Payment Card Industry (PCI) Qualified Integrators and Resellers

Transcription

1 Payment Card Industry (PCI) Qualified Integratrs and Resellers Prgram Guide Versin 3.0 September 2015

2 Dcument Changes Date Versin Descriptin August Initial release f the PCI Qualified Integratrs and Resellers (QIR) Prgram Guide Octber Minr edits t align with PCI DSS and PA-DSS v3.0 N/A 2.0 Versin number nt used September Minr edits t simplify prgram, e.g., Allwing sle prprietrs t jin the prgram by remving the requirement t have tw trained emplyees n staff at all times QIR Prgram Guide, v 3.0 September PCI Security Standards Cuncil, LLC Page i

3 Table f Cntents Dcument Changes... i 1 Intrductin QIR Prgram Backgrund Related Publicatins Terminlgy QIR Prgram Rles and Respnsibilities Prgram Overview Fees QIR Qualificatin Prcess QIR Required Requalificatin Prcesses Pre-Implementatin Activities Preparatin Qualified Installatin Prcess Overview Implementatin Executin Pst-Implementatin Activities Implementatin Reprting Onging Supprt Engagement Terminatin QIR Quality Management QIR Cmpany Respnsibilities PCI SSC s Rle in Quality Management QIR Cmpany Status... 9 Appendix A: Acceptable Frms f Dcumented Evidence QIR Prgram Guide, v 3.0 September PCI Security Standards Cuncil, LLC Page ii

4 1 Intrductin This dcument prvides an verview f the PCI SSC Qualified Integratrs and Resellers Prgram ( QIR Prgram ) perated and managed by PCI Security Standards Cuncil, LLC ( PCI SSC ), and shuld be read in cnjunctin with the Qualificatin Requirements Fr Qualified Integratrs and Resellers (QIRs) QIR Qualificatin Requirements ), and the ther dcuments referenced in Sectin 1.2 belw. This dcument describes the fllwing: QIR Prgram Backgrund QIR Prgram Rles and Respnsibilities QIR Prgram Overview Pre-Implementatin Activities Qualified Installatin Prcess Overview Pst-Implementatin Activities QIR Quality Management 1.1 QIR Prgram Backgrund PCI SSC perates the Payment Applicatin Data Security Standards (PA-DSS) prgram. The prgram prmtes the develpment and implementatin f secure cmmercial payment applicatins that d nt stre prhibited data, and helps t ensure that payment applicatins supprt cmpliance with the PCI DSS. Organizatins qualified by PCI SSC t implement, cnfigure and/r supprt PA-DSS validated Payment Applicatins n behalf f merchants and service prviders are referred t as Qualified Integratr and Reseller Cmpanies r QIR Cmpanies. The quality, reliability and cnsistency f a QIR Cmpany s wrk prvide cnfidence that the applicatin has been implemented in a manner that supprts the custmer s PCI DSS cmpliance. 1.2 Related Publicatins The Payment Card Industry (PCI) Qualified Integratrs and Resellers (QIR) Prgram Guide (r QIR Prgram Guide ) shuld be used in cnjunctin with the latest versins f the fllwing ther PCI SSC publicatins, each as available thrugh the Website: QIR Qualificatin Requirements, which defines requirements that must be satisfied by QIR Cmpanies in rder t perfrm Qualified Installatins PCI DSS, which sets the fundatin fr ther PCI Standards and related requirements PA-DSS, which defines the specific technical requirements and prvides related assessment prcedures and templates used t validate payment applicatins and dcument the validatin prcess QIR Implementatin Statement, which is a template used t dcument the results f a Qualified Installatin QIR Implementatin Instructins, which is a guidance dcument used t explain hw t cmplete the QIR Implementatin Statement QIR Prgram Guide, v 3.0 September PCI Security Standards Cuncil, LLC Page 1

