Document Comparison
PCI-SSF-Qualification-Requirements-v1_1.pdf
→
PCI-SSF-Qualification-Requirements-v1_1r1.pdf
98% similar
Pages: 71 → 71
Words: 26801 → 27447
111
Content Changes
111 content changes. 68 administrative changes (dates, page numbers) hidden.
Added
p. 2
December 2021 1.1 rev 1 Updates to allow SSF Assessor Companies to subcontract services.
Added
p. 7
• Unmodified, completed, and executed SSF Agreement, and
• SSF Agreement (Appendix A)
• Insurance Requirements (Appendix B)
• SSF Assessor Company Application (Appendix C)
• Secure SLC Assessor Application (Appendix D)
• Secure Software Assessor Application (Appendix E)
Added
p. 11
• Unless expressly prohibited by applicable law, written statements describing all past or present allegations or convictions of any fraudulent or criminal activity involving the SSF Assessor Company, SSF Assessor Company candidate or any principal thereof, and any Assessor-Employee thereof, and the status and resolution.
Added
p. 14
• Annual re-qualification fees for subsequent years
Added
p. 14
The SSF Assessor Company must also provide to PCI SSC proof of bound insurance coverage for all such subcontractors to demonstrate policies are in accordance with SSF Program insurance coverage requirements (see Appendix B of the SSF Qualification Requirements). PCI SSC's consent to any such subcontracting shall be subject to such terms, conditions, and requirements as PCI SSC may in its sole discretion deem necessary, reasonable, or appropriate under the circumstances.
Note: To obtain PCI SSC's consent to the use of a subcontractor, contact the SSF Program Manager at software@pcisecuritystandards.org.
Added
p. 16
Note: Approved subcontractors shall not be permitted to include a company logo other than that of the responsible SSF Assessor Company or any reference to another company in the Report on Compliance, Report on Validation or attestation documents while performing work on behalf of the SSF Assessor Company.
If a SSF Assessor Company wishes to hire another company that is not an active SSF Assessor Company to perform any portion of the SSF Assessor Company Services, such hiring is considered to be subcontracting and requires prior written consent by PCI SSC for each subcontracted worker. The SSF Assessor Company must also provide to PCI SSC proof-of-coverage statements covering all such subcontractors to demonstrate that insurance satisfying applicable insurance coverage requirements (see Appendix B) has been purchased and is maintained for all such subcontractors.
Added
p. 19
• Résumé or Curriculum Vitae (CV), and
• Certificates or other evidence of completion of industry-recognized professional certification.
• Performing Secure Software Assessments
• Verifying the work product addresses all Secure Software Assessment procedure steps and supports the validation status of the payment software
• Strictly following the Secure Software Standard and PCI Secure Software Assessor Program Guide
• Producing the final Assessment Report
Each Secure Software Assessor performing or managing a Secure Software Assessment must satisfy the following requirements:
• Possess substantial information security knowledge and experience to conduct technically complex security assessments
• Résumé or Curriculum Vitae (CV), and
• Certificates or other evidence of completion of industry-recognized professional certification.
• Initial Secure Software Assessor qualification training and exam
• Annual Secure Software Assessor requalification training and exam
• A written statement that it successfully completed such background checks for each candidate Assessor-Employee
• A summary description of current Assessor-Employee personnel background check policies and procedures, which must require and …
Added
p. 32
• Ensure Secure Software Assessors complete the required Module(s) training and exam.
• Failure to meet applicable SSF quality standards or comply with applicable SSF Requirements
• Failure to pay applicable SSF fees
• Failure to meet applicable SSF training requirements (annual or otherwise)
• Failure to meet applicable SSF continuing education requirements
• Failure to provide quality services, based on customer feedback or evaluation by PCI SSC or its affiliates
• Failure to maintain applicable SSF insurance requirements
• Failure to comply with or validate compliance in accordance with applicable SSF Requirements, the applicable SSF Standard, the PCI Secure SLC Program Guide or PCI Secure Software Standard Program Guide (as applicable), or the terms of the SSF Agreement or supplements or addenda thereto
• Failure to maintain physical, electronic, or procedural safeguards to protect confidential or sensitive information
• Failure to report unauthorized access to any system storing confidential or sensitive information
• Engaging in unprofessional or unethical business …
Added
p. 55
• WORKERS’ COMPENSATION: Statutory Workers Compensation as required by applicable law
• EMPLOYER’S LIABILITY with a limit of $1,000,000
• COMMERCIAL GENERAL LIABILITY INSURANCE including PRODUCTS, COMPLETED OPERATIONS, ADVERTISING INJURY, PERSONAL INJURY and CONTRACTUAL LIABILITY INSURANCE with the following minimum limits for Bodily Injury and Property Damage on an Occurrence basis: $1,000,000 per occurrence and $2,000,000 annual aggregate. PCI SSC to be added as “Additional Insured.” The policy Coverage Territory must be global.
