Document Comparison

PFI_Qualification_Requirements_v3.2.pdf PFI_Qualification_Requirements_v3.4.pdf
84% similar
37 → 41 Pages
13201 → 14153 Words
63 Content Changes

From Revision History

  • November 2012 2.0 Amendments to support remote forensic investigations and minor administrative revisions.

Content Changes

63 content changes. 49 administrative changes (dates, page numbers) hidden.

Added p. 2
Enhanced Independence requirements.

Updated PFI Company/Employee application process to use online portal.

Enhanced section 4.2 Background Checks.

Clarified that PFI candidate applications must be completed within 12 months.

July 2021 3.3 Added requirement for applicant/candidate PFI Companies to meet with each payment brand as part of the Qualification Review process.

Updated section 3.1.1 to note that after October 28, 2022, a Secure Software Assessor is required to meet the requirement.

June 2024 3.4 Simplified Section 2.3 Independence Requirements.

Added bullet to section 4.6.1 to help clarify where and how PFIs should amend a report if the Payment Brand requests changes.

Updated section 3.1.1 to replace PA-QSA requirement (PA-QSA program closed Oct 2022) with Secure Software Assessor.

Added guidance to section 3.2.1 to help clarify what the PFI must do if EUI fails to cooperate or provide technical support during the investigation.

Added examples to help clarify “or equivalent industry-recognized certifications.” Added checkbox for Subcontractor List in Appendix A, PFI Application …
Added p. 8
Company Independence PFI Companies and PFI Employees must ensure that no person or entity engages in any activity or conduct (including but not limited to entering into any contract or undertaking) that may directly or indirectly influence, impair, undermine or compromise the independence or integrity of any PFI Investigation.
Added p. 9
Without limiting the foregoing, PFI Companies must not be involved in a given PFI Investigation where they have either a) been involved with the performance of QSA Assessments resulting in a ROC, AOC or SAQ for the Entity Under Investigation, or b) they have previously provided changes to the Entity Under Investigation's environment.1

Investigator Independence Each PFI Employee shall, and the PFI Company shall ensure that, such PFI Employee performs all PFI Investigations:

• Free from external influence, pressure and/or conflicts of interests.

• In accordance with Section 2.3.1 above.
Added p. 12
• Ensure that a Secure Software Assessor (defined in the PCI Software Security Framework - Qualification Requirements for Assessors) that is in Good Standing as such is available to be assigned to each PFI Investigation, if needed.
Added p. 15
• Provide the affected Participating Payment Brands, Entity Under Investigation and their sponsoring financial institution (if applicable) regular updates via all party calls and/or update emails on the status of a PFI Investigation. If the Entity Under Investigation fails to provide the PFI Company thorough logistical and technical support to facilitate timely completion of the PFI Investigation, the PFI Company must immediately inform the affected Participating Payment Brands and the sponsoring financial institution (if applicable).
Added p. 16
• Industry-recognized active incident response certification - examples include but are not limited to SANS GIAC Certified Incident Handler (GCIH), GIAC Certified Forensics Analyst (GCFA), IACIS Certified Forensic Computer Examiner (CFCE), OpenText EnCase Certified Examiner (EnCE), EC-Council Computer Hacking Forensic Investigator (CHFI) - or a minimum three (3) years of forensic investigation/incident handling experience.

• Only PFI Employees who satisfy the above requirements are authorized to perform, manage or otherwise be involved with any technical aspects of any PFI Investigation.

• Approved Subcontractors are not permitted to include, and no PFI Company shall permit any of its Subcontractors to include any company logo or reference to a company other than the responsible PFI Company, in any PFI report or other materials in connection with work performed as a Subcontractor for the PFI.