5 1.3 Terminlgy Except as therwise specified herein, capitalized terms used but nt defined in this dcument shall have the meanings ascribed t them in Schedule 1 t the QIR Qualificatin Requirements. 1.4 QIR Prgram Rles and Respnsibilities The QIR Prgram simplifies the prcess fr identifying and engaging integratrs and resellers qualified t assist merchants and industry participants in their effrt t install PA-DSS validated payment applicatins in a manner that facilitates PCI DSS cmpliance. A QIR Cmpany may be any frm f legal entity and must cmply with all QIR Cmpany Requirements. Only cmpanies that are qualified by PCI SSC and are in Gd Standing (r in Remediatin) as QIR Cmpanies are permitted t perfrm Qualified Installatins. All QIR Cmpanies are listed n the QIR List. QIR Cmpany respnsibilities generally include (withut limitatin) the fllwing: Ensuring installatins and cnfiguratins f PA-DSS validated Payment Applicatins are in accrdance with the applicable PA-DSS Implementatin Guide in a manner which supprts PCI DSS cmpliance. Prviding the custmer with a cmpleted QIR Implementatin Statement after installatin and cnfiguratin f a PA-DSS validated applicatin. Dcumenting any ptential risks t PCI DSS cmpliance identified by the QIR Emplyee in the QIR Implementatin Statement. Maintaining a quality assurance prgram that includes vetting f emplyees invlved in Qualified Installatins, persnnel training and educatin n PCI DSS and applicable PA- DSS Implementatin Guides. Prtecting cnfidential and sensitive infrmatin. Supprting any PFI frensic investigatins in which the applicatin the QIR installed at a custmer envirnment may be invlved. Servicing the payment applicatins (fr example, trubleshting, delivering remte updates and prviding remte supprt) if engaged t d s, accrding t the PA-DSS Implementatin Guide and PCI DSS. 2 Prgram Overview The gal f the QIR Prgram is t educate, qualify and train rganizatins invlved in the implementatin, cnfiguratin and/r supprt f a PA-DSS validated payment applicatin n behalf f a merchant r service prvider. The prgram fcuses n tw cre bjectives: Ensuring that QIR Cmpanies install and cnfigure PA-DSS validated payment applicatins int custmer envirnments in a manner that supprts PCI DSS cmpliance, and Ensuring that QIR Cmpanies are accuntable fr ensuring that such installatins facilitate their custmers PCI DSS cmpliance effrts. QIR Prgram Guide, v 3.0 September PCI Security Standards Cuncil, LLC Page 2

6 2.1 Fees QIR Prgram Guide, v 3.0 September PCI Security Standards Cuncil, LLC Page 3 Fees t participate as a QIR Cmpany in the QIR Prgram are specified in the QIR Prgram Fee Schedule n the Website. Pricing and fees charged by QIR Cmpanies fr the services they prvide t custmers in cnnectin with Qualified Installatins are negtiated directly between the QIR Cmpany and the applicable custmer. Fees and pricing fr Qualified Installatins and related services f QIR Cmpanies are nt set by PCI SSC, and PCI SSC is nt invlved in any way with such fees r pricing. 2.2 QIR Qualificatin Prcess In an effrt t help ensure that each QIR Cmpany and QIR Emplyee pssesses the requisite knwledge, skills, experience and capacity t perfrm installatins f PA-DSS validated applicatins in a prficient manner and in accrdance with industry expectatins, cmpanies and individuals desiring t perfrm Qualified Installatins must first be qualified as QIR Cmpanies r QIR Emplyees (as applicable), and then must maintain that qualificatin in Gd Standing. Please refer t the QIR Qualificatin Requirements t review specific infrmatin regarding qualificatin as a QIR Cmpany r QIR Emplyee. 2.3 QIR Required Requalificatin Prcesses In additin t all ther applicable requirements, each QIR Cmpany must perfrm the prcesses listed belw in rder t remain in Gd Standing: Requalify every three years. Require all cntinuing QIR Emplyees t successfully cmplete all required QIR Prgram training and training examinatins every three years. QIR Emplyees failing t satisfy this requirement must d s befre leading r managing any Qualified Installatin. Annually review and update, as applicable, the QIR Cmpany s Quality Manual (See Sectin 6.1 belw). Require all QIR Emplyees t annually review PA-DSS Payment Applicatin training materials t maintain current knwledge f all majr and minr sftware changes. Train emplyees and cntractrs with access t custmer sites n hw t access, install, maintain and supprt payment applicatins (and any cnnected systems) in accrdance with the infrmatin prvided by the applicatin vendr in the PA-DSS Implementatin Guide and ther supprting materials. 3 Pre-Implementatin Activities 3.1 Preparatin T help ensure that each QIR Cmpany and QIR Emplyee pssesses the requisite knwledge, skills, experience and capacity t perfrm Qualified Installatins in a prficient manner, and in accrdance with industry expectatins, each QIR Cmpany and each QIR Emplyee is required at all times t satisfy all applicable QIR Qualificatin Requirements. The current versin f these requirements is available n the Website. Applicatins validated as cmpliant with the PA-DSS and accepted by PCI SSC are identified n the list f validated Payment Applicatins n the Website (the Applicatin List ). Only the specific