• COMMERCIAL AUTOMOBILE INSURANCE including owned, leased, hired, or non-owned autos subject to minimum limits of $1,000,000 per accident
Modified
p. 1
Payment Card Industry (PCI) Software Security Framework Qualification Requirements for Assessors Version 1.1
Payment Card Industry (PCI) Software Security Framework Qualification Requirements for Assessors Version 1.1 revision 1
Modified
p. 6
PCI Secure Software Lifecycle (Secure SLC) Standard
• PCI Secure Software Lifecycle (Secure SLC) Standard
Modified
p. 6
PCI Secure Software Standard Companies and their employees may choose to qualify to perform assessments using the PCI Secure SLC Standard, the PCI Secure Software Standard, or both.
• PCI Secure Software Standard Companies and their employees may choose to qualify to perform assessments using the PCI Secure SLC Standard, the PCI Secure Software Standard, or both.
Modified
p. 7
Meeting or exceeding all applicable SSF Requirements.
• Meeting or exceeding all applicable SSF Requirements.
Modified
p. 7
Executing the SSF Agreement with PCI SSC.
• Executing the SSF Agreement with PCI SSC.
Modified
p. 7
Qualifying and maintaining at least one employee as an Assessor-Employee.
• Qualifying and maintaining at least one employee as an Assessor-Employee.
Modified
p. 7
Ensuring that its Assessor-Employees satisfy and continue to meet or exceed all applicable SSF Requirements, including those outlined within this document.
• Ensuring that its Assessor-Employees satisfy and continue to meet or exceed all applicable SSF Requirements, including those outlined within this document.
Modified
p. 7
• Completed and executed SSF Assessor Company Application (Appendix C).
Modified
p. 8
Section 1: Introduction and overview.
• Section 1: Introduction and overview.
Modified
p. 8
Section 2: SSF Assessor Company Business Requirements includes minimum business requirements that must be demonstrated to PCI SSC by the assessor company.
• Section 2: SSF Assessor Company Business Requirements includes minimum business requirements that must be demonstrated to PCI SSC by the assessor company.
Modified
p. 8
Section 3: SSF Assessor Company Capability Requirements includes the information and documentation necessary to demonstrate the assessor company’s service expertise.
• Section 3: SSF Assessor Company Capability Requirements includes the information and documentation necessary to demonstrate the assessor company’s service expertise.
Modified
p. 8
Section 4: SSF Assessor Company Administrative Requirements includes standards for operating as a SSF Assessor Company.
• Section 4: SSF Assessor Company Administrative Requirements includes standards for operating as a SSF Assessor Company.
Modified
p. 8
Section 5: SSF Assessor Company List and Re-Qualification includes the annual re-qualification process for the SSF Assessor Company.
• Section 5: SSF Assessor Company List and Re-Qualification includes the annual re-qualification process for the SSF Assessor Company.
Modified
p. 8
Section 6: Assessor Quality Management Program includes PCI SSC’s assessor quality management process, including remediation and revocation.
• Section 6: Assessor Quality Management Program includes PCI SSC’s assessor quality management process, including remediation and revocation.
Modified
p. 8
• Amending SSF Assessor Company Status (Appendix F)
1.2 Related Publications
This document should be reviewed along with other applicable PCI SSC publications, including but not limited to the current publicly available versions of the following, each available on the Website:
Modified
p. 9
PCI Secure Software Lifecycle (Secure SLC) Standard
• PCI Secure Software Lifecycle (Secure SLC) Standard
Modified
p. 9
PCI Secure Software Standard
• PCI Secure Software Standard
Modified
p. 9
PCI Secure Software Lifecycle (Secure SLC) Program Guide
• PCI Secure Software Lifecycle (Secure SLC) Program Guide
Modified
p. 9
PCI Secure Software Program Guide
• PCI Secure Software Program Guide
Modified
p. 9
PCI Software Security Framework Glossary of Terms Abbreviations, and Acronyms
• PCI Software Security Framework Glossary of Terms Abbreviations, and Acronyms
Modified
p. 9
PCI SSC Code of Professional Responsibility
1.3 Updates to Documents and Security Requirements
This document is expected to change as necessary to align with updates to other PCI Software Security Framework documentation and other related PCI SSC publications. Additionally, PCI SSC provides interim updates to the PCI community through a variety of means, including (without limitation) required assessor training, e-mail bulletins and newsletters, and frequently asked questions.
• PCI SSC Code of Professional Responsibility
1.3 Updates to Documents and Security Requirements
This document is expected to change as necessary to align with updates to other PCI Software Security Framework documentation and other related PCI SSC publications. Additionally, PCI SSC provides interim updates to the PCI community through a variety of means, including (without limitation) required assessor training, e-mail bulletins and newsletters, and frequently asked questions.
