Payment Card Industry (PCI) Data Security Standard Validation Requirements

Payment Card Industry (PCI) Data Security Standard Validation Requirements
For Qualified Security Assessors (QSA)
Version 1.2
October 2008

Document Changes

Date: October
Version:
Description: To align version number with PCI DSS v1.2; no other changes made.

PCI DSS Validation Requirements for QSAs v 1.2, October 2008. Copyright 2008 PCI Security Standards Council LLC.

Table of Contents

Document Changes
1 Introduction
  1.1 Terminology
  1.2 Goal
  1.3 Qualification Process Overview
  1.4 Document Structure
  1.5 Related Publications
  1.6 QSA Application Process
  1.7 Requests
2 QSA Business Requirements
  2.1 Business Legitimacy
  2.2 Independence
  2.3 Insurance Coverage
  2.4 QSA Fees
  2.5 QSA Agreements
3 QSA Capability Requirements
  3.1 QSA Company - Services and Experience
  3.2 QSA Staff Skills and Experience
4 QSA Administrative Requirements
  4.1 Contact Person
  4.2 Background Checks
  4.3 Adherence to PCI Procedures
  4.4 Quality Assurance
  4.5 Protection of Confidential and Sensitive Information
  4.6 Evidence Retention
5 QSA Initial Qualification and Annual Re-qualification
  5.1 QSA List
  5.2 QSA Re-qualification
  5.3 QSA Revocation Process
Appendix A. Qualified Security Assessor (QSA) Agreement
Appendix B. Qualified Security Assessor New Application Process Checklist
Appendix C. Sample QSA Feedback Form
Appendix D. QSA Fees
Appendix E. Insurance Coverage

1 Introduction

In response to requests from merchants for a unified set of payment account data security requirements, members of the payment card industry ("PCI") adopted the PCI Data Security Standard ("PCI DSS"), a set of requirements for cardholder data protection across the entire industry, maintained by the PCI Security Standards Council, LLC ("PCI SSC"), the current version of which is available on the PCI SSC web site at (the "Website").

Organizations that are authorized to validate an entity's adherence to PCI DSS requirements are referred to as "Qualified Security Assessors" or "QSAs." Validation of these requirements by independent and qualified security companies is important to the effectiveness of PCI DSS. The quality, reliability, and consistency of a QSA's work provide confidence that cardholder data are adequately protected.

Key to the success of the PCI DSS is merchant and service provider compliance. When implemented appropriately, PCI DSS requirements provide a well-aimed defense against data exposure and compromise. As a result, on-site PCI DSS assessments performed by Qualified Security Assessors ("Assessments") have become increasingly critical in today's environment. The proficiency with which a QSA conducts an Assessment can have a tremendous impact on the consistent and proper application of PCI measures and controls.

The current version of these Payment Card Industry (PCI) Data Security Standard Validation Requirements for Qualified Security Assessors (the "QSA Validation Requirements"), as available through the Website, describes the necessary qualifications a QSA must have to be recognized by the PCI SSC to perform Assessments.

Members of the payment card industry also adopted the Payment Application Data Security Standard (the "PA-DSS"), a set of requirements derived from and closely related to the PCI DSS, but intended to illustrate for payment software vendors what is required for their payment software applications to facilitate and not prevent their customers' PCI DSS compliance. The PA-DSS is also maintained by PCI SSC and is available as part of the Payment Application Data Security Standard and Audit Procedures ("PA-DSS Security Audit Procedures") through the Website.

Each QSA organization that chooses to additionally qualify to become a Payment Application Qualified Security Assessor (defined below) must satisfy the requirements set forth in the most current version of the Payment Card Industry (PCI) Data Security Standard QSA Validation Requirements Supplement for Payment Application Qualified Security Assessors (PA-QSA) (available through the Website), in addition to continuing to satisfy all general requirements for QSAs.

1.1 Terminology

Throughout these QSA Validation Requirements, the following terms shall have the following meanings:

"Payment Application Qualified Security Assessor" or "PA-QSA" means a QSA company that provides services to payment application vendors in order to validate such vendors' payment applications as adhering to the requirements of the PA-DSS and that has satisfied and continues to satisfy all requirements applicable to PA-QSAs, as described in the QSA Validation Requirements Supplement for Payment Application Qualified Security Assessors (PA-QSA).

"PA-DSS Assessment" means assessment of vendor payment applications in accordance with the PA-DSS Security Audit Procedures in order to establish vendor compliance with the PA-DSS.

"Principal QSA" and "Associate QSA" are used to refer to those QSA companies that have satisfied additional qualification requirements where needed to support PCI DSS adoption in certain global markets, as described in further detail in QSA Validation Requirements Supplement for Principal-Associate Qualified Security Assessors.

"QSA Agreement" refers to the PCI Qualified Security Assessor (QSA) Agreement attached as Appendix A to the QSA Validation Requirements.

"QSA employee" refers to an individual who is employed by a QSA company and who has satisfied and continues to satisfy all QSA Requirements applicable to those of the QSA's employees who will conduct Assessments, as described in further detail herein.

"Qualified Security Assessor" or "QSA" refers to a company that has satisfied and continues to satisfy all requirements set forth in these QSA Validation Requirements.

All capitalized terms used in these QSA Validation Requirements without definition shall have the meanings specified in the QSA Agreement.

1.2 Goal

To qualify as a QSA by PCI SSC, a company must meet or exceed the requirements described in the QSA Validation Requirements and execute the QSA Agreement (see Appendix A) with PCI SSC and comply with its terms. The requirements defined in the QSA Validation Requirements serve as a validation baseline for PCI SSC and provide a transparent process for QSA qualification and re-qualification across the payment industry.

1.3 Qualification Process Overview

The QSA qualification process has potentially three parts: the first involves the qualification of the security company itself. The second relates to the qualification of the company's employee(s) who will be performing and/or managing the on-site PCI DSS Assessments. The third (and optional) part relates to qualification of Principal and Associate QSAs where needed to support global market needs. (See QSA Validation Requirements Supplement for Principal-Associate Qualified Security Assessors.)

Those QSA organizations that choose to additionally qualify to become a Payment Application QSA (PA-QSA) must also complete the requirements specified in PCI DSS QSA Validation Requirements Supplement for Payment Application Qualified Security Assessors (PA-QSA).

All QSAs and PA-QSAs will be identified on PCI SSC's list of QSAs on the Website (the "QSA List") in accordance with the QSA Agreement. If a company is not on the QSA List, its work product is not recognized by PCI SSC. All QSAs must re-qualify annually.

QSA Validation Requirements are incorporated into the QSA Agreement. To initiate the qualification process, the security company must sign the QSA Agreement in unmodified form and submit it to PCI SSC.

1.4 Document Structure

QSA Validation Requirements define the requirements a security company must meet to become a QSA. The document is structured in five sections as follows.

Section 1: Introduction offers a high-level overview of the QSA applications process.

Section 2: QSA Business Requirements covers minimum business requirements that must be demonstrated to PCI SSC by the security company. This section outlines information and items that must be provided to prove business stability, independence, and insurance coverage. QSA fees and agreements are also covered.

Section 3: QSA Capability Requirements reviews the information and documentation necessary to demonstrate the security company's service expertise, as well as that of its employees.

Section 4: QSA Administrative Requirements focuses on the logistics of doing business as a PCI DSS QSA, including background checks, adherence to PCI DSS procedures, quality assurance, and protection of confidential and sensitive information.

Section 5: QSA Initial Qualification and Annual Maintenance briefly outlines the yearly re-qualification process, as well as revocation procedures if there is a breach of the QSA Agreement.

Appendices: The appendices to the QSA Validation Requirements include the QSA Agreement and several helpful checklists, feedback forms, and detailed fee requirements.