• Upon reasonable request of PCI SSC, each PFI Employee may be required (and agrees) to demonstrate the aforementioned skills (and …
Added p. 22
• Accurately reflect, include and are based solely upon the factual evidence as gathered, discovered and determined to be relevant to the PFI Investigation by the PFI Company in its sole discretion during the course of that PFI Investigation

• Reflect the independent judgments, findings and conclusions of the PFI Company and its PFI Employees only, acting in their sole discretion; and

• Were not in any manner influenced, directed, controlled, modified, provided or subjected to any prior approval by the subject Entity Under Investigation, any contractor, representative, professional advisor, agent or affiliate thereof, or any other person or entity other than the PFI Company and its PFI Employees.
Added p. 23
• Any information that is requested to be added to the Final PFI Report by the affected Payment Brands should be noted in the revision log by the PFI Employee (rather than modifying the PFI Employee’s findings in the body of the report) unless the information requested to be added is incorrect or unsupported by information collected during the PFI Investigation.
Added p. 25
Subcontractor List If applicable, a list of all Subcontractors that the PFI Company reasonably anticipates engaging or subcontracting to assist the PFI Company in the performance of its PFI Investigations. Note: all Subcontractors must be PFI Companies in Good Standing with PCI SSC.
Added p. 29
D. SMEs and Subcontractors. Notwithstanding anything to the contrary in the Agreement, Company may engage appropriate third-party subject matter experts (SMEs) and Subcontractors to assist Company in connection with its performance of specific aspects of a PFI Investigations where necessary, subject to the following terms:
Added p. 30
2. SMEs. Subject to and without limiting Section 3(D)(1) above, Company may engage with SMEs at its discretion and without the consent of PCI SSC; provided, however, that Company shall not use any SME in connection with a given PFI Investigation where the SME would have authority or the ability to access, impact, or cause any change to the payment environment or chain of evidence or custody associated with the applicable Entity Under Investigation or PFI Investigation.

3. Subcontractors. Company shall only use Subcontractors in connection with a given PFI Investigation as follows: (a) such use shall comply with Section 3(D)(1) above; (b) Company may not use any Subcontractor without first obtaining the written consent of PCI SSC pursuant to a corresponding PFI Subcontractor Utilization Agreement signed by PCI SSC; (c) Company shall promptly notify PCI SSC of each such anticipated engagement via electronic mail to pfi@pcisecuritystandards.org and shall promptly notify …
Added p. 39
Secure Software Assessor An individual who is employed by an SSF Assessor Company and satisfies and continues to satisfy all SSF Requirements applicable to individuals who are qualified by PCI SSC to conduct Secure Software Assessments.

Software Security Framework (SSF) A collection of software security standards and associated validation and listing programs developed, maintained and operated by PCI SSC, for the secure design, development and maintenance of payment software.

Software Security Framework (SSF) Assessor Company An independent security organization qualified by PCI SSC to validate the compliance of an entity or its payment software against one or more applicable SSF Standards Subcontractor With respect to a given PFI Company (the Prime PFI Company), a separate company that (a) is in good standing as a PFI Company and (b) is engaged by the Prime PFI Company to assist in the performance of PFI Investigations by the Prime PFI Company, pursuant to a PFI …
Added p. 40
• under any circumstances

• evaluate their own work or that of their colleagues in their own organization.

Any independence concerns and conflicts of interest (perceived or actual) should be discussed with the affected Payment Brands as early as possible to help avoid disruptions or potential violations later in the investigation.

1. The following is a non-exhaustive list of specific situations that are likely, on their own (and regardless of surrounding facts and circumstances), to constitute violations of the independence requirements of Section 2.3

• The PFI Company provides PCI Assessment services that result in a ROC, AOV or SAQ (e.g., PCI DSS QSA, PCI QPA, PCI CPSA, etc.) and has performed such assessments for the same client during the year in which the data breach is suspected to have occurred or otherwise in any of the three years prior to such investigation.