Modified
p. 11
Copy of current, valid SSF Assessor Company (or candidate SSF Assessor Company) formation document or equivalent approved by PCI SSC (the “Business License”), including year of incorporation, and location(s) of offices (Refer to the Documents Library on the Website • Business License Requirements for more information)
Unless expressly prohibited by applicable law, written statements describing all past or present allegations or convictions of any fraudulent or criminal activity involving the SSF Assessor Company, SSF Assessor Company candidate or any principal thereof, …
• Copy of current, valid SSF Assessor Company (or candidate SSF Assessor Company) formation document or equivalent approved by PCI SSC (the “Business License”), including year of incorporation, and location(s) of offices (Refer to the Documents Library on the Website • Business License Requirements for more information)
Modified
p. 11
Written statements describing any past or present appeals or revocations of any qualification issued by PCI SSC to the SSF Assessor Company (or any predecessor entity or, unless expressly prohibited by applicable law, any employee of any of the foregoing), and the current status and any resolution thereof.
• Written statements describing any past or present appeals or revocations of any qualification issued by PCI SSC to the SSF Assessor Company (or any predecessor entity or, unless expressly prohibited by applicable law, any employee of any of the foregoing), and the current status and any resolution thereof.
Modified
p. 11
The SSF Assessor Company must not undertake to perform any SSF Assessment of any entity
• The SSF Assessor Company must not undertake to perform any SSF Assessment of any entity
Modified
p. 12
The SSF Assessor Company must not (and will not) have offered or been offered, have provided or been provided, or have accepted any gift, gratuity, service, or other inducement to or from any employee of PCI SSC or any Vendor in connection with entering into the SSF Agreement or any agreement with a Vendor, or performing SSF Assessor Company-related services.
• The SSF Assessor Company must not (and will not) have offered or been offered, have provided or been provided, or have accepted any gift, gratuity, service, or other inducement to or from any employee of PCI SSC or any Vendor in connection with entering into the SSF Agreement or any agreement with a Vendor, or performing SSF Assessor Company-related services.
Modified
p. 12
The SSF Assessor Company must fully disclose in its Assessment Reports, if it assesses any Vendor that uses any security-related device, application, product, solution or software testing tool that is developed, manufactured, sold, resold, licensed, or otherwise made available to the applicable Vendor, directly or indirectly, by the SSF Assessor Company, or to which the SSF Assessor Company owns the rights, or that the SSF Assessor Company has configured or manages, including but not limited to the following:
• The SSF Assessor Company must fully disclose in its Assessment Reports, if it assesses any Vendor that uses any security-related device, application, product, solution or software testing tool that is developed, manufactured, sold, resold, licensed, or otherwise made available to the applicable Vendor, directly or indirectly, by the SSF Assessor Company, or to which the SSF Assessor Company owns the rights, or that the SSF Assessor Company has configured or manages, including but not limited to the following:
Modified
p. 12
• Source code versioning and management solutions
When recommending remediation actions that include one of its own solutions or products, the SSF Assessor Company must also recommend other market options that exist.
• When recommending remediation actions that include one of its own solutions or products, the SSF Assessor Company must also recommend other market options that exist.
Modified
p. 12
The SSF Assessor Company must ensure that its Assessor-Employees conducting or assisting with SSF Assessments are not subject to any conflict of interest, including by imposing and enforcing appropriate requirements regarding independence and separation of duties to limit sources of influence that might compromise independent judgment in performing SSF Assessments.
• The SSF Assessor Company must ensure that its Assessor-Employees conducting or assisting with SSF Assessments are not subject to any conflict of interest, including by imposing and enforcing appropriate requirements regarding independence and separation of duties to limit sources of influence that might compromise independent judgment in performing SSF Assessments.
Modified
p. 12
The SSF Assessor Company will not use its status as an SSF Assessor Company to market services unnecessary to bring their clients into compliance with any SSF Standard.
• The SSF Assessor Company will not use its status as an SSF Assessor Company to market services unnecessary to bring their clients into compliance with any SSF Standard.
Modified
p. 12
The SSF Assessor Company must not misrepresent any requirement of any SSF Standard, including but not limited to, in connection with its promotion or sales of
• The SSF Assessor Company must not misrepresent any requirement of any SSF Standard, including but not limited to, in connection with its promotion or sales of
Modified
p. 13
The SSF Assessor Company must notify its Assessor-Employees of the independence requirements provided for in this document, as well as SSF Assessor Company’s independence policy implementing such requirements, at least annually, and ensure compliance therewith.
• The SSF Assessor Company must notify its Assessor-Employees of the independence requirements provided for in this document, as well as SSF Assessor Company’s independence policy implementing such requirements, at least annually, and ensure compliance therewith.