1.5 Related Publications

The QSA Validation Requirements should be used in conjunction with the following other PCI SSC publications, each available through the Website:

- PCI DSS
- Payment Card Industry (PCI) Data Security Standard Security Audit Procedures ("PCI DSS Security Audit Procedures")
- PA-DSS Security Audit Procedures

QSA Validation Requirements for Principal and Associate QSAs and PA-QSAs can be found in the following two documents, also available through the Website:

- QSA Validation Requirements Supplement for Principal-Associate Qualified Security Assessors
- QSA Validation Requirements Supplement for Payment Application Qualified Security Assessors (PA-QSA)

1.6 QSA Application Process

In addition to outlining the requirements that a PCI QSA must meet to perform on-site PCI DSS Assessments, the QSA Validation Requirements describe the information that must be provided to PCI SSC as part of the application process. Each outlined requirement is followed by the information that must be submitted to document that the security company meets or exceeds the stated requirements.

To facilitate preparation of the application package, refer to Appendix B: QSA New Application Process Checklist. All application materials and the signed QSA Agreement must be submitted in English. The QSA Agreement is binding in English even if the QSA Agreement was translated and reviewed in another language. All other documentation provided by the QSA in a language other than English must be accompanied by a certified English translation (examples include business licenses and insurance certificates).

Applications must indicate which geographic region(s) (see Appendix D, QSA Fees, for list of region(s) or country(s)) the QSA is applying for, and include all relevant application fees for each applicable region or country.

All application packages must include a signed QSA Agreement and all other required documentation. Applicants should send their completed application packages by mail to the following address: submissions will not be accepted.

PCI SSC
401 Edgewater Place, Suite 600
Wakefield, MA
Phone number:

Important Note: PCI SSC reserves the right to reject any application from any applicant (company or individual) that PCI SSC determines has committed, within two (2) years prior to the application date, any conduct that would have been considered a Violation (defined in Section 5.2 below) if committed by a QSA company or QSA employee. The period of ineligibility will be a minimum of one (1) year, as determined by PCI SSC in a reasonable and non-discriminatory manner, in light of the circumstances.

1.7 Requests

PCI SSC, in an effort to maintain the integrity of the QSA program, may request from time to time demonstrated adherence to the requirements listed in this document. The QSA is responsible to respond to such a PCI SSC request with the documented evidence no later than three (3) weeks from receipt of written notice.

2 QSA Business Requirements

This section describes the minimum business requirements and related information that must be provided to PCI SSC (for Principal and/or Associate QSA requirements, see QSA Validation Requirements Supplement for Principal-Associate Qualified Security Assessors, and for PA-QSA requirements, see QSA Validation Requirements Supplement for Payment Application Qualified Security Assessors (PA-QSA)). Subsections include information about the company's business legitimacy, independence, and required insurance coverage.

2.1 Business Legitimacy

Requirement

The QSA must be recognized as a legal entity.

Provisions

The following information must be provided to PCI SSC:

- Copy of Business license or equivalent, including year of incorporation, and location(s) of offices
- Written statements describing any past or present allegations or convictions of any fraudulent or criminal activity involving the QSA (and QSA principals), and the status and resolution

2.2 Independence

Requirement

The QSA must adhere to professional and business ethics, perform all duties with objectivity, and limit sources of influence that might compromise its independent judgment in performing Assessments.

The QSA must have a code of conduct policy, and provide the policy to PCI SSC upon request.

The QSA must adhere to all independence requirements in this section, as required by PCI SSC, including without limitation, the following (collectively, the "Specified Independence Requirements").

- The QSA will not undertake to perform Assessments of entities that it controls or with which it is under common control or in which it holds any investment.
- The QSA has not offered or provided (and will not offer or provide) any gift, gratuity, service, or other inducement to any employee of PCI SSC or any QSA subject or agency involved in retaining the QSA to enter into the QSA Agreement or to provide QSA-related services.
- The QSA must fully disclose in the Report on Compliance if they assess customers who use any security-related devices or security-related applications that have been developed or manufactured by the QSA, or to which the QSA owns the rights, or that the QSA has configured or manages, including the following:
  - Application or Network Firewalls
  - Intrusion Detection/Prevention Systems
  - Database or other Encryption Solutions
  - Security Audit Log Solutions
  - File Integrity Monitoring Solutions
  - Anti-virus solutions
- The QSA agrees that when the QSA recommends remediation actions that include one of its own solutions or products, the QSA will also recommend other market options that exist.
- The QSA agrees that it will not use its status as a listed QSA to market services unnecessary to bring QSA subjects into compliance with the PCI DSS.
- The QSA must not, and agrees that it will not, misrepresent requirements of the PCI DSS in connection with its promotion or sales of services to QSA clients, or state or imply that the PCI DSS requires usage of the QSA's products or services.

2.2.2 Provisions

The QSA must describe the company's practices to maintain and assure auditor independence, including, but not limited to, practices, organizational structure/separation, and employee education in place to prevent conflicts of interest in a variety of scenarios, such as the following:

- The QSA customer uses products or applications developed or manufactured by the QSA company.
- The QSA customer uses products or applications managed or configured by the QSA company.

The description must include details with respect to compliance with the Specified Independence Requirements called out in Section 2.1 above.

2.3 Insurance Coverage

Requirement

At all times while its QSA Agreement is in effect, the QSA shall maintain sufficient insurance, insurers, coverage, exclusions, and deductibles that PCI SSC reasonably requests to adequately insure the QSA for its obligations and liabilities under the QSA Agreement, including without limitation the QSA's indemnification obligations.

The QSA must adhere to all requirements for insurance coverage required by PCI SSC, including without limitation the requirements in Appendix E, Insurance Coverage, which includes details of required insurance coverage.

Provisions

The QSA must provide a proof of coverage statement to PCI SSC to demonstrate that insurance coverage matches locally set insurance coverage requirements.

If the QSA subcontracts or assigns any portion of the QSA services (only with prior written consent from PCI SSC; see Section 3.2.1), the QSA must also provide to PCI SSC proof of coverage statements from all subcontractors to demonstrate that subcontractors purchase and maintain insurance to match insurance coverage requirements.

2.4 QSA Fees

Requirement

Each QSA applicant must provide to PCI SSC an initial processing fee per geographic region or country in which the QSA applicant intends to perform Assessments (see Appendix D, QSA Fees). These fees are credited toward the qualification fee (see below) if a company is qualified as a QSA. The initial processing fee check should be made payable to PCI SSC and mailed with the completed QSA application package. See Section 1.6 of this document for the mailing address.

Once a company is approved for qualification as a QSA, the following fees may also apply.

- The qualification fee, which must be paid in full within 30 days of notification. This fee may vary by location, as specified in Appendix D, QSA Fees.

Note: All fees are subject to change.

- An annual QSA re-qualification fee for subsequent years, also summarized by location in Appendix D, QSA Fees.
- A training fee for each QSA employee to be qualified, for training sponsored by PCI SSC. This is an annual fee. See Appendix D, QSA Fees.

Additional fees apply for PA-QSA qualification and Principal-Associate QSA qualification; these are outlined in QSA Validation Requirements Supplement for Payment Application Qualified Security Assessors (PA-QSA), Appendix E, and QSA Validation Requirements Supplement for Principal-Associate Qualified Security Assessors, Appendix D, respectively.

2.5 QSA Agreements

Requirement

PCI SSC requires that all agreements between PCI SSC and the QSA (including the QSA Agreement) be signed by a duly authorized officer of the QSA, submitted in unmodified form to PCI SSC, and mailed with the completed QSA application package. The QSA Agreement requires that all QSAs and employees of the QSA comply with the requirements outlined in the QSA Validation Requirements.

There are various agreements, depending on what QSA programs your company is applying for. Initially to become a QSA, your company must submit the QSA Agreement. Once the QSA Agreement and associated documentation is submitted, to be qualified for additional programs, please submit the appropriate optional agreement(s) along with the completed application package(s), as follows:

- PCI SSC Agreement for Principal-Associate QSAs
- Principal-Associate QSA Agreement
- PA-QSA Agreement

See QSA Validation Requirements Supplement for Payment Application Qualified Security Assessors (PA-QSA) or QSA Validation Requirements Supplement for Principal-Associate Qualified Security Assessors as appropriate for more information and for agreements and checklists.