• The PFI Company has provided security consulting or PCI Standards …
Added p. 41
2. The following is a non-exhaustive list of specific situations that are unlikely, on their own (and depending on surrounding facts and circumstances), to constitute violations of the independence requirements of Section 2.3:

• The PFI Company has signed a retainer agreement with the same client to conduct investigations (PFI or other). Retainer agreements do not automatically disqualify a PFI Company from conducting a PFI Investigation, absent other concerns (such as the situations described in Section 1 of this Appendix).

• The PFI Company is already in an entity’s environment performing incident response and such service does not result in or from separate violations of applicable independence requirements. In this situation, absent other concerns, the PFI Company and PFI Employee are likely free from a conflict of interest and would be able to convert the incident response into a PFI Investigation without violating independence.

• If applicable, the PFI Company must convert the …
Modified p. 2
November 2012 2.0 Amendments to support remote forensic investigations and minor administrative revisions
November 2012 2.0 Amendments to support remote forensic investigations and minor administrative revisions.
Modified p. 2
June 2019 3.2 Added “within 18 months” to Section 3.1.2 for the redacted report submittals when applying to be a PFI Company Enhanced section 4.2 Background Checks Clarified that PFI candidate applications must be completed within 12 months
June 2019 3.2 Added “within 18 months” to Section 3.1.2 for the redacted report submittals when applying to be a PFI Company.
Modified p. 4 → 5
The PFI Program represents a streamlining of requirements for forensic investigators, and is intended to help simplify and expedite procedures and requirements for being qualified as, and engaging with, forensic investigators.
The PFI Program represents a streamlining of requirements for forensic investigators and is intended to help simplify and expedite procedures and requirements for being qualified as, and engaging with, forensic investigators.
Modified p. 4 → 5
This document is intended for candidate and existing PFI Companies and PFI Employees, as well as Approving Organizations, and sets forth the additional requirements that must be satisfied by a given QSA Company and its employees in order to be qualified as a PFI Company, PFI Employee, Core Forensic Investigator or Lead Investigator (as applicable) under the PCI SSC PFI Program.
This document is intended for candidate and existing PFI Companies and PFI Employees, as well as Approving Organizations, and sets forth the additional requirements that must be satisfied by a given
Modified p. 4 → 5
Qualification as a PFI Company or PFI Employee requires that the company in question at all times be a PCI SSC-qualified QSA Company. Accordingly, qualification as a PFI Company will immediately and automatically terminate if the underlying QSA Company qualification is revoked, cancelled, withdrawn or terminated.
Note: Qualification as a PFI Company or PFI Employee requires that the company in question at all times be a PCI SSC-qualified QSA Company. Accordingly, qualification as a PFI Company will immediately and automatically terminate if the underlying QSA Company qualification is revoked, cancelled, withdrawn or terminated.
Modified p. 4 → 6
Interested entities must meet or exceed all applicable PFI Requirements in order to be qualified as a PFI IMPORTANT NOTE:
Interested entities must meet or exceed all applicable PFI Requirements in order to be qualified as a PFI Company or PFI Employee and maintain Good Standing as such.
Modified p. 7 → 8
PFI Companies and PFI Employees must not enter into, accept or endure any agreement,
PFI Companies and PFI Employees must ensure that no person or entity is enabled, permitted or authorized to
Modified p. 7 → 8
Note: Any agreement, relationship or restriction that materially impairs (or has the appearance of so impairing) the PFI Company’s or PFI Employee’s independence, professional judgment, integrity, objectivity, impartiality, or professional skepticism in rendering its findings, conclusions or PFI Reports, without appropriate disclosure and countervailing measures, is deemed to violate these independence requirements
Note: Any agreement, relationship or restriction that materially impairs (or has the appearance of so impairing) the PFI Company’s or PFI Employee’s independence, professional judgment, integrity, objectivity, impartiality, or professional skepticism in rendering its findings, conclusions or PFI Reports, without appropriate disclosure and countervailing measures, is deemed to violate these independence requirements.
Removed p. 8
• With respect to each PFI Investigation, the PFI Company must enter into a written agreement directly with the applicable Entity Under Investigation, which at a minimum: (a) expressly includes such terms and provisions as may be necessary, reasonable or appropriate, or otherwise required by PCI SSC for purposes of enabling the PFI Company and its PFI Employees to perform such PFI Investigation, and render and deliver all associated PFI Services, conclusions, findings and PFI Reports, in each case, in a professional, unfettered manner, without delay, and in accordance with all applicable PFI Requirements (including without limitation, the requirements specified in this Section 2.3 regarding independence, professional judgment, integrity, objectivity, impartiality and professional skepticism), and (b) establishes that such terms and provisions shall govern to the exclusion of any conflicting terms of any other provisions or agreements between or among the PFI Company, such Entity Under Investigation and/or any third …
Removed p. 9
• PFI Companies may be engaged to perform services pertaining to the anticipated investigation outside of the PFI Region(s) for which they have been qualified by PCI SSC only with prior written consent of PCI SSC for each engagement for which there may be lack of available PFI Companies in the region.
Modified p. 9 → 10
