires proof of CPEs as noted in Section 5.2.2, proof of training successfully completed, payment of annual training and re-qualification fees, and continued compliance with applicable QPA Requirements.
Additionally, each QPA Employee must be re-qualified by PCI SSC on an annual basis. The annual re-qualification date is based upon the QPA Employee’s previous qualification date. Re-qualification of QPA Employees requires proof of at least two accredited, industry-recognized professional certifications in accordance with Section 3.2.1 above. Requalification also requires proof of training successfully completed, payment of annual training and re-qualification fees, and continued compliance with applicable QPA Requirements.
Modified
p. 23
Negative feedback from QPA Company clients, PCI SSC, Participating Payment Brands, or others may impact QPA Company and/or QPA Employee eligibility for re-qualification.
Negative feedback from QPA Company clients, PCI SSC, Participating Payment Brands, or others may impact a QPA Company and/or QPA Employee eligibility for re-qualification.
Removed
p. 24
5.2.2 Provisions
The following must be provided to PCI SSC during the annual re-qualification process:
• Payment of annual fee for requalification QPA Employees
• Proof of information systems security training within the last 12 months in accordance with the current version of the PCI SSC CPE Maintenance Guide
• Maintaining professional certification(s) as required per Section 3.2, “QPA Employee Skills and Experience.” PCI SSC reserves the right to request proof of current professional certifications at any time.
• Payment of annual re-qualification fees in accordance with the Website
Removed
p. 26
6.3 QPA Revocation Process
Each event below is an example of a “Violation” (defined in the QPA Agreement), and accordingly, regardless of prior warning or Remediation, may result in revocation of QPA Company and/or QPA Employee qualification (and/or other PCI SSC Program qualifications). This list is not exhaustive. Among other things, any qualification under any PCI SSC Program may be revoked if PCI SSC determines that either the QPA Company or any of its QPA Employees has breached any provision of the QPA Agreement or otherwise failed to satisfy any applicable QPA Requirement (each also a Violation), including but not limited to:
• Failure to meet applicable PCI SSC Program quality standards or comply with applicable QPA Requirements
• Failure to pay applicable PCI SSC Program fees
• Failure to meet applicable PCI SSC Program training requirements (annual or otherwise)
• Failure to meet applicable PCI SSC Program continuing education requirements
• Failure …
Modified
p. 27
Providing false or intentionally incomplete or misleading information to the Council in any application or other materials.
Modified
p. 27
Failure to be in Good Standing (as defined in the QPA Agreement) as a QPA Company or to be in Good Standing (as defined in the applicable Program Qualification Requirements) with respect to any other PCI SSC qualification then held by such QPA Company or QPA Employee (as applicable), in each case including but not limited to failure to successfully complete applicable quality assurance audits and/or comply with all applicable requirements, policies, and procedures of PCI SSC's quality assurance, …
Modified
p. 27
Appeals must be submitted within 30 days from the date of the notification to the QPA Program Manager by postal mail to the following address (e-mail submissions will not be accepted):
Appeals must be submitted within 30 calendar days from the date of the notification to the QPA Program Manager by postal mail to the following address (e-mail submissions will not be accepted):
Modified
p. 27
The QPA Company and/or QPA Employee (as applicable) name will be removed from the relevant QPA List and/or search tool (as applicable).
Modified
p. 27
PCI SSC may notify third parties.
Modified
p. 29 → 30
QPA acknowledges that data security practices exist within a rapidly changing environment and agrees to monitor the Website at least weekly for changes to the PCI PIN Standard, other applicable PCI SSC Standards, QPA Qualification Requirements and other applicable Program Qualification Requirements (defined in Section A.3.4 below). QPA will incorporate all such changes into all applicable PCI SSC Assessments initiated by QPA on or after the effective date of such changes. QPA acknowledges and agrees that any PIN ROC or …
QPA acknowledges that data security practices exist within a rapidly changing environment and agrees to monitor the Website at least weekly for changes to the PCI PIN Standard, other applicable PCI SSC Standards, QPA Qualification Requirements, and other applicable Program Qualification Requirements (defined in Section A.3.4 below). QPA will incorporate all such changes into all applicable PCI SSC Assessments initiated by QPA on or after the effective date of such changes. QPA acknowledges and agrees that any PIN ROC or …
Modified
p. 30 → 31
A.3.3 QPA Service Staffing QPA shall ensure that a QPA Employee that is fully qualified in accordance with all applicable QPA Requirements supervises all aspects of each engagement to perform PCI PIN Assessments, including without limitation, being present onsite for the duration of each PCI SSC Assessment, reviewing the work product that supports QPA's PCI PIN Assessment procedures, and ensuring adherence to all applicable QPA Requirements and the PCI PIN Standard. Employees performing the following tasks must also be qualified …
A.3.3 QPA Service Staffing QPA shall ensure that a QPA Employee that is fully qualified in accordance with all applicable QPA Requirements supervises all aspects of each engagement to perform PCI PIN Assessments, including without limitation, being present onsite for the duration of each PCI SSC Assessment (or monitoring remotely in accordance with the PCI SSC Remote Assessment Guidelines and Procedures), reviewing the work product that supports QPA's PCI PIN Assessment procedures, and ensuring adherence to all applicable QPA Requirements …
Modified
p. 30 → 31
A.3.4 QPA Requirements QPA agrees to comply with all QPA Requirements, including without limitation, QPA’s responsibilities and obligations pursuant to this Agreement, all quality assurance and Remediation requirements, and all requirements applicable to QPA pursuant to the QPA Qualification Requirements and the then-current versions of (or successor documents to) the qualification and/or validation requirements published by PCI SSC with respect to each PCI SSC Program in which QPA is a participant, as from time to time amended and made available …