3 QSA Capability Requirements

This section describes the minimum QSA capability requirements and related documentation the QSA must provide to PCI SSC. The QSA must demonstrate security audit expertise, work history, and industry experience.

3.1 QSA Company - Services and Experience

Requirement

The QSA must possess security assessment experience similar or related to the PCI DSS Assessment. The QSA must have a dedicated security practice that includes staff with specific job functions that support the security practice.

Provisions

The following information must be provided to PCI SSC:

- The QSA's experience and knowledge with information security audit engagements, preferably related to payment systems, equal to at least one year or three separate audits
- Description of the QSA's relevant areas of specialization within information security (for example, network security, database and application security, and incident response), demonstrating at least one area of specialization
- Evidence of a dedicated security practice, such as:
  - The number of all employees and the number of employees performing security assessments; and
  - For the number of employees performing security assessments, the percentage of time dedicated to such assessments
- Brief description of core business offerings
- Description of size and types of market segments in which the QSA tends to focus, such as Fortune 500, financial industry, insurance industry, or small-to-medium sized businesses
- List of languages supported by the QSA
- Two client references from security engagements within the last 12 months

3.2 QSA Staff Skills and Experience

Each QSA employee performing or managing PCI DSS Assessments must be qualified by PCI SSC as a QSA employee; only QSA employees qualified by PCI SSC can conduct PCI DSS Assessments. QSA employees are responsible for the following:

- Performing the PCI DSS Assessment
- Being on-site for the duration of the Assessment
- Reviewing the work product that supports the audit procedures
- Ensuring adherence to the PCI DSS Security Audit Procedures
- Scoping decisions
- Selecting systems and system components where sampling is employed
- Evaluating compensating controls
- Producing the final report

Requirement

The QSA employee(s) performing or managing PCI DSS Assessments must:

- Have sufficient information security knowledge and experience to conduct technically complex security assessments
- Possess industry-recognized security certification(s) or equivalent work experience
- Be knowledgeable about the PCI DSS and the PCI DSS Security Audit Procedures
- Attend annual training provided by PCI SSC, and legitimately pass, of his or her own accord without any unauthorized assistance, all examinations conducted as part of training. If a QSA employee fails to so pass any exam in connection with such training, the QSA employee must no longer lead or manage a PCI DSS assessment until successfully passing the exam on a future attempt
- Be employees of the QSA (meaning this work cannot be subcontracted to non-employees) unless PCI SSC has given prior written consent for each subcontracted worker. Approved subcontractors shall not be permitted to include a company logo other than that of the responsible QSA or any reference to another company in the Report of Compliance or attestation documents while performing work on behalf of the QSA.

Provisions

The following information must be provided to PCI SSC for each individual to be qualified:

- Education (subject, level, institute) equal to bachelor's degree or professional certificate
- Area(s) of expertise (Network Security, Application Security and Consultancy, System Integration, Auditing, Special Skills), with at least 1 year (total) in three separate areas
- Years of working experience and responsibilities
- Years of working experience related to payment industry and responsibilities
- Résumé
- Minimum of one of the following certifications must be provided to PCI SSC:
  - Copy of Certified Information System Security Professional (CISSP) certificate and ID number
  - Copy of Certified Information Systems Auditor (CISA) certificate and ID number
  - Copy of Certified Information Security Manager (CISM) certificate and ID number

If an employee does not satisfy any of the above education criteria or certificates, he or she must provide a description of a minimum of five years of relevant information security experience or proof of other recognized security certifications.

4 QSA Administrative Requirements

This section describes the administrative requirements for QSAs, including company contacts, background checks, adherence to PCI DSS procedures, quality assurance, and protection of confidential and sensitive information.

4.1 Contact Person

Requirement

The QSA must provide PCI SSC with a primary and secondary contact and related contact information for each.

Provisions

The following contact information must be provided to PCI SSC, for both primary and secondary contacts:

- Name
- Title
- Address
- Phone number
- Fax number
- address

4.2 Background Checks

Requirement

The QSA must perform a background check (as described in Subsection 4.2.2) on all QSA employees, if legally permitted within the applicable jurisdiction.

The QSA must adhere to all background check requirements as required by PCI SSC.

Upon request, the QSA must provide to PCI SSC the background check history for each QSA employee, when legally permitted within the applicable jurisdiction.

Provisions

The QSA must provide the following to PCI SSC:

- A written statement that the QSA conducts background checks for each employee prior to submitting employee qualification requests to PCI SSC, and that each employee with respect to which qualification materials have been submitted has successfully passed the background check in accordance with the QSA's policies and procedures (where legally permitted).
- A summary description of current QSA personnel background check policies and procedures, to confirm the procedures include at least (to the extent legally permissible in the applicable jurisdiction):
  - Gathering of current photographs
  - Verification of aliases (when applicable)
  - Reviewing of records of any criminal activity, arrests or convictions updated annually
  - Comparing of fingerprints with national and regional criminal records
  - That misdemeanors are allowed, but that felonies automatically disqualify an employee from consideration as a QSA employee

4.3 Adherence to PCI Procedures

Requirements

For each Assessment, the resulting QSA report must follow the Report on Compliance (ROC) template and instructions, as outlined in the PCI DSS Security Audit Procedures.

The QSA must prepare each ROC based on evidence obtained by following the PCI DSS Security Audit Procedures.

Requirements

The QSA must accompany a ROC with an Attestation of Compliance in the form available through signed by a duly authorized officer of the QSA, that summarizes whether the entity is in compliance or not in compliance with PCI DSS, and any related findings.

4.4 Quality Assurance

Requirements

The QSA must have implemented a quality assurance program as documented in the quality assurance program manual (as described in Subsection 4.4.2).

The QSA must provide a QSA Feedback Form to their client at the completion of the audit. See Appendix C, Sample QSA Feedback Form.

The QSA must adhere to all quality assurance requirements mandated by PCI SSC.

PCI SSC reserves the right to conduct site visits and audit the QSA at the discretion of the PCI SSC.

Upon request, the QSA must provide the quality assurance manual to PCI SSC.

Provisions

The QSA must provide the following to PCI SSC:

- A description of the contents of the QSA quality assurance manual, to confirm the procedures fully document the PCI audit processes and the review process for generation of the ROC, including at least the following:
  - Reviews of performed audit procedures, supporting documentation, and information documented in the ROC related to the appropriate selection of system components, sampling procedures, compensating controls, remediation recommendations, proper use of payment definitions, consistent findings, and thorough documentation of results
  - A requirement that all QSA employees must adhere to the PCI DSS Security Audit Procedures

4.5 Protection of Confidential and Sensitive Information

Requirements

The QSA must maintain adequate physical, electronic, and procedural safeguards consistent with industry-accepted practices to protect sensitive and confidential information against any threats or unauthorized access during storage, processing, and/or communicating of this information.

The QSA must adhere to all requirements to protect sensitive and confidential information, as required by PCI SSC.

The QSA must maintain the privacy and confidentiality of information obtained in the course of performing their duties under the QSA Agreement, unless (and to the extent) disclosure is required by legal authority.

Provisions

The QSA must provide the following:

- A description of the QSA's confidential and sensitive data-protection handling practices, including at a minimum the following physical, electronic, and procedural safeguards:
  - Systems storing customer data do not reside on Internet-accessible systems
  - Protection of systems storing customer data by adequate network and application-layer controls, including a firewall and IDS/IPS
  - The following physical and logical access controls:
    - Restricting access (e.g., via locks) to the physical office space
    - Restricting access (e.g., via locked file cabinets) to paper files
    - Restricting logical access to electronic files via role-based access control
  - Encryption of sensitive customer information when transmitted over the Internet either by or other means
  - Secure transport and storage of backup media
  - Encryption of customer data on consultants' laptops
- A description of requirements and processes used to ensure employee confidentiality of customer data, including a (blank) copy of confidentiality agreements required to be signed by employees

The QSA must sign the QSA Agreement, which includes a statement that the QSA will adhere to the foregoing requirement.