Modified
p. 13 → 14
• Annual training fee(s) for each Assessor-Employee (or candidate)
Modified
p. 15
The SSF Assessor Company must have a dedicated software security practice that includes staff with specific job functions that support the software security practice.
• The SSF Assessor Company must have a dedicated software security practice that includes staff with specific job functions that support the software security practice.
Modified
p. 15
The SSF Assessor Company must have demonstrated competence in cryptographic techniques, to include cryptographic algorithms, key management and rotation processes, and secure key storage.
• The SSF Assessor Company must have demonstrated competence in cryptographic techniques, to include cryptographic algorithms, key management and rotation processes, and secure key storage.
Modified
p. 15
The SSF Assessor Company must have demonstrated competence in using application penetration-testing methodologies, to include use of forensic tools/methods, ability to exploit common software vulnerabilities, and ability to execute arbitrary code to test processes.
• The SSF Assessor Company must have demonstrated competence in using application penetration-testing methodologies, to include use of forensic tools/methods, ability to exploit common software vulnerabilities, and ability to execute arbitrary code to test processes.
Modified
p. 15
Description of the applicant SSF Assessor Company’s software security knowledge and assessment experience, including code review and a description of the methodology used to perform such reviews, preferably related to payment systems, equal to at least one year or three separate assessments.
• Description of the applicant SSF Assessor Company’s software security knowledge and assessment experience, including code review and a description of the methodology used to perform such reviews, preferably related to payment systems, equal to at least one year or three separate assessments.
Modified
p. 15
Evidence of a dedicated software security practice, such as:
• Evidence of a dedicated software security practice, such as:
Modified
p. 16
Two client references from software security related engagements performed by the applicant SSF Assessor Company within the last 12 months.
• Two client references from software security related engagements performed by the applicant SSF Assessor Company within the last 12 months.
Modified
p. 16
An Assessor-Employee only qualified by PCI SSC as a Secure SLC Assessor is authorized to conduct SSF Assessments only against the Secure SLC Standard.
• An Assessor-Employee only qualified by PCI SSC as a Secure SLC Assessor is authorized to conduct SSF Assessments only against the Secure SLC Standard.
Modified
p. 16
An Assessor-Employee only qualified by PCI SSC as a Secure Software Assessor is only authorized to conduct SSF Assessments against the Secure Software Standard and the specific Module for which that Assessor-Employee has been qualified.
• An Assessor-Employee only qualified by PCI SSC as a Secure Software Assessor is only authorized to conduct SSF Assessments against the Secure Software Standard and the specific Module for which that Assessor-Employee has been qualified.
Modified
p. 16
Adhere to the PCI SSC Code of Professional Responsibility.
• Adhere to the PCI SSC Code of Professional Responsibility.
Modified
p. 16
Be an employee of the SSF Assessor Company (meaning this work cannot be subcontracted to non-employees).
• Be an employee of the SSF Assessor Company (meaning this work cannot be subcontracted to non-employees) unless PCI SSC has given prior written consent for each subcontracted worker.
Modified
p. 16 → 17
Performing Secure SLC Assessments.
• Performing Secure SLC Assessments.
Modified
p. 16 → 17
Verifying the work product addresses all Secure SLC Assessment procedure steps and supports the validation status of the Vendor.
• Verifying the work product addresses all Secure SLC Assessment procedure steps and supports the validation status of the Vendor.
Modified
p. 16 → 17
Strictly following the Secure SLC Standard and PCI Secure SLC Program Guide.
• Strictly following the Secure SLC Standard and PCI Secure SLC Program Guide.
Modified
p. 16 → 17
Producing the final Assessment Report.
• Producing the final Assessment Report.
Modified
p. 16 → 17
Possess substantial information security knowledge and experience to conduct technically complex security assessments.
• Possess substantial information security knowledge and experience to conduct technically complex security assessments.
Modified
p. 17
• Software/Systems Testing
Possess a minimum of three (3) years of experience in each of the following information security disciplines (experience may be acquired concurrently, for example, if the role involved experience in multiple disciplines at the same time):
• Possess a minimum of three (3) years of experience in each of the following information security disciplines (experience may be acquired concurrently, for example, if the role involved experience in multiple disciplines at the same time):
Modified
p. 17
• Cryptography and Key Management
Possess at least one of the following accredited, industry-recognized professional certifications from each of List A and List B in Table 2.
• Possess at least one of the following accredited, industry-recognized professional certifications from each of List A and List B in Table 2.
Modified
p. 18
• IIA Certified Internal Auditor (CIA)
Possess knowledge about the Secure SLC Standard and all applicable documents on the Website.
• Possess knowledge about the Secure SLC Standard and all applicable documents on the Website.