A.3.4 QPA Requirements QPA agrees to comply with all QPA Requirements, including without limitation, QPA’s responsibilities and obligations pursuant to this Agreement, all quality assurance and Remediation requirements, and all requirements applicable to QPA pursuant to the QPA Qualification Requirements and the then-current versions of (or successor documents to) the qualification and/or validation requirements published by PCI SSC with respect to each PCI SSC Program in which QPA is a participant, as from time to time amended and made available …
Modified
p. 31 → 32
QPA acknowledges that PCI SSC may review and modify its Fees at any time and from time to time. Whenever a change in Fees occurs, PCI SSC shall notify QPA in accordance with the terms of Section A.10.1. Such change(s) will be effective immediately after the date of such notification. However, should QPA not agree with such change(s), QPA shall have the right to terminate this Agreement (or, if such change only applies to a Related PCI SSC Program, the …
QPA acknowledges that PCI SSC may review and modify its Fees at any time and from time to time. Whenever a change in Fees occurs, PCI SSC shall notify QPA in accordance with the terms of Section A.10.1. Such change(s) will be effective immediately after the date of such notification. However, should QPA not agree with such change(s), QPA shall have the right to terminate this Agreement (or, if such change only applies to a Related PCI SSC Program, the …
Modified
p. 32 → 33
(b) In advertising or promoting its Services, so long as QPA is in Good Standing as a QPA Company, QPA may make reference to the fact that QPA is listed in the QPA List, provided that it may do so only during such times as QPA actually appears in the QPA List.
Modified
p. 32 → 33
(c) Except as expressly authorized herein, QPA shall not use any PCI SSC trademark, service mark, certification mark, logo or other indicator of origin or source (each a “Mark”) without the prior written consent of PCI SSC in each instance. Without limitation of the foregoing, absent the prior written consent of PCI SSC in each instance and except as otherwise expressly authorized herein, QPA shall have no authority to make, and consequently shall not make, any statement that would constitute …
(c) Except as expressly authorized herein, QPA shall not use any PCI SSC trademark, service mark, certification mark, logo or other indicator of origin or source (each a “Mark”) without the prior written consent of PCI SSC in each instance. Without limitation of the foregoing, absent the prior written consent of PCI SSC in each instance and except as otherwise expressly authorized herein, QPA shall have no authority to make, and consequently shall not make, any statement that would constitute …
Removed
p. 33
dissemination or use of promotional or other materials or publicity in violation of Section A.5 shall be deemed a material breach of this Agreement and upon any such violation, PCI SSC may remove QPA's name from the QPA List and/or terminate this Agreement in its sole discretion.
Modified
p. 33 → 34
A.5.2 Uses of QPA Name and Designated Marks QPA grants PCI SSC and each Participating Payment Brand the right to use QPA's name and trademarks, as designated in writing by QPA, to list QPA on the relevant QPA List and to include reference to QPA in publications to Financial Institutions, Issuers, Merchants, Acquirers, Processors, and the public regarding applicable PCI SSC Programs. Neither PCI SSC nor any Participating Payment Brand shall be required to include any such reference in any …
A.5.2 Uses of QPA Name and Designated Marks QPA grants PCI SSC and each Participating Payment Brand the right to use QPA's name and trademarks, as designated in writing by QPA, to list QPA on the relevant QPA List, and to include reference to QPA in publications to Financial Institutions, Issuers, Merchants, Acquirers, Processors, and the public regarding applicable PCI SSC Programs. Neither PCI SSC nor any Participating Payment Brand shall be required to include any such reference in any …
Modified
p. 33 → 34
A.5.3 No Other Rights Granted Except as expressly stated in this Section A.5, no rights to use any party's or Member’s marks or other Intellectual Property Rights (as defined below) are granted herein, and each party respectively reserves all of its rights therein. Without limitation of the foregoing, except as expressly provided in this Agreement, no rights are granted to QPA with respect to any Intellectual Property Rights in the PCI PIN Standard or any other PCI Materials.
A.5.3 No Other Rights Granted Except as expressly stated in this Section, A.5, no rights to use any party's or Member’s marks or other Intellectual Property Rights (as defined below) are granted herein, and each party respectively reserves all of its rights therein. Without limitation of the foregoing, except as expressly provided in this Agreement, no rights are granted to QPA with respect to any Intellectual Property Rights in the PCI PIN Standard or any other PCI Materials.
Modified
p. 33 → 34
A.5.4 Intellectual Property Rights (a) All Intellectual Property Rights, title and interest in and the PCI SSC Programs, the PCI PIN Standard and all other PCI Materials, all materials QPA receives from PCI SSC, and each portion, future version, revision, extension, and improvement of any of the foregoing, are and at all times shall remain solely and exclusively the property of PCI SSC or its licensors, as applicable. Subject to the foregoing and to the restrictions set forth in Section …
A.5.4 Intellectual Property Rights (a) All Intellectual Property Rights, title and interest in and to the PCI SSC Programs, the PCI PIN Standard, and all other PCI Materials, all materials QPA receives from PCI SSC, and each portion, future version, revision, extension, and improvement of any of the foregoing, are and at all times shall remain solely and exclusively the property of PCI SSC or its licensors, as applicable. Subject to the foregoing and to the restrictions set forth in …
Modified
p. 33 → 34
(b) All right, title and interest in and to the Intellectual Property Rights in all materials generated by or on behalf of PCI SSC with respect to QPA are and at all times shall remain the property of PCI SSC. Subject to the provisions of Section A.6, QPA may use and disclose such materials solely for the purposes expressly permitted by this Agreement. QPA shall not revise, abridge, modify, or alter any such materials.