4.6 Evidence Retention

Requirements

The QSA must secure (in accordance with 4.5 above) and maintain digital and/or hard copies of case logs, audit results and work papers, notes, and any technical information that was created and/or obtained during the PCI DSS Assessment for a minimum of three (3) years.

The QSA must adhere to all evidence-retention requirements, as required by PCI SSC.

This information must be available upon request by PCI SSC and its Affiliates for a minimum of three (3) years.

The QSA must provide a copy of the evidence-retention policy and procedures to PCI SSC upon request.

Provisions

A description of the QSA's evidence-retention policy and procedures that covers the foregoing requirements must be provided to PCI SSC.

18 5 QSA Initial Qualification and Annual Re-qualification This section describes what happens after initial qualification and items related to the annual QSA re-qualification. This section includes: (1) the QSA List, (2) annual maintenance of the QSA qualification, and (3) revocation, if necessary, of a QSA s qualification 5.1 QSA List Once a company has met all requirements specified in the QSA Validation Requirements, PCI SSC will add the QSA to QSA List in accordance with the QSA Agreement. Only those QSAs on the QSA List are authorized by PCI SSC to perform PCI DSS onsite Assessments. The QSA List and PA-QSA list are posted on the Website. Those QSAs that have additionally qualified as Associate QSAs (per QSA Validation Requirements Supplement for Principal-Associate Qualified Security Assessors)) will be identified as QSAs on the Website, with the Principal QSA noted as the primary contact. Those QSAs that have additionally qualified to perform PA-DSS Assessments (per QSA Validation Requirements Supplement for Payment Application Qualified Security Assessors (PA-QSA)) will be identified as PA-QSAs on the Website. Only those QSAs that have also qualified as PA-QSAs are authorized by PCI SSC to perform PA-DSS Assessments. In the event a company does not meet the requirements specified in the QSA Validation Requirements, PCI SSC will notify the company. The company will have 30 days from the date of notification to appeal the decision. Appeals must be addressed to the PCI SSC General Manager and follow the procedures outlined on If a company s appeal is denied, its name will not be placed on the QSA List. 5.2 QSA Re-qualification Requirements All QSAs and employees must be re-qualified by PCI SSC on an annual basis, based on the QSA s original qualification date. 
Re-qualification is based on payment of annual fees, proof of training attended, and satisfactory feedback from the QSA clients (the merchants or service providers that were assessed), from PCI SSC, and from payment brand participants. PCI SSC reserves the right to perform random on-site audits of the QSA.

Provisions

The following must be provided to PCI SSC and/or will be considered by PCI SSC during the re-qualification process for both the QSA and QSA employees:

- Feedback from QSA clients (entities that were assessed), from PCI SSC, and from payment brand participants (see Appendix C, Sample QSA Feedback Form). Significant or excessive unsatisfactory feedback may be cause for revocation;

- Payment of annual re-qualification fees (see Appendix D, Fees);
- Proof of information systems audit training within the last 12 months to support professional certifications (even if the employee does not yet have professional certifications), of a minimum 20 hours per year and 120 hours over the rolling three-year period. This is in addition to training provided by PCI SSC.

5.3 QSA Revocation Process

Each of the following conditions (each a "Violation") may result in immediate Revocation (as defined in the QSA Agreement) of QSA qualification (including removal from the QSA List), subject to reinstatement pending a successful appeal in accordance with the QSA Agreement, and/or termination of the QSA Agreement:

- The QSA (or any QSA employee thereof) fails to validate compliance in accordance with the PCI DSS Security Audit procedures and/or the PA-DSS Security Audit Procedures, as applicable.
- The QSA (or any QSA employee thereof) violates any provision or obligation regarding non-disclosure of confidential materials.
- The QSA (or any QSA employee thereof) fails to maintain physical, electronic, and procedural safeguards to protect confidential or sensitive information.
- The QSA (or any QSA employee thereof) fails to report unauthorized access to any system storing confidential or sensitive information.
- The QSA (or any QSA employee thereof) engages in unprofessional or unethical business conduct.
- The QSA (or any QSA employee thereof) fails to provide quality services, based on customer feedback or evaluation by PCI SSC or its affiliates.
- The QSA (or any QSA employee thereof) is determined to have cheated on any exam in connection with QSA or PA-QSA training, including without limitation, submitting work that is not the work of the QSA employee taking the exam, theft of or unauthorized access to an exam, use of an alternate, stand-in or proxy during an exam, use of any prohibited or unauthorized materials, notes or computer programs during an exam and providing or communicating in any way any unauthorized information to another person during an exam.
- The QSA (or any QSA employee thereof) is determined by PCI SSC to have provided false or intentionally incomplete or misleading information to the Council in any application or other materials.
- The QSA (or any QSA employee thereof) failed to promptly notify the Council of any event described above that occurred at any time after the date two (2) years before such QSA or QSA employee's qualification by PCI SSC.
- The QSA is otherwise not in Good Standing (as defined in the QSA Agreement).

In the event of any Revocation, the QSA's name will be removed from the QSA List, PCI SSC will notify the QSA of the corresponding Violation, and the QSA will have an opportunity to defend its conduct through an appeal to PCI SSC in accordance with the QSA Agreement. All appeals must be submitted to PCI SSC in writing, addressed to the PCI SSC General Manager and follow all applicable procedures as specified by PCI SSC. PCI SSC will review all relevant evidence submitted by the complainant (if any) and QSA in connection with such appeals and make a decision as to whether termination of QSA qualification is warranted. All decisions of PCI SSC regarding revocation are final.

If a QSA's appeal is denied or the QSA fails to appeal in accordance with the QSA Agreement, PCI SSC may immediately terminate the corresponding QSA Agreement and notify the participating payment brands and/or acquirers.

Appendix A. Qualified Security Assessor (QSA) Agreement

A.1 Introduction

This document (the "Agreement") is an agreement between PCI Security Standards Council, LLC ("PCI SSC") and the undersigned Applicant ("QSA"), regarding QSA's qualification and designation to perform the Services (as defined herein). Effective upon the date of PCI SSC's approval of this Agreement (the "Effective Date"), as evidenced by the PCI SSC signature below, for good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, QSA and PCI SSC agree to the terms and conditions set forth in this Agreement.

A.2 General Information

Applicant
Company Name:
Business Address:
City:
State/Province:
Country:
Postal Code:
Regions Applying For (see Appendix D):

Primary Contact
Name:
Direct Telephone Number:
Location:
Title:
Fax:

Secondary Contact
Name:
Direct Telephone Number:
Location:
Title:
Fax:

Applicant's Officer Signature    Date
Applicant Officer Name:
Title:

PCI SSC
PCI SSC Signature    Date
Name:
Title:
Date:

A.3 Terms and Conditions

A.3.1 QSA Services

PCI SSC hereby approves QSA to perform, in accordance with this Agreement and the QSA Validation Requirements (defined below), onsite reviews of the member Financial Institutions of Members ("Financial Institutions"), issuers of Member payment cards ("Issuers"), merchants authorized to accept Member cards in payment for goods or services ("Merchants"), acquirers of Merchant accounts ("Acquirers") and data processing entities performing services for a Financial Institution, Issuer, Merchant or Acquirer ("Processors", and each Processor, Acquirer, Issuer, Merchant or Financial Institution, a "Subject"), to determine Subjects' compliance with the Payment Card Industry (PCI) Data Security Standard, as such Standard may be amended from time to time (the "PCI DSS", which is hereby incorporated into this Agreement), the current version of which is available for review on the PCI SSC web site at (the "Website"), as part of the PCI Qualified Security Assessor Program ("QSA Program").
For purposes of this Agreement: (i) "Member" means a then current member of PCI SSC; (ii) the QSA reviews described above are referred to herein as "Assessments"; (iii) the Assessments, collectively with all related services provided by QSA to PCI SSC, Subjects or others in connection with this Agreement and the QSA Program, are referred to herein as the "Services"; (iv) "QSA Validation Requirements" means the most current version of (or successor document to) the Payment Card Industry (PCI) Validation Requirements for Qualified Security Assessors (QSA) document as available through the Website, as may be amended from time to time in PCI SSC's discretion, including without limitation, any and all additional supplements or addenda thereto which are applicable to QSA as a result of its participation in the QSA Program and related qualified security assessor initiatives operated by PCI SSC (each of which initiatives is hereby deemed to be included within the meaning of the term "QSA Program" for purposes of this Agreement); and (v) "QSA Requirements" means the obligations and requirements of QSA pursuant to this Agreement, the QSA Validation Requirements and any other agreement, addendum, supplement or other document entered into between PCI SSC and QSA.