The PFI Company shall provide to the Approving Organization proof of coverage statements for all subcontractors identified on the Subcontractor List (defined in Section 3.2.1 below), demonstrating to the Approving Organization's satisfaction that all such subcontractors are covered under the PFI Company's insurance or that such subcontractors have in effect their own insurance coverage satisfying all insurance requirements of the PFI Program as they apply to PFI Companies.
The PFI Company shall provide to the Approving Organization proof of coverage statements for all Subcontractors identified on the Subcontractor List (defined in Section 3.2 below, and Appendix B), demonstrating to the Approving Organization's satisfaction that all such Subcontractors are covered under the PFI Company's insurance or that such Subcontractors have in effect their own insurance coverage satisfying all insurance requirements of the PFI Program as they apply to PFI Companies.
Modified p. 9 → 10
Note: In accordance with the QSA Qualification Requirements, the PFI Company must also provide to PCI SSC insurance proof-of-coverage statements covering all such subcontractors to demonstrate that insurance satisfying applicable insurance coverage requirements has been purchased and is maintained for all such subcontractors.
Note: In accordance with the QSA Qualification Requirements, the PFI Company must also provide to PCI SSC insurance proof-of-coverage statements covering all such Subcontractors to demonstrate that insurance satisfying applicable insurance coverage requirements has been purchased and is maintained for all such Subcontractors.
Modified p. 10 → 11
Note: All fees associated with the PFI Program are posted on the Website. All such fees are non- refundable,
Note: All fees associated with the PFI Program are posted on the Website. All such fees are non-refundable,
Removed p. 11
• Ensure that a PA-QSA Employee (defined in the QSA Qualification Requirements For Payment Application Qualified Security Assessors (PA-QSA)) that is in Good Standing as such is available to be assigned to each PFI Investigation, if needed.
Modified p. 11 → 12
• Ensure that all Lead Investigators on each PFI Investigation have completed required PFI Program training and/or information sessions within the two-year period prior to leading a given PFI Investigation (including without limitation, Participating Payment Brand-specific training such as PIN security compliance validation training).
• Ensure that all Lead Investigators on each PFI Investigation have completed required PFI Program training and/or information sessions within the two-year period prior to leading a given PFI Investigation (including without limitation, Participating Payment Brand-specific training).
Modified p. 11 → 12
• Ensure that each PFI Employee has successfully completed annual training for incident response and computer forensics professionals•such as renewal of certifications, including but not limited to: information systems audit training to support such professional certifications as CISSP, CISM, CISA, or GIAC certification (in addition to any required PCI SSC training).
• Ensure that each PFI Employee has successfully completed annual training for incident response and computer forensics professionals•such as renewal of certifications, including but not limited to information systems audit training to support such professional certifications as CISSP, CISM, CISA, or GIAC certification (in addition to any required PCI SSC training).
Modified p. 12 → 13
• Upon reasonable request of any Participating Payment Brand, attend requested conference calls with Participating Payment Brands and third parties, such as point-of- sale (POS) vendors, resellers, integrators and others, addressing issues related to payment applications and/or security practices.
• Upon reasonable request of any Participating Payment Brand, attend requested conference calls with Participating Payment Brands and third parties, such as point-of-sale (POS) vendors, resellers, integrators and others, addressing issues related to payment applications and/or security practices.
Modified p. 13 → 14
• E-commerce compromises involving web applications • Proficiency to analyze/reverse-engineer malware • Attestation that each employee of the PFI Company (or candidate) with respect to whom the PFI Company (or candidate) is seeking or has obtained qualification as a PFI Employee satisfies all PFI Employee requirements • Annually, documentation that each PFI Employee of the PFI Company (or candidate) has successfully completed required PCI SSC training as well as annual training for incident response and computer forensics professionals such as …
• E-commerce compromises involving web applications • Proficiency to analyze/reverse-engineer malware • Attestation that each employee of the PFI Company (or candidate) with respect to whom the PFI Company (or candidate) is seeking or has obtained qualification as a PFI Employee satisfies all PFI Employee requirements • Annually, documentation that each PFI Employee of the PFI Company (or candidate) has successfully completed required PCI SSC training as well as annual training for incident response and computer forensics professionals such as …
Modified p. 14 → 15
The PFI Company (or candidate) must provide to the Approving Organization a list of all subject matter experts that the PFI Company reasonably anticipates engaging to assist the PFI Company in the performance of its PFI Investigations (the "Subcontractor List").
Prior to using any Subcontractor, the PFI Company (or candidate) must provide to the Approving Organization a list of all Subcontractors that the PFI Company reasonably anticipates engaging or subcontracting to assist the PFI Company in the performance of its PFI Investigations (the "Subcontractor List").
Removed p. 15
• Active incident response certification, such as SANs GIAC Certified Incident Handler (GCIH), GIAC Certified Forensics Analyst (GCFA), or equivalent certification satisfactory to the Approving Organization; or a minimum three (3) years of forensic investigation/incident handling experience.