Modified
p. 33 → 34
(c) QPA shall not during or at any time after the completion, expiry or termination of this Agreement in any way question or dispute PCI SSC's or its licensors’ (as applicable) Intellectual Property Rights in any PCI SSC Program or any of the PCI Materials.
(c) QPA shall not during or at any time after the completion, expiry, or termination of this Agreement in any way question or dispute PCI SSC's or its licensors’ (as applicable) Intellectual Property Rights in any PCI SSC Program or any of the PCI Materials.
Modified
p. 34
(d) Except as otherwise expressly agreed by the parties, as between PCI SSC and QPA, all Intellectual Property Rights, title and interest in and to the materials created by QPA and submitted by QPA to PCI SSC in connection with its performance under this Agreement are and at all times shall remain vested in QPA, or its licensors.
Modified
p. 35
A.6.2 General Restrictions (a) Each party (the "Receiving Party") agrees that all Confidential Information received from the other party (the "Disclosing Party") shall: (i) be treated as confidential; (ii) be disclosed only to those Members, officers, employees, legal advisers, accountants, representatives and agents of the Receiving Party who have a need to know and be used solely as required in connection with (A) the performance of this Agreement and/or (B) the operation of such party's or its Members’ respective payment …
Modified
p. 35
(b) Except with regard to Personal Information, such confidentiality obligation shall not apply to information which: (i) is in the public domain or is publicly available or becomes publicly available otherwise than through a breach of this Agreement; (ii) has been lawfully obtained by the Receiving Party from a third party; (iii) is known to the Receiving Party prior to disclosure by the Disclosing Party without confidentiality restriction; or (iv) is independently developed by a member of the Receiving Party's …
Removed
p. 36
disclosure by PCI SSC and its Participating Payment Brands. As between any Member, on the one hand, and QPA or any QPA Company client, on the other hand, the confidentiality of PIN ROCs and any other information provided to Members by QPA or any QPA Company client is outside the scope of this Agreement and may be subject to such confidentiality arrangements as may be established from time to time between such Member, on the one hand, and QPA or such QPA Company client (as applicable), on the other hand.
Modified
p. 36
A.6.4 Personal Information In the event that QPA receives Personal Information from PCI SSC or any Member or QPA Company client in the course of providing Services or otherwise in connection with this Agreement, in addition to the obligations set forth elsewhere in this Agreement, QPA will at all times during the Term (as defined in Section A.9.1) maintain such data protection handling practices as may be required by PCI SSC from time to time, including without limitation, as a …
A.6.4 Personal Information In the event that QPA receives Personal Information from PCI SSC or any Member or QPA Company client in the course of providing Services or otherwise in connection with this Agreement, in addition to the obligations set forth elsewhere in this Agreement, QPA will at all times during the Term (as defined in Section A.9.1) maintain such data protection handling practices as may be required by PCI SSC from time to time, including without limitation, as a …
Modified
p. 36 → 37
A.6.5 Return Within fourteen (14) days after notice of termination of this Agreement or demand by PCI SSC, QPA promptly shall return to PCI SSC all property and Confidential Information of PCI SSC and of all third parties to the extent provided or made available by PCI SSC; provided, however, that QPA may retain copies of Confidential Information of PCI SSC to the extent the same were, prior to such notice of termination or demand, either automatically generated archival copies …
A.6.5 Return Within fourteen (14) days after notice of termination of this Agreement or demand by PCI SSC, QPA promptly shall return to PCI SSC all property and Confidential Information of PCI SSC and of all third parties to the extent provided or made available by PCI SSC; provided, however, that QPA may retain copies of Confidential Information of PCI SSC to the extent the same were, prior to such notice of termination or demand, either automatically generated archival copies …
Modified
p. 37
A.6.6 Remedies In the event of a breach of Section A.6.2 by the Receiving Party, the Receiving Party acknowledges that the Disclosing Party will likely suffer irreparable damage that cannot be fully remedied by monetary damages. Therefore, in addition to any remedy that the Disclosing Party may possess pursuant to applicable law, the Disclosing Party retains the right to seek and obtain injunctive relief against any such breach in any court of competent jurisdiction. In the event any such breach …
Modified
p. 37
A.7 Indemnification and Limitation of Liability A.7.1 Indemnification QPA shall defend, indemnify, and hold harmless PCI SSC and its Members, and their respective subsidiaries, and all affiliates, subsidiaries, directors, officers, employees, agents, representatives, independent contractors, attorneys, successors, and assigns of any of the foregoing (collectively, including without limitation, PCI SSC and its Members, "Indemnified Parties") from and against any and all claims, losses, liabilities, damages, suits, actions, government proceedings, taxes, penalties or interest, associated auditing and legal expenses and other …
Modified
p. 37 → 38
A.7.2 Indemnification Procedure QPA's indemnity obligations are contingent on the Indemnified Party's providing notice of the claim or liability to QPA, provided that the failure to provide any such notice shall not relieve QPA of such indemnity obligations except and to the extent such failure has materially and adversely affected QPA's ability to defend against such claim or liability. Upon receipt of such notice, QPA will be entitled to control, and will assume full responsibility for, the defense of such …
Removed
p. 38
January 2019
investigation, trial and defense and any appeal arising therefrom or assume the defense of any Indemnified Party. In any event, PCI SSC and/or its Members will each have the right to approve counsel engaged by QPA to represent any Indemnified Party affiliated therewith, which approval shall not be unreasonably withheld. QPA will not enter into any settlement of a claim that imposes any obligation or liability on PCI SSC or any other Indemnified Party without the express prior written consent of PCI SSC or such Indemnified Party, as applicable.