The QSA Validation Requirements are hereby incorporated into this Agreement, and QSA acknowledges and agrees that it has reviewed the current version of the QSA Validation Requirements available on the Website.

QSA acknowledges that data security practices exist within a rapidly changing environment and agrees to monitor the Website at least weekly for changes to the PCI DSS, the QSA Validation Requirements and/or the Payment Card Industry (PCI) Data Security Standard Security Audit Procedures (the "PCI DSS Security Audit Procedures"), also available on the Website and incorporated herein by reference. QSA will incorporate all such changes into all Assessments initiated on or after the effective date of such changes.
PCI SSC will not accept any Report of Compliance ("ROC") regarding an Assessment that is not conducted in accordance with the PCI DSS and PCI DSS Security Audit Procedures in effect at the initiation date of such Assessment.

A.3.2 Performance of Services

QSA warrants and represents that it will perform each Assessment in strict compliance with the PCI DSS Security Audit Procedures in effect as of the commencement date of such Assessment. Without limiting the foregoing, QSA will include in each ROC an Attestation of Compliance in the form available through the Website signed by a duly authorized officer of QSA, in which QSA certifies without qualification that (a) the PCI DSS Security Audit Procedures were followed without deviation and (b) application of such procedures did not indicate any conditions of non-compliance with the PCI DSS other than those noted in the ROC.

A.3.3 QSA Service Staffing

QSA shall ensure that a QSA employee that is fully qualified in accordance with all applicable provisions of the QSA Validation Requirements supervises all aspects of each engagement to perform Services, including without limitation, being present onsite for the duration of the Assessment, reviewing the work product that supports the QSA's audit procedures, and ensuring adherence to PCI DSS Security Audit Procedures. Employees performing the following tasks must also be PCI SSC-qualified: scoping decisions, selection of systems and system components where sampling is employed (in accordance with the PCI DSS Security Audit Procedures), evaluation of compensating controls and/or final report production and/or review.

A.3.4 QSA Requirements

QSA agrees to adhere to all QSA Requirements, including without limitation, the requirements stated in this Agreement and all requirements applicable to Qualified Security Assessors (as defined in the QSA Validation Requirements) stated in the QSA Validation Requirements. Without limiting the foregoing, QSA agrees to comply with all requirements regarding background checks as set forth in the QSA Validation Requirements and warrants that it has obtained all required consents to such background checks from each employee designated by QSA to PCI SSC to perform Services hereunder. Further, QSA warrants that, to the best of QSA's ability to determine, all information provided to PCI SSC in connection with this Agreement and QSA's participation in the QSA Program is and shall be accurate and complete as of the date such information is provided. Additionally, QSA acknowledges that PCI SSC may from time to time require QSA to provide a representative to attend any mandatory training programs in connection with the QSA Program, which may require the payment of attendance and other fees.

A.4 Fees

QSA shall pay all fees (collectively, "Fees") as specified in Appendix D of the QSA Validation Requirements (the "Fee Schedule").
QSA acknowledges that PCI SSC may review and modify the fees specified in the Fee Schedule at any time and from time to time. Whenever a change in such Fees occurs, PCI SSC shall notify QSA in accordance with the terms of Section A10.1. Such change(s) will be effective thirty (30) days after the date of such notification. However, should QSA not agree with such change(s), QSA shall have the right to terminate this Agreement upon written notice to PCI SSC in accordance with the provisions of Section A10.1 at any time within such 30-day period.

A.4.1 Initial Fee

The applicable regional "Initial Processing Fee" specified in the Fee Schedule will be due and payable upon submission of QSA's executed version of this Agreement to PCI SSC for PCI SSC's approval for each region in which QSA has indicated it will perform Services. This Agreement will not be considered for PCI SSC approval until such Initial Fee payments have been received.

A.4.2 Initial Qualification Fee

The "Qualification Fee" specified in the Fee Schedule will be due and payable within thirty (30) days of notice to QSA that this Agreement has become effective; provided, however, that notwithstanding anything to the contrary in Section A5.1(a) of this Agreement, QSA will not be listed on the QSA List (defined in Section A5.1(a)) until the Qualification Fee is paid in full.

A.4.3 Annual Qualification Fees

Annual Qualification Fees for each Renewal Term (as defined in Section A9.1), as determined by PCI SSC, will be due and payable within thirty (30) days of notice that QSA has been re-qualified for such Renewal Term.

A.4.4 Training Fees

Fees in the amount established by PCI SSC for training of QSA personnel will be due and payable within thirty (30) days after a QSA training session has been scheduled, and in any event, prior to such training session. QSA personnel will not be admitted to training sessions until applicable fees have been paid in full.

A.4.5 Additional Fees

QSA acknowledges that additional Fees may apply, including without limitation, fees to cover administrative costs, re-listing on the QSA List, penalties and other costs, and that QSA will pay all such Fees as and when required.

A.4.6 Nonrefundable Fees

All Fees paid by QSA pursuant to this Agreement are nonrefundable (regardless of whether QSA's application is approved, QSA has been removed from the QSA List, this Agreement has been terminated or otherwise).

A.5 Advertising and Promotion; Intellectual Property

A.5.1 QSA List and QSA Use of PCI SSC Materials and Marks

(a) So long as QSA is in Good Standing (as defined below) as a Qualified Security Assessor, PCI SSC may, at its sole discretion, display the identification of QSA, together with related information regarding QSA's status as a Qualified Security Assessor, in such publicly available list of Qualified Security Assessors as PCI SSC may maintain and/or distribute from time to time, whether on the Website or otherwise (the "QSA List"). QSA shall provide all requested information necessary to ensure to PCI SSC's satisfaction that the identification and information relating to QSA on the QSA List is accurate.
QSA shall be deemed to be in "Good Standing" as a Qualified Security Assessor as long as this Agreement is in full force and effect, QSA has been approved as a QSA and such approval has not been revoked and QSA is not in breach of any of the terms or conditions of this Agreement (including without limitation, all provisions regarding compliance with the QSA Validation Requirements and payment). Without limiting the rights of PCI SSC set forth in the first sentence of this Section or in Section A9 below, PCI SSC expressly reserves the right to remove QSA from the QSA List at any time during which QSA is not in Good Standing as a Qualified Security Assessor.

(b) In advertising or promoting its Services, so long as QSA is in Good Standing as a Qualified Security Assessor, QSA may make reference to the fact that QSA is listed in the QSA List, provided that it may do so only during such times as QSA actually appears in the QSA List.

(c) Except as expressly authorized herein, QSA shall not use any PCI SSC mark without the prior written consent of PCI SSC in each instance. QSA shall not use any Member mark without the prior written consent of the owner of such mark in each instance. Without limitation of the foregoing, except as expressly authorized herein, QSA shall have no authority to make, and consequently shall not make, any statement that would constitute any implied or express endorsement, recommendation or warranty by PCI SSC or any Member regarding QSA, the Services or related products, or the functionality, quality or

performance of any aspect of any of the foregoing. QSA shall not: (i) make any false, misleading or incomplete statements regarding, or misrepresent the requirements of, PCI SSC, any Member or the PCI DSS, including without limitation, any requirement regarding the implementation of the PCI DSS or the application thereof to any Subject, or (ii) state or imply that the PCI DSS requires usage of QSA's products or services.