7 QIR Prgram Guide, v 3.0 September PCI Security Standards Cuncil, LLC Page 4 versins f the Payment Applicatins that appear in the Applicatin List ( Validated Applicatin Versins ) have been evaluated and determined t cmply with the PA-DSS and therefre are eligible fr Qualified Installatins. Preparatin activities that the QIR Cmpany must cnsider prir t undertaking a Qualified Installatin include but are nt limited t: Sell and install nly thse Validated There are tw types f validated Payment Applicatin Versins that are identified n Applicatins: Acceptable fr New the Website as Acceptable fr New Deplyments and Acceptable nly fr Pre- Deplyments. Existing Deplyments. These are identified as tw different tabs n the Website and als Cnfirm befre the start f a new Engagement that the applicatin is Acceptable fr New Deplyments. in the Deplyment Ntes fr each validated applicatin. Be prepared t answer any questins the custmer may have, r knw where t refer the custmer, regarding the payment applicatin listing infrmatin n the Website, such as: The Revalidatin Date is based n the acceptance f a specific applicatin by PCI SSC. Each validated payment applicatin must underg an annual attestatin until the Expiry Date is reached. Payment applicatins that have nt yet expired appear n the Acceptable fr New Deplyments list. The Expiry Date is based n the lifecycle f PA-DSS. All payment applicatins validated t a particular versin f PA-DSS expire n the same date. When the Expiry Date is reached, if a specific payment applicatin has nt been validated against the current versin f PA-DSS, it will be placed n the Acceptable nly fr Pre-Existing Deplyments list. The perating system(s) n which the PA-DSS applicatin has been tested and any dependent hardware r sftware requirements are listed fr each payment applicatin n the Website. It is the respnsibility f the QIR Cmpany and applicable QIR Emplyee t ensure that the custmer s envirnment meets these minimum requirements fr each payment applicatin s implementatin. Ntify the custmer that PCI DSS cmpliance is at risk if any applicatin they chse t install r maintain has been identified as vulnerable r des nt appear n the Applicatin List as Acceptable fr New Deplyments. Ensure that all new and existing QIR Emplyees and cntractrs wh have access t custmer sites, cardhlder data r a custmer s CDE (cardhlder data envirnment) meet the requirements f PCI DSS PCI DSS 12.7 Screen ptential persnnel prir t hire t minimize the risk f attacks frm internal surces. (Examples f backgrund checks include previus emplyment histry, criminal recrd, credit histry, and reference checks.) The QIR Emplyee shuld, prir t undertaking a Qualified Installatin, review the latest payment applicatin vendr instructinal dcumentatin, PA-DSS Implementatin Guide and training prgrams fr the specific versin f the PA-DSS validated applicatin. Prvide the custmer with the name f the Lead QIR wh will be respnsible fr the Engagement, an estimate f wrk t be perfrmed, expected duratin f the wrk and ntice f any ptential dwn time.

8 Direct the custmer t the QIR Feedback Frm n the Website where the frm can be cmpleted and submitted t PCI SSC. Determine the level f access that will be required t supprt the custmer, and strictly fllw secure access, installatin, maintenance and supprt prcesses utlined in the applicatin vendr s latest PA-DSS Implementatin Guide. Ensure that QIR Emplyee access credentials are unique per QIR Emplyee and per custmer. Develp an installatin, cnfiguratin and maintenance plan frm the infrmatin prvided by the applicatin vendr in the PA-DSS Implementatin Guide and any ther supprting materials. 4 Qualified Installatin Prcess Overview 4.1 Implementatin Executin The PA-DSS Implementatin Guide is prvided by the vendr f the validated payment applicatin and is used by the QIR Cmpany t install, cnfigure and maintain the payment applicatin. Any questins abut the PA-DSS Implementatin Guide shuld be directed t the applicatin vendr. The QIR Implementatin Statement prvides a checklist f tasks t be cmpleted as part f a Qualified Installatin. Sme r all f these tasks will apply t any given implementatin. It is the respnsibility f the Lead QIR t understand hw each item within the QIR Implementatin Statement applies t the particular implementatin. All tasks in the QIR Implementatin Statement are the respnsibility f the Lead QIR. Sme f the tasks may be autmatically perfrmed by the payment applicatin; ther tasks will be perfrmed by the QIR Emplyee. The PA-DSS Implementatin Guide fr the validated payment applicatin will prvide instructins n hw t cnfigure the payment applicatin r ther sftware. The custmer may chse t perfrm sme f these tasks rather than the QIR Cmpany. It is imprtant that the Lead QIR dcument all tasks that bth the QIR Cmpany and the custmer are t perfrm, and that bth the QIR Cmpany and the custmer understand and agree t the tasks befre cmmencement. The QIR Implementatin Statement and the PA-DSS Implementatin Guide must bth be used during the installatin. The QIR Cmpany must retain evidence f all cnfigurable elements f a Qualified Installatin (whether perfrmed by the QIR Emplyee r custmer) and must retain these wrk papers as part f the installatin dcumentatin. Examples f types f evidence are prvided in Appendix A. 5 Pst-Implementatin Activities 5.1 Implementatin Reprting The QIR Implementatin Statement must be prduced as part f each Engagement and must be cmpleted and delivered t the custmer n later than ten (10) business days after cmpletin f the Qualified Installatin. The QIR Cmpany must stre the QIR Implementatin Statement and any assciated wrk papers in accrdance with the QIR Cmpany s current evidence retentin plicy and prcedures and fr a minimum f three (3) years frm the cmpletin f the Qualified Installatin. PCI SSC QIR Prgram Guide, v 3.0 September PCI Security Standards Cuncil, LLC Page 5