Modified
p. 18
Legitimately and successfully complete and pass all required annual Secure SLC Assessor training and exams provided as part of the SSF, of his or her own accord without any unauthorized assistance. Failure to pass any such exam automatically disqualifies the individual as a Secure SLC Assessor and, accordingly, the employee must not perform or manage any Secure SLC Assessment until successfully passing the exam and reinstating his or her qualification.
• Legitimately and successfully complete and pass all required annual Secure SLC Assessor training and exams provided as part of the SSF, of his or her own accord without any unauthorized assistance. Failure to pass any such exam automatically disqualifies the individual as a Secure SLC Assessor and, accordingly, the employee must not perform or manage any Secure SLC Assessment until successfully passing the exam and reinstating his or her qualification.
Removed
p. 19
Performing Secure Software Assessments Verifying the work product addresses all Secure Software Assessment procedure steps and supports the validation status of the payment software Strictly following the Secure Software Standard and PCI Secure Software Assessor Program Guide Producing the final Assessment Report Each Secure Software Assessor performing or managing a Secure Software Assessment must satisfy the following requirements:
Modified
p. 19
A record of working experience and responsibilities outlined in Section 3.2.1 by completing and submitting Appendix D, Résumé or Curriculum Vitae (CV), and Certificates or other evidence of completion of industry-recognized professional certification.
• A record of working experience and responsibilities outlined in Section 3.2.1 by completing and submitting Appendix D,
Modified
p. 19
• Possess a minimum of three (3) years of experience in each of the following software development disciplines (experience may be acquired concurrently, for example, if the role involved experience in multiple disciplines at the same time):
Modified
p. 19
• Software/Systems Testing
Possess a minimum of three (3) years of experience in each of the following software security disciplines (experience may be acquired concurrently, for example, if the role involved experience in multiple disciplines at the same time):
• Possess a minimum of three (3) years of experience in each of the following software security disciplines (experience may be acquired concurrently, for example, if the role involved experience in multiple disciplines at the same time):
Modified
p. 20
• Incident detection and response
Possess at least one of the following accredited, industry-recognized professional certifications from List A or List B in Table 3.
• Possess at least one of the following accredited, industry-recognized professional certifications from List A or List B in Table 3.
Modified
p. 20
• Possess at least one of the following accredited, industry-recognized professional certifications from List C in Table 3.
Modified
p. 20
Table 3: Professional Certifications for Secure Software Assessors Information Security Software Development • (ISC)2 Certified Information System Security Professional (CISSP)
Table 3: Professional Certifications for Secure Software Assessors Information Security Software Development
Modified
p. 20
Possess knowledge about the Secure Software Standard and all applicable documents on the PCI SSC Website.
• Possess knowledge about the Secure Software Standard and all applicable documents on the PCI SSC Website.
Modified
p. 20
Legitimately and successfully complete and pass all required Secure Software Assessor training and exams, of his or her own accord without any unauthorized assistance. Each employee who fails to complete or pass any requisite training or exam must not perform or manage any Secure Software Assessment until completing
• Legitimately and successfully complete and pass all required Secure Software Assessor training and exams, of his or her own accord without any unauthorized assistance. Each employee who fails to complete or pass any requisite training or exam must not perform or manage any Secure Software Assessment until completing
Modified
p. 21
• Additional Module training(s) and exam(s) issued by PCI SSC as part of the required Secure Software Assessor training within 90 days of training release, at any time, from time to time.
Modified
p. 21
A record of working experience and responsibilities outlined in Section 3.2.3 by completing and submitting Appendix E, Résumé or Curriculum Vitae (CV), and Certificates or other evidence of completion of industry-recognized professional certification.
• A record of working experience and responsibilities outlined in Section 3.2.3 by completing and submitting Appendix E,
Modified
p. 22
• E-mail address
4.2 Background Checks
4.2.1 Requirement
Each SSF Assessor Company must perform background checks that satisfy the provisions described below (to the extent legally permitted within the applicable jurisdiction) with respect to each applicant Assessor-Employee.
Modified
p. 22
Attestation that its policies and hiring procedures include performing background checks: Examples of background checks include previous employment history, criminal record, credit history, and reference checks
• Attestation that its policies and hiring procedures include performing background checks: Examples of background checks include previous employment history, criminal record, credit history, and reference checks
Modified
p. 23
• A resource planning policy and process for SSF Assessments which includes:
Modified
p. 23
• résumés and current skill sets for Assessor-Employees, and a process for ongoing training, monitoring, and evaluating Assessor-Employees to ensure their skill sets stay current and relevant for SSF Assessments
• Descriptions of all job functions and responsibilities within the SSF Assessor Company relating to its status and obligations as an SSF Assessor Company
• Identification of QA manual process owner
• Approval and sign-off processes for SSF Assessments and respective Assessment Requirements for independent quality review of SSF Assessor Company and Assessor- …
• résumés and current skill sets for Assessor-Employees, and a process for ongoing training, monitoring, and evaluating Assessor-Employees to ensure their skill sets stay current and relevant for SSF Assessments
Modified
p. 25
Requirements that systems that store, process or transmit information of multiple classifications is classified according to the highest classification of information handled.