Except with respect to (A) factual references to the QSA Program or to PCI Materials (defined in Section A7.3) that QSA includes from time to time in its contracts with Subjects and that are required or appropriate in order for QSA to accurately describe the nature of the Services QSA will provide pursuant to such contracts, (B) references permitted pursuant to Section A5.1(b) above and (C) references that PCI SSC has expressly authorized pursuant to a separate written agreement with QSA, QSA may not publish, disseminate or otherwise make available any statements, materials or products (in any form) that refer to the PCI DSS, the PCI Materials or any portion of the foregoing, QSA's listing on the QSA List, PCI SSC, any Member, or any PCI SSC or Member mark, unless such statement, material or product has been reviewed and approved in writing by PCI SSC and, to the extent applicable, such Member, prior to publication or other dissemination, in each instance.

Prior review and/or approval of such statements, materials or products by PCI SSC and/or any applicable Member does not relieve QSA of any responsibility for the accuracy and completeness of such statements, materials or products or for QSA's compliance with this Agreement or any applicable law.
Except as otherwise expressly agreed by PCI SSC in writing, any dissemination of promotional or other materials or publicity in violation of Section A5 shall be deemed a material breach of this Agreement and upon any such violation, PCI SSC may remove QSA's name from the QSA List and/or terminate this Agreement in its sole discretion. To the extent that QSA either uses or makes reference to any Member mark or makes any statement relating to any Member in violation of this Section A5.1, then such Member shall be an express third party beneficiary of this Section and shall have available to it all rights, whether at law or in equity, to enforce the provisions hereof on its own behalf and in its own right directly against QSA.

A.5.2 Uses of QSA Name and Designated Marks

QSA grants PCI SSC and each Member the right to use QSA's name and trademarks, as designated in writing by QSA, to list QSA on the QSA List and to include reference to QSA in publications to Financial Institutions, Issuers, Merchants, Acquirers, Processors, and the public regarding the QSA Program. Neither PCI SSC nor any Member shall be required to include any such reference in any materials or publicity regarding the QSA Program. QSA warrants and represents that it has authority to grant to PCI SSC and its Members the right to use its name and designated marks as contemplated by this Agreement.

A.5.3 No Other Rights Granted

Except as expressly stated in this Section A5, no rights to use any party's or Member's marks or other Intellectual Property Rights (as defined below) are granted herein, and each party respectively reserves all of its rights therein. Without limitation of the foregoing, except as expressly provided in this Agreement, no rights are granted to QSA with respect to any Intellectual Property Rights in the PCI DSS, the PCI DSS Security Audit Procedures or any other PCI Materials.


More information

Cyber ERM Proposal Form

Cyber ERM Proposal Form Cyber ERM Proposal Form This document allows Chubb to gather the needed information to assess the risks related to the information systems of the prospective insured. Please note that completing this proposal

More information

Remote Deposit Capture Services Disclosure and Agreement

Remote Deposit Capture Services Disclosure and Agreement Remote Deposit Capture Services Disclosure and Agreement Effective: April 1, 2013 In this Disclosure and Agreement, the words I, me, my, us and our mean the (member) that applied for and/or uses any of

More information

PAYROLL CARD PROGRAM EMPLOYER AGREEMENT

PAYROLL CARD PROGRAM EMPLOYER AGREEMENT PAYROLL CARD PROGRAM EMPLOYER AGREEMENT This Payroll Card Program Agreement (the Agreement ) is entered as of, (the Effective Date ), by and between ( Employer ), and TFG Card Solutions, Inc., dba SOLE

More information

PAI Secure Program Guide

PAI Secure Program Guide PAI Secure Program Guide A complete guide to understanding the Payment Card Industry Data Security Requirements (PCI DSS) and utilizing the PAI Secure Program Welcome to PAI Secure, a unique 4-step PCI-DSS

More information

BREACH RESPONSE INFORMATION SECURITY & PRIVACY INSURANCE WITH BREACH RESPONSE SERVICES

BREACH RESPONSE INFORMATION SECURITY & PRIVACY INSURANCE WITH BREACH RESPONSE SERVICES CG HIIG AP 01 02 17 BREACH RESPONSE INFORMATION SECURITY & PRIVACY INSURANCE WITH BREACH RESPONSE SERVICES SHORT FORM APPLICATION NOTICE: INSURING AGREEMENTS 1., 3., 4. AND 5. OF THIS POLICY PROVIDE COVERAGE

More information

TERMS FOR MOBILE BANKING

TERMS FOR MOBILE BANKING TERMS FOR MOBILE BANKING This Terms for Mobile Banking (this "Mobile Agreement") is to be agreed to by Fidelity Bank ("Bank," "we," "us," or "our") and the customer of Fidelity Bank desiring to utilize

More information

COGNIBOX SAAS AGREEMENT FOR CONTRACTORS

COGNIBOX SAAS AGREEMENT FOR CONTRACTORS COGNIBOX SAAS AGREEMENT FOR CONTRACTORS PLEASE READ THESE TERMS OF SERVICE CAREFULLY. BY CLICKING I AGREE, YOU AGREE TO THESE TERMS. These terms of service constitute an agreement (the Agreement ) by and

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Agreement dated as of is made by and between, on behalf of its (School/Department/Division) (hereinafter referred to as Covered Entity ) and, (hereinafter Business Associate

More information

ROI Avenue Advertising Services General Terms and Conditions

ROI Avenue Advertising Services General Terms and Conditions ROI Avenue Advertising Services General Terms and Conditions 1. Parties The Company and the Agency as specified in Campaign Order. The above named shall hereinafter individually be referred to as a Party

More information

2016 Pizza Hut BOOK IT! Grant Agreement

2016 Pizza Hut BOOK IT! Grant Agreement 2016 Pizza Hut BOOK IT! Grant Agreement Thank you for partnering with The BOOK IT! Program of Pizza Hut ( Grantor ), to enable access to reading resources and improve literacy, empower teachers to improve

More information

Whereas, NETA-certified Fitness Professionals ( Professionals ) are required to complete twenty (20) hours of continuing education

Whereas, NETA-certified Fitness Professionals ( Professionals ) are required to complete twenty (20) hours of continuing education Continuing Education Provider Agreement This non-exclusive Continuing Education Provider Agreement ( Agreement ), effective as of this day of 2018 is entered into by and between National Exercise Trainers

More information

SUBSCRIBER AGREEMENT

SUBSCRIBER AGREEMENT SUBSCRIBER AGREEMENT This Subscriber Agreement (the Agreement ) is made and entered into and is effective as of the date the last party executes this Agreement, is between Texas Association of REALTORS,

More information

ADDENDUM TO UNIVEST ONLINE BANKING AGREEMENT

ADDENDUM TO UNIVEST ONLINE BANKING AGREEMENT ADDENDUM TO UNIVEST ONLINE BANKING AGREEMENT This Addendum ( Addendum ) to the Univest Online Banking Agreement (the "Online Banking Agreement") between you and Univest Bank and Trust Company ("Univest")

More information

zspace PROGRAMS MASTER TERMS & CONDITIONS

zspace PROGRAMS MASTER TERMS & CONDITIONS zspace PROGRAMS MASTER TERMS & CONDITIONS Effective February 2013 These zspace Programs Master Terms and Conditions apply to programs you enroll in with zspace. Various programs offered by zspace may include

More information

User Agreement 1. Your Rights.

User Agreement 1. Your Rights. User Agreement This User Agreement ("Agreement"), and the terms and conditions set forth herein, are a legal contract governing your use of the RSMeans Online TM Website ("Website"), both as a paid subscriber

More information

SUBSCRIBER AGREEMENT FOR TAX RETURN VERIFICATION SERVICES (TRV)

SUBSCRIBER AGREEMENT FOR TAX RETURN VERIFICATION SERVICES (TRV) SUBSCRIBER AGREEMENT FOR TAX RETURN VERIFICATION SERVICES (TRV) This Agreement ( Agreement ), dated (the Effective Date ), by and between ( Agency ), with offices at, and the undersigned ( Subscriber ).