Modified
p. 38
(b) PCI SSC MAKES NO REPRESENTATION OR WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH RESPECT TO THE SUBJECT MATTER OF THIS AGREEMENT, INCLUDING WITHOUT LIMITATION, ANY PCI SSC PROGRAM, THE PCI MATERIALS OR ANY MATERIALS OR SERVICES PROVIDED UNDER OR IN CONNECTION WITH THIS AGREEMENT OR ANY PCI SSC PROGRAM. PCI SSC SPECIFICALLY DISCLAIMS, AND QPA EXPRESSLY WAIVES, ALL REPRESENTATIONS AND WARRANTIES WITH RESPECT TO THIS AGREEMENT, EACH PCI SSC PROGRAM, THE PCI MATERIALS, ANY MATERIALS OR SERVICES PROVIDED …
Modified
p. 38 → 39
(c) In particular, without limiting the foregoing, QPA acknowledges and agrees that the accuracy, completeness, sequence or timeliness of the PCI Materials or any portion thereof cannot be guaranteed. In addition, PCI SSC makes no representation or warranty whatsoever, expressed or implied, and assumes no liability, and shall not be liable in any respect to QPA regarding (i) any delay or loss of use of any of the PCI Materials, or (ii) system performance and effects on or damages to …
(c) In particular, without limiting the foregoing, QPA acknowledges and agrees that the accuracy, completeness, sequence, or timeliness of the PCI Materials or any portion thereof cannot be guaranteed. In addition, PCI SSC makes no representation or warranty whatsoever, expressed or implied, and assumes no liability, and shall not be liable in any respect to QPA regarding: (i) any delay or loss of use of any of the PCI Materials; or (ii) system performance and effects on or damages to …
Modified
p. 39
(d) EXCEPT FOR DAMAGES CAUSED BY THE GROSS NEGLIGENCE OR WILLFUL MISCONDUCT OF A PARTY, AND EXCEPT FOR THE OBLIGATIONS OF QPA UNDER SECTIONS A.5 OR A.6, IN NO EVENT SHALL EITHER PARTY OR ANY MEMBER BE LIABLE TO THE OTHER FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT, OR SPECIAL DAMAGES, HOWEVER CAUSED, WHETHER UNDER THEORY OF CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY DOES …
Modified
p. 39
(f) Except as otherwise expressly provided in this Agreement, neither PCI SSC nor any Participating Payment Brand shall be liable vis-à-vis QPA for any other damage incurred by QPA under this Agreement or in connection with any PCI SSC Program, including but not limited to, loss of business, revenue, goodwill, anticipated savings or other commercial or economic loss of any kind arising in any way out of the use of any PCI SSC Program (regardless of whether such damages are …
(f) Except as otherwise expressly provided in this Agreement, neither PCI SSC nor any Participating Payment Brand shall be liable vis-à-vis QPA for any other damage incurred by QPA under this Agreement or in connection with any PCI SSC Program, including but not limited to, loss of business, revenue, goodwill, anticipated savings, or other commercial or economic loss of any kind arising in any way out of the use of any PCI SSC Program (regardless of whether such damages are …
Modified
p. 39
A.7.4 Insurance At all times while this Agreement is in effect, QPA shall maintain insurance in such amounts, with such insurers, coverages, exclusions and deductibles which, at a minimum, meet the applicable insurance requirements for companies participating in each of the PCI SSC Programs in which QPA is a participant. QPA acknowledges and agrees that if it is a non-U.S. and non-European Union QPA Company, unless otherwise expressly agreed by PCI SSC in writing, at all times while this Agreement …
A.7.4 Insurance At all times while this Agreement is in effect, QPA shall maintain insurance in such amounts, with such insurers, coverages, exclusions, and deductibles which, at a minimum, meet the applicable insurance requirements for companies participating in each of the PCI SSC Programs in which QPA is a participant. QPA acknowledges and agrees that if it is a non-U.S. and non-European Union QPA Company, unless otherwise expressly agreed by PCI SSC in writing, at all times while this Agreement …
Modified
p. 40
A.9 Term and Termination A.9.1 Term This Agreement shall commence as of the Effective Date and, unless earlier terminated in accordance with this Section A.9, continue for an initial term of one (1) year (the "Initial Term") and thereafter, for additional subsequent terms of one year (each a "Renewal Term" and together with the Initial Term, the "Term"), subject to QPA's successful completion of all applicable re-qualification requirements for each Renewal Term.