• Requirements that systems that store, process or transmit information of multiple classifications is classified according to the highest classification of information handled.
Modified
p. 25
Physical, electronic, and procedural safeguards for protecting the acquisition and handling of confidential and personal information, including:
• Physical, electronic, and procedural safeguards for protecting the acquisition and handling of confidential and personal information, including:
Modified
p. 25
Physical, electronic, and procedural safeguards for protecting the storage of and access to confidential and personal information, including:
• Physical, electronic, and procedural safeguards for protecting the storage of and access to confidential and personal information, including:
Modified
p. 26
Physical, electronic, and procedural safeguards for protecting the transmission of confidential or personal information between authorized parties, systems or custodians, including:
• Physical, electronic, and procedural safeguards for protecting the transmission of confidential or personal information between authorized parties, systems or custodians, including:
Modified
p. 26
Requirements for establishing legal agreements with authorized third-parties with access to confidential or personal information that include provisions mandating adherence to these requirements.
• Requirements for establishing legal agreements with authorized third-parties with access to confidential or personal information that include provisions mandating adherence to these requirements.
Modified
p. 26
A blank copy of the SSF Assessor Company’s confidentiality agreement(s) that each Assessor-Employee is required to sign.
• A blank copy of the SSF Assessor Company’s confidentiality agreement(s) that each Assessor-Employee is required to sign.
Modified
p. 27
A blank copy of the SSF Assessor Company’s Workpaper Retention Policy agreement that each Assessor-Employee is required to sign, included as part of the policy, which includes agreement to conform at all times with the Workpaper Retention Policy and all applicable SSF Requirements.
• A blank copy of the SSF Assessor Company’s Workpaper Retention Policy agreement that each Assessor-Employee is required to sign, included as part of the policy, which includes agreement to conform at all times with the Workpaper Retention Policy and all applicable SSF Requirements.
Modified
p. 27
A requirement that all Assessment Results and Related Materials must be classified as confidential and handled accordingly, with detailed instructions describing how Assessor-Employees are to comply with this requirement. If the classification and handling of confidential and personal information is addressed in other confidential and sensitive data protection handling policies of the SSF Assessor Company, this should be clearly noted within the Workpaper Retention Policy.
• A requirement that all Assessment Results and Related Materials must be classified as confidential and handled accordingly, with detailed instructions describing how Assessor-Employees are to comply with this requirement. If the classification and handling of confidential and personal information is addressed in other confidential and sensitive data protection handling policies of the SSF Assessor Company, this should be clearly noted within the Workpaper Retention Policy.
Modified
p. 27
A requirement that Assessment Results and Related Materials must be retained for at least three (3) years and must include all digital and hard copy evidence created and/or obtained by or on behalf of the SSF Assessor Company during or in connection with each SSF Assessment, including but not limited to: documentation reviewed (policies, processes, procedures, network and dataflow diagrams), case logs, meeting agendas and notes, evidence of onsite and offsite activities (including interview notes), screenshots, config files, results of any …
• A requirement that Assessment Results and Related Materials must be retained for at least three (3) years and must include all digital and hard copy evidence created and/or obtained by or on behalf of the SSF Assessor Company during or in connection with each SSF Assessment, including but not limited to: documentation reviewed (policies, processes, procedures, network and dataflow diagrams), case logs, meeting agendas and notes, evidence of onsite and offsite activities (including interview notes), screenshots, config files, results of …
Modified
p. 27
Requirements ensuring that the SSF Assessor Company has confirmed that all Assessment Results and Related Materials relating to a given SSF Assessment has in fact been retained in accordance with the procedures defined in the Workpaper Retention Policy, prior to releasing the final Assessment Report for that SSF Assessment.
• Requirements ensuring that the SSF Assessor Company has confirmed that all Assessment Results and Related Materials relating to a given SSF Assessment has in fact been retained in accordance with the procedures defined in the Workpaper Retention Policy, prior to releasing the final Assessment Report for that SSF Assessment.
Modified
p. 27
All Assessment Results and Related Materials must be made available to PCI SSC upon request for a minimum of three (3) years after completion of the applicable SSF Assessment.
• All Assessment Results and Related Materials must be made available to PCI SSC upon request for a minimum of three (3) years after completion of the applicable SSF Assessment.