More information

Data Processing Addendum

Data Processing Addendum Data Processing Addendum Based on the General Data Protection Regulation (GDPR) and European Commission Decision 2010/87/EU - Standard Contractual Clauses (Processors) This Data Processing Addendum ( DPA

More information

Lifesize, Inc. Data Processing Addendum

Lifesize, Inc. Data Processing Addendum Last updated May 1, 2018 Lifesize, Inc. Data Processing Addendum This Lifesize, Inc. Data Processing Addendum ( Addendum ) forms part of the Terms of Service (the Agreement ) between Lifesize, Inc. ( Lifesize

More information

AETNA BETTER HEALTH OF KENTUCKY

AETNA BETTER HEALTH OF KENTUCKY AETNA BETTER HEALTH OF KENTUCKY Provider Secure Web Portal & Member Care Information Portal registration form Thank you for your interest in registering for the Aetna Better Health Provider Secure Web

More information

GDPR Data Processing Addendum (DPA) Instructions for Area 1 Security Customers

GDPR Data Processing Addendum (DPA) Instructions for Area 1 Security Customers Area 1 Security, Inc. 142 Stambaugh Street Redwood City, CA 94063 EU GDPR DPA GDPR Data Processing Addendum (DPA) Instructions for Area 1 Security Customers Who should execute this DPA: If you qualify

More information

DATA PROCESSING AGREEMENT (GDPR, Privacy Shield, and Standard Contractual Clauses)

DATA PROCESSING AGREEMENT (GDPR, Privacy Shield, and Standard Contractual Clauses) DATA PROCESSING AGREEMENT (GDPR, Privacy Shield, and Standard Contractual Clauses) This Data Processing Agreement ("DPA") forms part of the Master Services and Subscription Agreement between Customer and

More information

DATA PROCESSING ADDENDUM

DATA PROCESSING ADDENDUM DATA PROCESSING ADDENDUM Based on the General Data Protection Regulation (GDPR) and European Commission Decision 2010/87/EU - Standard Contractual Clauses (Processors) This Data Processing Addendum ( DPA

More information

External Account Transfer Agreement July 16, 2014

External Account Transfer Agreement July 16, 2014 External Account Transfer Agreement July 16, 2014 Welcome to Altra Federal Credit Union s External Accounts Transfer Service. With this Service, you may transfer funds from your Credit Union account(s)

More information

DATA PROCESSING ADDENDUM (INCLUDING EU STANDARD CONTRACTUAL CLAUSES)

DATA PROCESSING ADDENDUM (INCLUDING EU STANDARD CONTRACTUAL CLAUSES) DATA PROCESSING ADDENDUM (INCLUDING EU STANDARD CONTRACTUAL CLAUSES) This Data Processing Addendum ( DPA ) shall become effective without any further action by the parties: (a) if Customer signing this

More information

State of New Mexico Medicaid Program Electronic Data Interchange (EDI) Provider Enrollment Application

State of New Mexico Medicaid Program Electronic Data Interchange (EDI) Provider Enrollment Application State of New Mexico Medicaid Program Electronic Data Interchange (EDI) Provider Enrollment Application New Mexico EDI Provider Enroll App 7-27-17 1 Name and Business Organization Information Direct EDI

More information

BUSINESS ASSOCIATE AGREEMENT (for use when there is no written agreement with the business associate)

BUSINESS ASSOCIATE AGREEMENT (for use when there is no written agreement with the business associate) BUSINESS ASSOCIATE AGREEMENT (for use when there is no written agreement with the business associate) This HIPAA Business Associate Agreement ( Agreement ) is entered into this day of, 20, by and between

More information

IBM Agreement for Services Excluding Maintenance

IBM Agreement for Services Excluding Maintenance IBM Agreement for Services Excluding Maintenance This IBM Agreement for Services Excluding Maintenance (called the Agreement ) governs transactions by which Customer acquires Services (including, without

More information

Credit Card Handling Security Standards

Credit Card Handling Security Standards Credit Card Handling Security Standards Overview This document is intended to provide guidance regarding the processing of charges and credits on credit and/or debit cards. These standards are intended

More information

Reseller Agreement TeraByte Unlimited ( TeraByte )

Reseller Agreement TeraByte Unlimited ( TeraByte ) TeraByte Unlimited ( TeraByte ) PLEASE READ THIS RESELLER AGREEMENT CAREFULLY BEFORE SELLING, RESELLING, DISTRIBUTING, TRANSFERRING, OR OFFERING FOR SALE OR RESALE ANY PACKAGED SOFTWARE PRODUCTS FROM TERABYTE.

More information

Ball State University

Ball State University PCI Data Security Awareness Training Agenda What is PCI-DSS PCI-DDS Standards Training Definitions Compliance 6 Goals 12 Security Requirements Card Identification Basic Rules to Follow Myths 1 What is

More information

HOW TO REGISTER ON THE OECD ESOURCING PORTAL

HOW TO REGISTER ON THE OECD ESOURCING PORTAL HOW TO REGISTER ON THE OECD ESOURCING PORTAL Bidder - User Guide OECD all rights reserved Create your Organisation Profile Access the esourcing Portal following the link: https://oecd.bravosolution.com

More information

SOFTWARE LICENSE AGREEMENT

SOFTWARE LICENSE AGREEMENT USE OF SUBMITTAL EXCHANGE ON THIS PROJECT IS GOVERNED BY THE SOFTWARE LICENSE AGREEMENT. IF SUBSCRIBER DOES NOT AGREE TO ALL OF THE TERMS AND CONDITIONS OF THIS AGREEMENT, DO NOT USE THE SERVICE. BY USING

More information

SCHEDULE A TERMS AND CONDITIONS

SCHEDULE A TERMS AND CONDITIONS SCHEDULE A TERMS AND CONDITIONS Section A - General Provisions 1. Definitions. Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to such terms in Section B (Glossary

More information

MNsure Certified Application Counselor Services Agreement with Tribal Nation Attachment A State of Minnesota

MNsure Certified Application Counselor Services Agreement with Tribal Nation Attachment A State of Minnesota MNsure Certified Application Counselor Services Agreement with Tribal Nation Attachment A State of Minnesota 1. MNsure Duties A. Application Counselor Duties (a) (b) (c) (d) (e) (f) Develop and administer

More information

MSSNG A Program of Autism Speaks Inc. 85 Devonshire St Boston, MA 02109, USA (617) MSSNG DATABASE ACCESS AGREEMENT (DAA) (VERSION 1.

MSSNG A Program of Autism Speaks Inc. 85 Devonshire St Boston, MA 02109, USA (617) MSSNG DATABASE ACCESS AGREEMENT (DAA) (VERSION 1. MSSNG A Program of Autism Speaks Inc. 85 Devonshire St Boston, MA 02109, USA (617) 726-1515 MSSNG DATABASE ACCESS AGREEMENT (DAA) (VERSION 1.6) INTRODUCTION MSSNG is a groundbreaking program sponsored

More information

Indiana University Payment Card Merchant Agreement

Indiana University Payment Card Merchant Agreement Indiana University Payment Card Merchant Agreement This Merchant Agreement (the Agreement ), executed on the date stated below, which includes any schedule or addendum to this Agreement, all of which are

More information

VENDOR PROGRAM. Vendors must complete the Vendor Screening and Disclosure Form as follows: *must be completed prior to any signed purchase order

VENDOR PROGRAM. Vendors must complete the Vendor Screening and Disclosure Form as follows: *must be completed prior to any signed purchase order VENDOR PROGRAM 1. PURPOSE The purpose of this policy is to outline the standards that the Hospital utilizes in evaluating which vendors to contract with, the standards for contracting, and the code of

More information

DATA PROCESSING ADDENDUM

DATA PROCESSING ADDENDUM DATA PROCESSING ADDENDUM This Data Processing Addendum ( DPA ) forms part of the Master Purchase Agreement, Customer Agreement, Channel Partner Agreement, End User License Agreement or other written agreement

More information

BULLETIN. DESKTOP UNDERWRITER SCHEDULE (Seller/Servicer Version) Among other things, the New DU Schedule addresses and/or provides for:

BULLETIN. DESKTOP UNDERWRITER SCHEDULE (Seller/Servicer Version) Among other things, the New DU Schedule addresses and/or provides for: DU 16-02 Effective Date: December 10, 2016 BULLETIN DESKTOP UNDERWRITER SCHEDULE (Seller/Servicer Version) This Bulletin is issued in accordance with the section of the Fannie Mae Software Subscription

More information

Website Development & Hosting Agreement

Website Development & Hosting Agreement Website Development & Hosting Agreement The following are terms of a Website Development & Hosting Agreement (the "Agreement") between you (the Customer or you ) and ("Company", "we", or "us") CarlosLincoln.com.