• Approved subcontractors are not permitted to include, and no PFI Company shall permit any of its subcontractors to include, any company logo or reference to a company other than the responsible PFI Company, in any PFI report or other materials in connection with work performed as a subcontractor for the PFI.
Modified p. 15 → 16
• Proof of Incident Response certification, such as SANs GIAC Certified Incident Handler (GCIH) or GIAC Certified Forensics Analyst (GCFA), if applicable.
• Proof of Incident Response certification as described in section 3.3.1, if applicable.
Modified p. 16 → 17
Résumé demonstrating a BS or higher degree in Computer Science, Electrical Engineering, Computer Engineering and/or Forensics or minimum five (5) years of equivalent industry experience.
Résumé demonstrating a BS or higher degree in Computer Science, Electrical Engineering, Computer Engineering and/or Forensics or minimum five (5) years of equivalent industry experience.
Removed p. 17
• Phone number

• Fax number

• E-mail address

4.2 Background Checks 4.2.1 Requirement Each PFI Company must perform background checks that satisfy the provisions described below (to the extent legally permitted within the applicable jurisdiction) with respect to each applicant PFI Employee.
Modified p. 18 → 20
Each PFI Company must have documented the details of the aforementioned quality assurance program in a program manual that includes, without limitation, all required PFI Report templates (such program manual may (but need not) be included as part of the program manual required in accordance with Section 4.3 of the QSA Qualification Requirements).
Each PFI Company must have documented the details of the aforementioned quality assurance program in a program manual that includes, without limitation, all required PFI Report templates (such program manual may (but need not) be included as part of the program manual required in accordance with Section 4.3 of the QSA Qualification Requirements).
Removed p. 19
• Applicable warning letters