Modified
p. 40
A.9.2 Termination by QPA QPA may terminate this Agreement at any time upon thirty (30) days’ written notice to PCI SSC. Notwithstanding Section A.10.1 below, any notice or other written communication (including by electronic mail) from QPA pursuant to which or to the effect that QPA requests, notifies, elects, opts, chooses, decides or otherwise indicates its desire to cease participation in the QPA Program, be removed from the QPA List or terminate this Agreement shall be deemed to constitute notice …
A.9.2 Termination by QPA QPA may terminate this Agreement at any time upon thirty (30) days’ written notice to PCI SSC. Notwithstanding Section A.10.1 below, any notice or other written communication (including by electronic mail) from QPA pursuant to which or to the effect that QPA requests, notifies, elects, opts, chooses, decides, or otherwise indicates its desire to cease participation in the QPA Program, be removed from the QPA List, or terminate this Agreement shall be deemed to constitute notice …
Modified
p. 42
PCI SSC may establish from time to time for the QPA Program, PCI SSC will review all relevant evidence submitted by QPA and each complainant (if any) in connection therewith, and PCI SSC shall determine whether termination of QPA Program Qualification is warranted or, in the alternative, no action, or specified remedial actions shall be required. All determinations of PCI SSC regarding Revocation and any related termination or appeals shall be final and binding upon QPA. If PCI SSC …
(c) All Revocation appeal proceedings will be conducted in accordance with such procedures as PCI SSC may establish from time to time for the QPA Program. PCI SSC will review all relevant evidence submitted by QPA and each complainant (if any) in connection therewith, and PCI SSC shall determine whether termination of QPA Program Qualification is warranted or, in the alternative, no action, or specified remedial actions shall be required. All determinations of PCI SSC regarding Revocation and any …
Modified
p. 43
A.10.2 Audit and Financial Statements (a) QPA shall allow PCI SSC or its designated agents access during normal business hours throughout the Term and for six (6) months thereafter to perform audits of QPA's facilities, operations and records of Services to determine whether QPA has complied with this Agreement. QPA also shall provide PCI SSC or its designated agents during normal business hours with books, records and supporting documentation adequate to evaluate QPA's performance hereunder. Upon request, QPA shall provide …
A.10.2 Audit and Financial Statements (a) QPA shall allow PCI SSC or its designated agents access during normal business hours throughout the Term and for six (6) months thereafter to perform audits of QPA's facilities, operations and records of Services to determine whether QPA has complied with this Agreement. QPA also shall provide PCI SSC or its designated agents during normal business hours with books, records, and supporting documentation adequate to evaluate QPA's performance hereunder. Upon request, QPA shall provide …
Modified
p. 43
(b) Notwithstanding anything to the contrary in Section A.6 of this Agreement, in order to assist in ensuring the reliability and accuracy of QPA's PCI PIN Assessments, QPA hereby agrees to comply with all quality assurance procedures and requirements established or imposed by PCI SSC from time to time in connection with the QPA Program (including but not limited to conditions and requirements imposed in connection with remediation, revocation or any other Qualification status) and that, within 15 days of …
Modified
p. 44
A.10.3 Governing Law; Severability Any dispute in any way arising out of or in connection with the interpretation or performance of this Agreement, which cannot be amicably settled within thirty (30) days of the written notice of the dispute given to the other party by exercising the best efforts and good faith of the parties, shall be finally settled by the courts of Delaware (United States of America) in accordance with Delaware law without resort to its conflict of laws …
A.10.3 Governing Law; Severability Any dispute in any way arising out of or in connection with the interpretation or performance of this Agreement, which cannot be amicably settled within thirty (30) days of the written notice of the dispute given to the other party by exercising the best efforts and good faith of the parties, shall be finally settled by the courts of Delaware (United States of America) in accordance with Delaware law without resort to its conflict-of-laws provisions. Each …
Modified
p. 44
A.10.4 Entire Agreement; Modification; Waivers The parties agree that this Agreement, including the QPA Qualification Requirements and any other documents, addenda, supplements, amendments, appendices, exhibits, schedules or other materials incorporated herein by reference (each of which is hereby incorporated into and made a part of this Agreement by this reference), is the exclusive statement of the agreement between the parties with respect to the subject matter hereof, which supersedes and merges all prior proposals, understandings and all other agreements, oral …
A.10.4 Entire Agreement; Modification; Waivers The parties agree that this Agreement, including the QPA Qualification Requirements and any other documents, addenda, supplements, amendments, appendices, exhibits, schedules, or other materials incorporated herein by reference (each of which is hereby incorporated into and made a part of this Agreement by this reference), is the exclusive statement of the agreement between the parties with respect to the subject matter hereof, which supersedes and merges all prior proposals, understandings, and all other agreements, oral …
Removed
p. 45
upon thirty (30) days’ written notice to QPA, provided, however, that if QPA does not agree with such unilateral modification, alteration or amendment, QPA shall have the right, exercisable at any time within the aforementioned thirty (30) day period, to terminate this Agreement upon written notice of its intention to so terminate to PCI SSC. Any such unilateral modification, alteration or amendment will be effective as of the end of such 30-day period unless the Agreement is earlier terminated by QPA pursuant to the preceding sentence. The waiver or failure of either party to exercise in any respect any right provided for in this Agreement shall not be deemed a waiver of any further right under this Agreement.
[remainder of page intentionally left blank]
Modified
p. 46 → 45
A.10.10 No Third-Party Beneficiaries Except as expressly provided herein, the provisions of this Agreement are for the benefit of the parties hereto only, no third-party beneficiaries are intended, and no third party may seek to enforce or benefit from the provisions hereof.
Removed
p. 47
• WORKERS’ COMPENSATION: Statutory Workers Compensation as required by applicable law and
• EMPLOYER’S LIABILITY with a limit of $1,000,000
Modified
p. 47 → 46
WORKERS’ COMPENSATION: Statutory Workers Compensation as required by applicable law and EMPLOYER’S LIABILITY with a limit of $1,000,000 COMMERCIAL GENERAL LIABILITY INSURANCE including PRODUCTS, COMPLETED OPERATIONS, ADVERTISING INJURY, PERSONAL INJURY, and CONTRACTUAL LIABILITY INSURANCE with the following minimum limits for Bodily Injury and Property Damage on an Occurrence basis: $1,000,000 per occurrence and $2,000,000 annual aggregate. PCI SSC to be added as “Additional Insured.” The policy Coverage Territory must include the entire Region(s) in which the QPA …
Modified
p. 47 → 46
COMMERCIAL AUTOMOBILE INSURANCE including owned, leased, hired, or non-owned autos subject to minimum limits of $1,000,000 per accident.