Modified
p. 27
The SSF Assessor Company must provide a copy of the Workpaper Retention Policy and related procedures to PCI SSC upon request, including copies of any other policies and procedures referenced within any of the foregoing documents, such as general confidential and sensitive
4.5.2 Provisions
The applicant SSF Assessor Company must provide a completed version of Appendix C to PCI SSC.
• The SSF Assessor Company must provide a copy of the Workpaper Retention Policy and related procedures to PCI SSC upon request, including copies of any other policies and procedures referenced within any of the foregoing documents, such as general confidential and sensitive
4.5.2 Provisions
The applicant SSF Assessor Company must provide a completed version of Appendix C to PCI SSC.
Modified
p. 28
Instructions and procedures for notifying Vendors of Incidents discovered during or in connection with the performance of an SSF Assessment or other SSF-related services and documenting those Incidents and related information in accordance with Section 4.6.1.
• Instructions and procedures for notifying Vendors of Incidents discovered during or in connection with the performance of an SSF Assessment or other SSF-related services and documenting those Incidents and related information in accordance with Section 4.6.1.
Modified
p. 28
Retention requirements for all Incident-related documentation, notices, and reports, with the same protections as those noted for work-paper retention in the SSF Assessor Company’s evidence-retention policy and procedures.
• Retention requirements for all Incident-related documentation, notices, and reports, with the same protections as those noted for work-paper retention in the SSF Assessor Company’s evidence-retention policy and procedures.
Modified
p. 29
PCI SSC has issued a corresponding notification of acceptance to both the SSF Assessor Company and the Vendor; and
• PCI SSC has issued a corresponding notification of acceptance to both the SSF Assessor Company and the Vendor; and
Modified
p. 29
PCI SSC has added a corresponding listing on the applicable list on the Website.
• PCI SSC has added a corresponding listing on the applicable list on the Website.
Modified
p. 29
A statement that the SSF Assessor Company will not recognize validation status in connection with either the Secure Software Standard or the Secure SLC Standard until PCI SSC has (a) notified the SSF Assessor Company and the applicable Vendor via a notification of acceptance and (b) added a corresponding listing on the applicable list on the Website.
• A statement that the SSF Assessor Company will not recognize validation status in connection with either the Secure Software Standard or the Secure SLC Standard until PCI SSC has (a) notified the SSF Assessor Company and the applicable Vendor via a notification of acceptance and (b) added a corresponding listing on the applicable list on the Website.
Modified
p. 31
• PCI SSC Programs Fee Schedule.
• Payment of annual re-qualification fee in accordance with the Website
• PCI SSC Programs Fee Schedule.
• PCI SSC Programs Fee Schedule.
Modified
p. 31
• Skills and Experience. PCI SSC reserves the right to request proof of current professional certifications at any time.
• Maintaining professional certification(s) as required per Section 3.2, Assessor- Employee
• Skills and Experience. PCI SSC reserves the right to request proof of current professional certifications at any time.
• Skills and Experience. PCI SSC reserves the right to request proof of current professional certifications at any time.
Modified
p. 31
Payment of annual re-qualification fees in accordance with the Website • PCI SSC Programs Fee Schedule.
• Payment of annual re-qualification fees in accordance with the Website Programs Fee Schedule.
Modified
p. 32
• Complete all required Module training and successfully complete proctored exam.
Removed
p. 34
• Failure to meet applicable SSF quality standards or comply with applicable SSF Requirements
• Failure to pay applicable SSF fees
• Failure to meet applicable SSF training requirements (annual or otherwise)
• Failure to meet applicable SSF continuing education requirements
• Failure to provide quality services, based on customer feedback or evaluation by PCI SSC or its affiliates
• Failure to maintain applicable SSF insurance requirements
• Failure to comply with or validate compliance in accordance with applicable SSF Requirements, the applicable SSF Standard, the PCI Secure SLC Program Guide or PCI Secure Software Standard Program Guide (as applicable), or the terms of the SSF Agreement or supplements or addenda thereto
• Failure to maintain physical, electronic, or procedural safeguards to protect confidential or sensitive information
• Failure to report unauthorized access to any system storing confidential or sensitive information
• Engaging in unprofessional or unethical business conduct, including without limitation, plagiarism or other improper use of third-party work …
Modified
p. 34
PCI SSC's quality assurance, Remediation, and oversight programs and initiatives as established or imposed from time to time by PCI SSC in its sole discretion
• Failure to promptly notify PCI SSC of any event described above that occurred within three (3) years prior to the SSF Assessor Company’s or Assessor-Employee’s initial SSF Assessor qualification date
PCI SSC's quality assurance, Remediation, and oversight programs and initiatives as established or imposed from time to time by PCI SSC in its sole discretion
Modified
p. 35
The SSF Assessor Company and/or Assessor-Employee (as applicable) name will be removed from the relevant SSF Assessor Company List and/or search tool (as applicable).