• Probation requirements and/or processes

• Remediation requirements, processes, and related fees

• Revocation requirements and/or processes

• Reinstatement requirements and/or processes
Modified p. 19 → 20
Appeals requirements and/or processes The PFI Company must provide a Feedback Report in the form attached hereto as Appendix C to each Entity Under Investigation (and if applicable, to each acquirer) at the completion of its PFI Investigation thereof and request that it be promptly completed and delivered to PCI SSC.
• Applicable warning letters • Probation requirements and/or processes • Remediation requirements, processes, and related fees • Revocation requirements and/or processes • Reinstatement requirements and/or processes • Appeals requirements and/or processes The PFI Company must provide a Feedback Report in the form attached hereto as Appendix C to each Entity Under Investigation (and if applicable, to each acquirer) at the completion of its PFI Investigation thereof and request that it be promptly completed and delivered to PCI SSC.
Modified p. 19 → 20
PCI SSC reserves the right, upon reasonable notice, to conduct PFI Company site visits for purposes of auditing the processes and procedures used by PFI Company in connection with PFI Investigations; and each PFI Company must comply with all such requests and provide PCI SSC with reasonable access for such purposes.
PCI SSC reserves the right, upon reasonable notice, to conduct PFI Company site visits for purposes of auditing the processes and procedures used by PFI Company in connection with PFI Investigations; and each PFI Company must comply with all such requests and provide PCI SSC with reasonable access for such purposes.
Modified p. 19 → 21
Oversight of quality assurance for all PFI Reports.
Oversight of quality assurance for all PFI Reports.
Modified p. 19 → 21
Review and approval of all PFI Reports prior to distribution to Participating Payment Brands, Entities Under Investigation or others, as applicable.
Review and approval of all PFI Reports prior to distribution to Participating Payment Brands, Entities Under Investigation or others, as applicable.
Modified p. 19 → 21
Sole responsibility for submitting PFI Reports to Participating Payment Brands, Entities Under Investigation or others, as applicable.
Sole responsibility for submitting PFI Reports to Participating Payment Brands, Entities Under Investigation or others, as applicable.
Modified p. 19 → 21
Each PFI Company (or candidate) shall, upon request, provide to the Approving Organization a description of the contents of the PFI Company’s quality assurance manual, to confirm that the manual addresses all aspects of the PFI Company’s procedures and requirements for PFI Investigations and report review processes, including without limitation, a requirement that all PFI Employees must comply with all PFI Employee requirements.
Each PFI Company (or candidate) shall, upon request, provide to the Approving Organization a description of the contents of the PFI Company’s quality assurance manual, to confirm that the manual addresses all aspects of the PFI Company’s procedures and requirements for PFI Investigations and report review processes, including without limitation, a requirement that all PFI Employees must comply with all PFI Employee requirements.
Modified p. 19 → 21
Additionally, each PFI Company (or candidate) must provide to PCI SSC prompt written notice of any change to any information previously provided to PCI SSC or any other Approving Organization if such change is reasonably likely to impact the Good Standing of such PFI Company or to cause the PFI Company to no longer be eligible for PFI Company qualification.
Additionally, each PFI Company (or candidate) must provide to PCI SSC prompt written notice of any change to any information previously provided to PCI SSC or any other Approving Organization if such change is reasonably likely to impact the Good Standing of such PFI Company or to cause the PFI Company to no longer be eligible for PFI Company qualification.
Modified p. 19 → 21
All information, materials and documentation must be provided to the Approving Organization in English or with a certified English translation.
All information, materials and documentation must be provided to the Approving Organization in English or with a certified English translation.
Modified p. 20 → 21
The PFI Company (or candidate) must provide to the Approving Organization a blank copy of the documentation that all employees sign acknowledging the company’s policies and procedures for handling and preserving the integrity of evidence and how evidence is collected.
The PFI Company (or candidate) must provide to the Approving Organization a blank copy of the documentation that all employees sign acknowledging the company’s policies and procedures for handling and preserving the integrity of evidence and how evidence is collected.
Modified p. 20 → 21
PFI Company (or candidate) must provide to the Approving Organization proof that employees collecting evidence are proficient in use of the tools being used for the examination. This can be demonstrated by copies of certifications or notable experience in résumés.
PFI Company (or candidate) must provide to the Approving Organization proof that employees collecting evidence are proficient in use of the tools being used for the examination. This can be demonstrated by copies of certifications or notable experience in résumés.
Removed p. 21
• Ensure and certify in each Final PFI Report that the judgments, conclusions and findings therein:

  o accurately reflect, include and are based solely upon the factual evidence as gathered, discovered and determined to be relevant to the PFI Investigation by the PFI Company in its sole discretion during the course of that PFI Investigation

  o reflect the independent judgments, findings and conclusions of the PFI Company and its PFI Employees only, acting in their sole discretion; and

  o were not in any manner influenced, directed, controlled, modified, provided or subjected to any prior approval by the subject Entity Under Investigation, any contractor, representative, professional advisor, agent or affiliate thereof, or any other person or entity other than the PFI Company and its PFI Employees.
Removed p. 24
Note: Failure to successfully qualify as a PFI Company within 12 months of initial application submission will result in forfeiture of all PFI Program application and initial processing fees and closure of the application.
Modified p. 24 → 25
Proof of coverage statements for all proposed subcontractors.
Proof of coverage statements for all proposed Subcontractors.
Modified p. 24 → 25
Documentation that the candidate PFI Company can ensure that a PA- QSA Employee (in Good Standing as such) is available to be assigned to each PFI Investigation.
Documentation that the candidate PFI Company can ensure that a PA-QSA Employee (and/or a Secure Software Assessor after October 28, 2022), in Good Standing as such, is available to be assigned to each PFI Investigation.
Removed p. 28
1. Notwithstanding anything to the contrary in the Agreement, Company may engage appropriate third party subject matter experts to perform specific aspects of PFI Investigations where necessary, without first obtaining the consent of PCI SSC; provided that (a) Company shall be primarily responsible and liable for the performance of all services by such subcontractors in connection with such PFI Investigations; (b) Company shall promptly notify PCI SSC of each such engagement via electronic mail to pfi@pcisecuritystandards.org and shall promptly notify each affected Participating Payment Brand, prior to such subcontractor performing any such subcontracted for services if practicable, and in any event within one (1) business day after such services have begun in connection with each PFI Investigation in each instance; (c) in the event PCI SSC notifies Company of its rejection of any such subcontractor, Company shall immediately cease its use of such subcontractor in connection with such PFI Investigation; …
Removed p. 29
B. Effect of Termination Upon any termination or expiration of this Addendum: (i) Company will no longer be identified as a PFI on the PFI List; (ii) Company shall immediately cease all advertising and promotion of its status as a PFI; (iii) Company shall immediately cease soliciting for and performing all PFI Services, provided that, if and to the extent instructed by PCI SSC in writing, Company shall
Modified p. 29 → 31
6. Term and Termination This Addendum shall become effective as of the Addendum Effective Date and, unless earlier terminated in accordance with the Agreement, shall continue for an initial term of one (1) year, and thereafter shall renew for additional subsequent terms of one year, subject to Company's successful completion of applicable qualification and re-qualification requirements for each such one-year term. This Addendum shall immediately terminate upon termination of the Agreement and as otherwise specified in the Agreement.
6. Term and Termination A. Term - This Addendum shall become effective as of the Addendum Effective Date and, unless earlier terminated in accordance with the Agreement, shall continue for an initial term of one (1) year, and thereafter shall renew for additional subsequent terms of one year, subject to Company's successful completion of applicable qualification and re-qualification requirements for each such one-year term. This Addendum shall immediately terminate upon termination of the Agreement and as otherwise specified in the …
Modified p. 30 → 32