Modified
p. 47 → 46
CRIME/FIDELITY BOND including first-party employee dishonesty, robbery, fraud, theft, forgery, alteration, mysterious disappearance, and destruction. Coverage must also include third-party employee dishonesty, i.e., coverage for claims made by the QPA Company’s client against the QPA Company for theft committed by the QPA Company’s employees. The minimum limit shall be $1,000,000 each loss and annual aggregate. The policy Coverage Territory must include the entire Region(s) in which the QPA Company is qualified to operate.
Modified
p. 47 → 46
TECHNOLOGY ERRORS & OMISSIONS, CYBER-RISK and PRIVACY LIABILITY INSURANCE covering liabilities for financial loss resulting or arising from acts, errors, or omissions in rendering computer or information technology Services, or from data damage/destruction/corruption, including without limitation, failure to protect privacy, unauthorized access, unauthorized use, virus transmission, denial of service, and loss of income from network security failures in connection with the Services provided under this agreement with a minimum limit of two million dollars ($2,000,000) each claim and annual …
Modified
p. 47 → 46
If any of the above insurance is written on a claims-made basis, then Security Assessor shall maintain such insurance for five (5) years after the termination of this agreement. The limits shown in the appendix may be written in other currencies, but should be the equivalent of the limits in US dollars shown here.
If any of the above insurance is written on a claims-made basis, then Security Assessor shall maintain such insurance for five (5) years after the termination of this agreement. The limits shown in the appendix may be written in other currencies but should be the equivalent of the limits in US dollars shown here.
Modified
p. 47 → 46
Without limiting Security Assessor’s indemnification duties as outlined in the Indemnification Section herein, PCI SSC shall be named as an additional insured under the Commercial General Liability for any claims and losses arising out of, allegedly arising out of or in any way connected to the Security Assessor’s performance of the Services under this agreement. The insurers shall agree that the Security Assessor’s insurance is primary and any insurance maintained by PCI SSC shall be excess and non-contributing to …
Without limiting Security Assessor’s indemnification duties as outlined in the Indemnification Section herein, PCI SSC shall be named as an additional insured under the Commercial General Liability for any claims and losses arising out of, allegedly arising out of, or in any way connected to the Security Assessor’s performance of the Services under this agreement. The insurers shall agree that the Security Assessor’s insurance is primary and any insurance maintained by PCI SSC shall be excess and non-contributing to …
Modified
p. 49 → 48
• Section 1 Company Name:
The Company certifies it is currently a PCI QSA Company in good standing. (“Exempt from” items are indicated by footnote “1” as part of initial QPA Company Application process) Applicant QPA Company (the “Company”) Information
• Section 1 Company Name:
Modified
p. 49 → 48
The Company acknowledges and agrees that in order to participate as a QPA Company in the QPA Program, it must satisfy all of the requirements specified in the QPA Qualification Requirements and supporting documents
The Company acknowledges and agrees that in order to participate as a QPA Company in the QPA Program, it must satisfy all of the requirements specified in the QPA Qualification Requirements and supporting documents.
Modified
p. 50 → 49
The Company certifies that it is providing to PCI SSC herewith a copy of its current formation document or equivalent (the “Business License”). (Refer to the Documents Library on the Website
• Business License Requirements for more information.) 1 Year of incorporation/formation of Company:
The Company certifies that it is providing to PCI SSC herewith a copy of its current formation document or equivalent (the “Business License”). (Refer to the Documents Library on the Website
• PCI SSC Business License Requirements for more information.) 1 Year of incorporation/formation of Company:
Removed
p. 51
QPA Company Business Requirements
• Section 2 (continued) Independence
• 2.2.2 Provisions (continued) The Company hereby:
• Agrees to maintain and adhere to a code-of-conduct policy and provide the policy to PCI SSC upon request.
• Agrees not to undertake to perform any PCI PIN Assessment of any entity that it controls, is controlled by, is under common control with, or in which it holds any investment.
• Agrees that it has not and will not have offered or provided (and has not and will not have been offered or received) to (or from) any employee of PCI SSC or any customer, any gift, gratuity, service, or other inducement (other than compensation in an arm’s-length transaction), in order to enter into the QPA Agreement or any agreement with a customer, or to provide QPA-related services.
• Agrees not to use its status as a “listed QPA” to market services unnecessary to bring clients …
Modified
p. 51 → 50
Agrees to maintain and adhere to professional and business ethics, perform its duties with objectivity, and limit sources of influence that might compromise its independent judgment in performing PCI PIN Assessments. Agrees to maintain and adhere to a code-of-conduct policy and provide the policy to PCI SSC upon request.
Modified
p. 51 → 50
Agrees to adhere to all independence requirements as established by PCI SSC, including without limitation, all items listed in Section 2.2.1 of the QPA Qualification Requirements.