More information

Subscriber Agreement for Entrust Certificates for Adobe Certified Document Services

Subscriber Agreement for Entrust Certificates for Adobe Certified Document Services Subscriber Agreement for Entrust Certificates for Adobe Certified Document Services Attention - read carefully: this Subscriber Agreement for Entrust Certificates for Adobe CDS ("Agreement") is a legal

More information

FastTrack Partner Program for Overland Storage Tandberg Data

FastTrack Partner Program for Overland Storage Tandberg Data FastTrack Partner Program for Overland Storage Tandberg Data FastTrack Partner Program Terms and Conditions This FastTrack Partner Program Terms and Conditions (this Agreement ) sets forth the terms and

More information

TERMS OF USE. Unless otherwise noted, all tickets, goods, and services sold on the TicketBiscuit platform adhere to a NO REFUNDS, NO EXCHANGES policy.

TERMS OF USE. Unless otherwise noted, all tickets, goods, and services sold on the TicketBiscuit platform adhere to a NO REFUNDS, NO EXCHANGES policy. TERMS OF USE Hello & welcome, ticket purchasers! The following Terms of Use govern the use of this site, www.ticketbiscuit.com, www.tututix.com, www.whistletix.com, www.statechamps.com, and www.battlepass.com,

More information

National Water Company 2730 W Marina Dr. Moses Lake, WA AGENCY AGREEMENT

National Water Company 2730 W Marina Dr. Moses Lake, WA AGENCY AGREEMENT National Water Company 2730 W Marina Dr. Moses Lake, WA 98837 AGENCY AGREEMENT This Agency Agreement (hereafter "Agreement"), by and between National Water Company, LLC, a Montana registered company, ("NWC"),

More information

DATA PROCESSING ADENDUM

DATA PROCESSING ADENDUM W www.exponea.com C +421 948 127 332 sales@exponea.com A Exponea, Twin City B, Mlynské Nivy 12 821 09 Bratislava, SK DATA PROCESSING ADENDUM Exponea s.r.o. registered in the Commercial Register maintained

More information

EU GDPR DATA PROCESSING ADDENDUM INSTRUCTIONS FOR CLOUDFLARE CUSTOMERS

EU GDPR DATA PROCESSING ADDENDUM INSTRUCTIONS FOR CLOUDFLARE CUSTOMERS EU GDPR DATA PROCESSING ADDENDUM INSTRUCTIONS WHO SHOULD EXECUTE THIS DPA: FOR CLOUDFLARE CUSTOMERS If you have determined that you qualify as a data controller under the GDPR, and need a data processing

More information

County of Greene, New York REQUEST FOR PROPOSALS (RFP) TO PROVIDE INSURANCE BROKERAGE SERVICES FOR THE COUNTY OF GREENE

County of Greene, New York REQUEST FOR PROPOSALS (RFP) TO PROVIDE INSURANCE BROKERAGE SERVICES FOR THE COUNTY OF GREENE County of Greene, New York REQUEST FOR PROPOSALS (RFP) TO PROVIDE INSURANCE BROKERAGE SERVICES FOR THE COUNTY OF GREENE SECTION 1: PURPOSE. 1.1 The County of Greene hereby requests proposals from interested

More information

NASDAQ Futures, Inc. Off-Exchange Reporting Broker Agreement

NASDAQ Futures, Inc. Off-Exchange Reporting Broker Agreement 2. Access to the Services. a. The Exchange may issue to the Authorized Customer s security contact person, or persons (each such person is referred to herein as an Authorized Security Administrator ),

More information

PayPal Website Payments Pro and Virtual Terminal Agreement

PayPal Website Payments Pro and Virtual Terminal Agreement >> View all legal agreements PayPal Website Payments Pro and Virtual Terminal Agreement Last Update: March 29, 2017 Print Download PDF This PayPal Website Payments Pro and Virtual Terminal agreement ("Pro/VT

More information

Hull & Company, LLC Tampa Bay Branch PRODUCER AGREEMENT

Hull & Company, LLC Tampa Bay Branch PRODUCER AGREEMENT Hull & Company, LLC Tampa Bay Branch PRODUCER AGREEMENT THIS PRODUCER AGREEMENT (this Agreement ), dated as of, 20, is made and entered into by and between Hull & Company, LLC, a Florida corporation (

More information

Subject: Protecting cardholder data in support of the Payment Card Industry (PCI) Data Security Standards

Subject: Protecting cardholder data in support of the Payment Card Industry (PCI) Data Security Standards University Policy: Cardholder Data Security Policy Category: Financial Services Subject: Protecting cardholder data in support of the Payment Card Industry (PCI) Data Security Standards Office Responsible

More information

ACCENTURE PURCHASE ORDER TERMS AND CONDITIONS

ACCENTURE PURCHASE ORDER TERMS AND CONDITIONS ACCENTURE PURCHASE ORDER TERMS AND CONDITIONS 1. Scope. Accenture is a company ( Accenture ) that purchases third party hardware, software licenses, and related items (collectively, Products, or each,

More information

Mobile Check Deposit Disclosure & Agreement

Mobile Check Deposit Disclosure & Agreement MOBILE CHECK DEPOSIT Mobile Check Deposit Disclosure & Agreement This disclosure and agreement is being provided by Allegany County Teachers Federal Credit Union in connection with your enrollment for

More information

Lystable SaaS Terms of Use

Lystable SaaS Terms of Use of Use These Lystable software as a service (SaaS) terms of use (the Terms ) are effective as of the Effective Date and in conjunction with the Privacy Policy and any other terms and conditions of use

More information

Axosoft Software as a Service Agreement

Axosoft Software as a Service Agreement Axosoft Software as a Service Agreement IMPORTANT - PLEASE READ CAREFULLY: BY CREATING AN ACCOUNT OR BY UTILIZING THE AXOSOFT SERVICE YOU AGREE TO BE BOUND BY THESE TERMS AND CONDITIONS. This software

More information

LETTER OF UNDERTAKING FOR CASH MANAGEMENT PRE-AUTHORIZED DEBITS

LETTER OF UNDERTAKING FOR CASH MANAGEMENT PRE-AUTHORIZED DEBITS LETTER OF UNDERTAKING FOR CASH MANAGEMENT PRE-AUTHORIZED DEBITS This Agreement is made between RBC Direct Investing Inc. (the Sponsoring Member ) and the undersigned client of the Sponsoring Member whose

More information

FANBANK MERCHANT TERMS OF SERVICE Last Updated June 12, 2018

FANBANK MERCHANT TERMS OF SERVICE Last Updated June 12, 2018 Welcome to Fanbank! Fanbank operates a technology enabled platform that uses a variety of strategies to provide marketing, loyalty and commerce Programs to locally-owned, participating businesses ( Services

More information

Data Protection Agreement

Data Protection Agreement Data Protection Agreement This Data Protection Agreement (the DPA ) becomes effective on May 25, 2018. The Customer shall make available to GURTAM and the Customer authorizes GURTAM to process information

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (this Agreement ) is by and between You, the Covered Entity ( Covered Entity ), and Paubox, Inc. ( Business Associate ). This BAA is effective

More information

INFINID APPLICATION TERMS OF USE These Infinid Application Terms of Use Supplemental License Terms, as amended from time to time ( DrFirst

INFINID APPLICATION TERMS OF USE These Infinid Application Terms of Use Supplemental License Terms, as amended from time to time ( DrFirst INFINID APPLICATION TERMS OF USE These Infinid Application Terms of Use Supplemental License Terms, as amended from time to time ( DrFirst Supplemental Terms ), constitute the supplemental license terms

More information