• The SSF Assessor Company and/or Assessor-Employee (as applicable) name will be removed from the relevant SSF Assessor Company List and/or search tool (as applicable).
Modified
p. 35
PCI SSC may notify third parties.
• PCI SSC may notify third parties.
Modified
p. 35
The revoked company and/or individual (as applicable) can reapply for qualification after 180 days; provided however, that (i) if revoked in connection with Remediation, an election not to participate in Remediation when offered, or due to failure to satisfy applicable quality assurance standards set by PCI SSC, such company and/or individual shall be ineligible to re-apply as an SSF Assessor for a period of two (2) years, and (ii) acceptance of qualification applications after Revocation is determined at the Council’s …
• The revoked company and/or individual (as applicable) can reapply for qualification after 180 days; provided however, that (i) if revoked in connection with Remediation, an election not to participate in Remediation when offered, or due to failure to satisfy applicable quality assurance standards set by PCI SSC, such company and/or individual shall be ineligible to re-apply as an SSF Assessor for a period of two (2) years, and (ii) acceptance of qualification applications after Revocation is determined at the …
Modified
p. 37
Applicant’s Officer Signature Date Job Title:
Applicant’s Officer Signature Date Job Title:
Modified
p. 37
PCI SSC Signature Date
PCI SSC Signature Date
Modified
p. 54
A.10.5 Assignment SSF Assessor may not assign this Agreement, or assign, delegate or subcontract any of its rights and/or obligations under this Agreement.
A.10.5 Assignment SSF Assessor may not assign this Agreement, or assign, delegate or subcontract any of its rights and/or obligations under this Agreement (including but not limited to by subcontracting any of the foregoing to a related party or affiliate), without the prior written consent of PCI SSC, which consent PCI SSC may grant or withhold in its absolute discretion.
Removed
p. 55
• WORKERS’ COMPENSATION: Statutory Workers Compensation as required by applicable law
• EMPLOYER’S LIABILITY with a limit of $1,000,000
• COMMERCIAL GENERAL LIABILITY INSURANCE including PRODUCTS, COMPLETED OPERATIONS, ADVERTISING INJURY, PERSONAL INJURY and CONTRACTUAL LIABILITY INSURANCE with the following minimum limits for Bodily Injury and Property Damage on an Occurrence basis: $1,000,000 per occurrence and $2,000,000 annual aggregate. PCI SSC to be added as “Additional Insured.” The policy Coverage Territory must global.
Modified
p. 55
• CRIME/FIDELITY BOND including first-party employee dishonesty, robbery, fraud, theft, forgery, alteration, mysterious disappearance and destruction. Coverage must also include third-party employee dishonesty, i.e., coverage for claims made by the Security Assessor’s client against the Security Assessor for theft committed by the Security Assessor employees.
Modified
p. 55
TECHNOLOGY ERRORS & OMISSIONS, CYBER-RISK and PRIVACY LIABILITY INSURANCE covering liabilities for financial loss resulting or arising from acts, errors or omissions in rendering computer or information technology Services, or from data damage/destruction/corruption, including without limitation, failure to protect privacy, unauthorized access, unauthorized use, virus transmission, denial of service and loss of income from network security failures in connection with the Services provided under this agreement with a minimum limit of two million dollars ($2,000,000) each claim and annual aggregate. …
• TECHNOLOGY ERRORS & OMISSIONS, CYBER-RISK and PRIVACY LIABILITY INSURANCE covering liabilities for financial loss resulting or arising from acts, errors or omissions in rendering computer or information technology Services, or from data damage/destruction/corruption, including without limitation, failure to protect privacy, unauthorized access, unauthorized use, virus transmission, denial of service and loss of income from network security failures in connection with the Services provided under this agreement with a minimum limit of two million dollars ($2,000,000) each claim and annual …
Modified
p. 59
The Company hereby certifies to PCI SSC that, along with this application, the Company is providing to PCI SSC a proof-of-coverage statement demonstrating that its insurance coverage matches locally set insurance coverage requirements.1 A copy of the Company’s bound insurance coverage is attached to this application1
The Company hereby certifies to PCI SSC that, along with this application, the Company is providing to PCI SSC a proof-of-coverage statement demonstrating that its insurance coverage matches locally set insurance coverage requirements.1 A copy of the Company’s bound insurance coverage is attached to this application1 The Company hereby agrees not to subcontract or assign any portion of the SSF Assessor Company Services without first (a) obtaining the prior written consent of PCI SSC (see Section 3.2) and (b) providing …
Modified
p. 64
Duly authorized officer signature Date
Duly authorized officer signature Date
Modified
p. 67
Candidate signature Date
Candidate signature Date
Modified
p. 70
Candidate signature Date
Candidate signature Date