Modified
p. 51 → 50
Agrees not to undertake to perform any PCI PIN Assessment of any entity that it controls, is controlled by, is under common control with, or in which it holds any investment. Agrees that it has not and will not have offered or provided (and has not and will not have been offered or received) to (or from) any employee of PCI SSC or any customer, any gift, gratuity, service, or other inducement (other than compensation in an arm’s-length …
Modified
p. 51 → 50
Agrees that when any of its QPA Employees recommends remediation actions that include any solution or product of the Company, the QPA Employee will also recommend other existing market options.
Modified
p. 51 → 50
Agrees that the Company has and will maintain separation of duties controls in place to ensure that its QPA Employees conducting PCI PIN Assessments are independent and not subject to any conflict of interest.
Modified
p. 51 → 50
Agrees that its QPA Employees will be employed by only one QPA Company at any given time. Agrees not to use its status as a “listed QPA” to market services unnecessary to bring clients into compliance with the PCI PIN Standard.
Modified
p. 51 → 50
Agrees not to misrepresent any requirement of the PCI PIN Standard in connection with its promotion or sales of services to clients, and not to state or imply that the PCI PIN Standard requires usage of any of the Company’s products or services.
Modified
p. 51 → 50
Insurance Coverage
• 2.3.2 Provisions The Company agrees that at all times while its QPA Agreement is in effect, Company will maintain sufficient insurance, insurers, coverage, exclusions, and deductibles that PCI SSC reasonably requests to adequately insure the Company for its obligations and liabilities under the QPA Agreement, including without limitation the Company's indemnification obligations.
Insurance Coverage
• 2.3.2 Provisions The Company agrees that while its QPA Agreement is in effect, Company will maintain sufficient insurance, insurers, coverage, exclusions, and deductibles that PCI SSC reasonably requests to adequately insure the Company for its obligations and liabilities under the QPA Agreement, including without limitation the Company's indemnification obligations.
Modified
p. 52 → 51
A copy of the Company’s bound insurance coverage is attached to this application.1 Fees
• 2.4.1 Requirements The Company acknowledges that it will be charged an application processing fee, a QPA Company fee and annual fees for each QPA’s PCI SSC training.
A copy of the Company’s bound insurance coverage is attached to this application.1 Fees
• 2.4.1 Requirements The Company acknowledges that it will be charged an application processing fee, a QPA Company fee, and annual fees for each QPA’s PCI SSC training.
Removed
p. 53
QPA Capability Requirements
• Section 3 QPA Company Skills and Experience
• 3.1.2 Provisions 3.1 QPA Company Services and Experience
Total time: Years Months Knowledge of Hardware Security Modules (HSMs) operations, policies, and procedures:
Modified
p. 53 → 52
Describe the company's knowledge and expertise of cryptographic techniques and the Company's role (e.g., implementation, developer, management, etc.). For example, the types of cryptography, such as hashing, symmetric, asymmetric; the algorithms, such as AES, TDES, RSA, Diffie-Hellman, elliptic curve, key management implementations or assessments including descriptions of how keys are stored, access privileges, expected incident response when/if keys were compromised; and lifecycle management (rotation, destruction, revocation).
Describe the company's knowledge and expertise of cryptographic techniques and the Company's role (e.g., implementation, developer, management, etc.). For example, the types of cryptography, such as hashing, symmetric, asymmetric; the algorithms, such as AES, TDES, RSA, Diffie-Hellman, elliptic curve, key-management implementations or assessments including descriptions of how keys are stored, access privileges, expected incident response when/if keys were compromised; and lifecycle management (rotation, destruction, revocation).
Modified
p. 53 → 52
Describe the Company's expertise and direct responsibility for implementing, operating, and/or assessing cryptographic systems and/or key management functions. For example, implementing and managing key-management functions, or performing lab evaluations of cryptographic systems against NIST, ANSI, or ISO standards.
Describe the Company's expertise and direct responsibility for implementing, operating, and/or assessing cryptographic systems and/or key management functions. For example, implementing and managing key-management functions, or performing lab evaluations of cryptographic systems against NIST, ANSI, or ISO standards.
Modified
p. 54 → 53
• Section 3 (continued)
Total time: Years Months Knowledge of POI key-injection systems and techniques including Key Loading Devices (KLDs) and key management methods, such as "Master/Session Key," "DUKPT":
Modified
p. 54 → 53
Total time: Years Months Company acknowledgements The Company acknowledges and agrees that all of the above skill sets will be present and fully utilized on every
Total time: Years Months Company acknowledgements The Company acknowledges and agrees that all of the above skill sets will be present and fully utilized on every PCI PIN Assessment.
Modified
p. 54 → 53
The Company acknowledges and agrees that it must fulfill all QPA Qualification Requirements, all QPA Company Requirements, and comply with all terms and provisions of the QPA Agreement, any other agreements executed with PCI SSC, and all other applicable policies and requirements of the QPA Program, as mandated or imposed by PCI SSC from time to time, including but not limited to all requirements in connection with PCI SSC's quality assurance initiatives, remediation, and revocation.
The Company acknowledges and agrees that it must fulfill all QPA Qualification Requirements, all QPA Company Requirements, and comply with all terms and provisions of the QPA Agreement, any other agreements executed with PCI SSC, and all other applicable policies and requirements of the QPA Program, as mandated or imposed by PCI SSC from time to time, including but not limited to all requirements in connection with PCI SSC's quality assurance initiatives, remediation, and revocation.