7. Third-Party Beneficiaries Company hereby agrees that each Participating Payment Brand shall be an express third party beneficiary of this Agreement and, accordingly, shall have available to it all rights, whether at law or in equity, to enforce the provisions of this Agreement on its own behalf and in its own right directly against Company.
7. Third-Party Beneficiaries Company hereby agrees that each Participating Payment Brand shall be an express third-party beneficiary of this Agreement and, accordingly, shall have available to it all rights, whether at law or in equity, to enforce the provisions of this Agreement on its own behalf and in its own right directly against Company.
Modified p. 31 → 33
Note: This Feedback Report should not be completed or submitted by the PFI Company. Completed Feedback Forms should be submit directly to PCI SSC by the investigated entity or acquirer (as applicable), via e-mail to pfi@pcisecuritystandards.org or by postal mail to:
Note: This Feedback Report should not be completed or submitted by the PFI Company. Completed Feedback Forms should be submitted directly to PCI SSC by the investigated entity or acquirer (as applicable), via e-mail to pfi@pcisecuritystandards.org or by postal mail to:
Modified p. 31 → 33
PCI SSC 401 Edgewater Place, Suite 600 Wakefield, MA 01880, USA All responses are optional and this form may be submitted anonymously and should be completed in English.
PCI SSC 401 Edgewater Place, Suite 600 Wakefield, MA 01880, USA All responses are optional, and this form may be submitted anonymously and should be completed in English.
Modified p. 35 → 37
PCI 3DS Core Security Standard The then-current versions of (or successor documents to) the Payment Card Industry 3-D Secure (PCI 3DS) Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server any and all appendices, exhibits, schedules, and attachments to any of the foregoing and all materials incorporated therein, in each case, as from time to time amended and made available on the Website.
PCI 3DS Core Security Standard The then-current versions of (or successor documents to) the Payment Card Industry 3- D Secure (PCI 3DS) Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server any and all appendices, exhibits, schedules, and attachments to any of the foregoing and all materials incorporated therein, in each case, as from time to time amended and made available on the Website.
Modified p. 35 → 37
ASV Assessment An information security vulnerability assessment performed by a PCI SSC- qualified Approved Scanning Vendor in accordance with the PCI SSC Qualification Requirements for Approved Scanning Vendors (ASV) or successor document thereto.
ASV Assessment An information security vulnerability assessment performed by a PCI SSC-qualified Approved Scanning Vendor in accordance with the PCI SSC Qualification Requirements for Approved Scanning Vendors (ASV) or successor document thereto.
Modified p. 35 → 37
Cardholder Data Defined in the PCI DSS Glossary of Terms, Abbreviations, and Acronyms.
Cardholder Data Also referred to as Payment Data or Account Data. Defined in the PCI DSS Glossary of Terms, Abbreviations, and Acronyms.
Modified p. 36 → 38
PA-QSA (or Payment Application Qualified Security Assessor) A QSA Company that provides services to payment application vendors in order to validate such vendors' payment applications as adhering to the requirements of the PA-DSS and that has satisfied and continues to satisfy all requirements applicable to PA-QSAs (or is in compliance with remediation under the PA-DSS Program), as described in the QSA Qualification Requirements For Payment Application Qualified Security Assessors (PA-QSA).
PA-QSA (or Payment Application Qualified Security Assessor) A QSA Company that provides services to payment application vendors in order to validate such vendors' payment applications as adhering to the requirements of the PA- DSS and that has satisfied and continues to satisfy all requirements applicable to PA- QSAs (or is in compliance with remediation under the PA-DSS Program), as described in the QSA Qualification Requirements For Payment Application Qualified Security Assessors (PA-QSA).