Modified
p. 55 → 54
Describe any additional evidence of a dedicated security practice within the Company 1:
Describe any additional evidence of a dedicated security practice within the Company1:
Modified
p. 56 → 55
Verification of aliases (when applicable) Reviewing records of any criminal activity, such as felony (or non-US equivalent) convictions or outstanding warrants Annually review records of any criminal activity, such as felony (or non-US equivalent) convictions or outstanding warrants Minor offenses (for example, misdemeanors or non-US equivalents) are allowed, but major offenses (for example, felonies or non-US equivalents) automatically disqualify an employee from serving as a QPA Employee The Company understands and agrees that, upon request, it must provide to …
Verification of aliases (when applicable) Reviewing records of any criminal activity, such as felony (or non-US equivalent) convictions or outstanding warrants Annually review records of any criminal activity, such as felony (or non-US equivalent) convictions or outstanding warrants Minor offenses (for example, misdemeanors or non-US equivalents) are allowed, but major offenses (for example, felonies or non-US equivalents) automatically disqualify an employee from serving as a QPA Employee The Company understands and agrees that, upon request, it must provide to PCI …
Modified
p. 56 → 55
• 4.3.2 Provisions
The Company acknowledges and agrees that it must adhere to all quality assurance requirements described in the QPA Qualification Requirements and supporting documentation, must have a quality assurance program, documented in its Quality Assurance manual, and must maintain and adhere to a documented quality assurance process and manual that includes all items described in Section 4.3.1 of the QPA Qualification Requirements.
Modified
p. 56 → 55
The Company acknowledges and agrees that its internal quality assurance reviews must be performed by qualified personnel and must cover assessment procedures performed, supporting documentation, information documented in the PIN ROC related to the appropriate selection of system components, sampling procedures, compensating controls, remediation recommendations, proper use of payment definitions, consistent findings, and thorough documentation of results.
The Company acknowledges and agrees that its internal quality assurance reviews must be performed by qualified personnel (independent of the assessing and/or authoring QPA Employee) and must cover assessment procedures performed, supporting documentation, information documented in the PIN ROC related to the appropriate selection of system components, sampling procedures, compensating controls, remediation recommendations, proper use of payment definitions, consistent findings, and thorough documentation of results.
Removed
p. 57
QPA Administrative Requirements
• Section 4 (continued) The Company acknowledges and agrees that as a QPA Company, it must at its sole cost and expense:
Modified
p. 57 → 56
Conduct all PCI PIN Security Assessments on-site at the applicable client’s facilities.
Conduct all PCI PIN Security Assessments on-site at the applicable client’s facilities or remotely according to the PCI SSC Remote Assessment Guidelines.
Modified
p. 57 → 56
The Company agrees to provide PCI SSC a blank copy of the confidentiality agreement that it requires each QPA to sign (include a blank copy of such confidentiality agreement with this application)1.
The Company agrees to provide PCI SSC a blank copy of the confidentiality agreement that it requires each QPA to sign (include a blank copy of such confidentiality agreement with this application).1.
Removed
p. 59
January 2019 Appendix D: QPA Employee Application For each individual applying for qualification as a QPA Employee (each a “Candidate”), the QPA Company or applicant QPA Company employing such individual (the “Company”) must submit to PCI SSC a copy of this QPA Employee Application, completed and executed by such Candidate.
The applicant is an existing PIN Assessor for a Participating Payment Brand or an assessor with Network Security Compliance for PIN and key management training with a current TR39 CTGA certification and
• Have performed technical PIN assessments against PCI PIN Security Requirements on external entities in the last two (2) years.
• Are employed by a QPA Company.
(If yes, this applicant will be exempt from Sections 3.2.1.1. of the QPA Qualifications Requirements until March 1, 2021. Please complete this form for information purposes only) QPA Employee Skills, Experience and Education Provide examples of work or a description of the Candidate's experience …
Modified
p. 59 → 58
Examples of work or description of the Candidate's experience with cryptography:
Examples of work or description of the Candidate's experience with cryptography: Describe the types of cryptography the Candidate has used, such as hashing, symmetric, asymmetric, and algorithms used such as AES, TDES, RSA, Diffie-Hellman, elliptic curve.
Modified
p. 59 → 58
From (date): To (date): Total time: Years Months Examples of work or description of the Candidate's experience with key management:
From (date): To (date): Total time: Years Months Provide examples of work or a description of the Candidate's knowledge and experience with cryptography and key management with a minimum of three years of the following disciplines:
Modified
p. 59 → 58
Describe the Candidate's knowledge of implementing key management, for example, key storage, access control, incident response in the event of compromise, and lifecycle management (rotation, destruction, revocation).
From (date): To (date): Total time: Years Months Examples of work or description of the Candidate's experience with key management: Describe the Candidate's knowledge of implementing key management, for example, key storage, access control, incident response in the event of compromise, and lifecycle management (rotation, destruction, revocation).
Removed
p. 60
January 2019 QPA Employee Skills, Experience and Education Provide examples of work or a description of the Candidate's knowledge and experience with cryptography and key management with a minimum of three years of the following disciplines:
Modified
p. 60 → 59
From (date): To (date): Total time: Years Months
From (date): To (date): Total time: Years Months Candidate Professional Certifications (check all that apply):
Modified
p. 61 → 60
(a) The information provided above is true, accurate and complete; (b) I have read and understand the QPA Qualification Requirements and will comply with the terms thereof; and (c) I have read and understand the PCI SSC Code of Professional Responsibility, and will advocate, continuously adhere to and support the terms and provisions thereof.
(a) The information provided above is true, accurate, and complete; (b) I have read and understand the QPA Qualification Requirements and will comply with the terms thereof; and (c) I have read and understand the PCI SSC Code of Professional Responsibility, and will advocate, continuously adhere to, and support the terms and provisions thereof.