9 reserves the right t examine these dcuments upn reasnable ntice as part f the quality assurance prcess. A template fr the QIR Implementatin Statement is available n the Website. Supprting guidance, the QIR Implementatin Instructins, is als n the Website and explains hw t cmplete the QIR Implementatin Statement. The Implementatin Statement is divided int three (3) parts; Part 1: Implementatin Statement Summary, Part 2: Implementatin Statement Details and Part 3: QIR Emplyee Additinal Observatins. QIR Cmpanies must fllw the defined frmat fr all Qualified Installatins Part 1: Implementatin Statement Summary The Implementatin Statement Summary is used t prvide cnfirmatin and acceptance f the Qualified Installatin, alng with Custmer, QIR Cmpany and Payment Applicatin details. The fllwing infrmatin must be included in the QIR Implementatin Statement: Custmer s cmpany name and cntact details Name f QIR Cmpany Name and cntact details f the Lead QIR, and PA-DSS validated Payment Applicatin name, versin number and reference number as shwn n the Website Requested Cntent Quality Review Explanatin The QIR Cmpany must perfrm a quality review f the QIR Implementatin Statement t cnfirm accuracy and cmpleteness. Signatures The signature f the Lead QIR indicates acceptance f respnsibility and accuntability fr the cmpleted installatin. The signature f the custmer is required t cnfirm a cpy f the QIR Implementatin Statement has been prvided t them. NOTE: The Lead QIR is expected t review the results f the installatin with the custmer t demnstrate the Payment Applicatin has been installed and cnfigured in a manner that supprts cmpliance with PCI DSS, and if applicable, that ptential areas f vulnerability have been identified Part 2: Implementatin Statement Details The secnd sectin f the QIR Implementatin Statement cntains a checklist f tasks that must be cmpleted during the Qualified Installatin. The checklist prvides the QIR Emplyee with a systematic way t cmprehensively dcument each step f the Qualified Installatin. The activities cnducted during the installatin and cnfiguratin f the Payment Applicatin must be recrded s that the custmer understands, and has a recrd f, changes made t their envirnment. The QIR Implementatin Instructins prvides details fr each task. QIR Prgram Guide, v 3.0 September PCI Security Standards Cuncil, LLC Page 6

10 5.1.3 Part 3: QIR Emplyee Additinal Observatins The QIR Emplyee Additinal Observatins sectin prvides the QIR Emplyee a place t dcument any cncerns r issues identified during the Qualified Installatin. Any bservatins r details applicable t the verall installatin that the Custmer needs t be aware f shuld be recrded in this sectin. Als, any anmalies r issues bserved that may affect the Custmers PCI DSS cmpliance shuld be recrded here. This is als where the QIR Emplyee will recrd explanatins fr any tasks that culd nt be r were nt perfrmed as part f the Qualified Installatin, such as a required task that the Custmer executed rather than the QIR Emplyee. 5.2 Onging Supprt The QIR Cmpany may be asked t manage the payment applicatin after installatin. This may include applying updates r patches, changing cnfiguratins, etc. Wrk must be cnducted in accrdance with the PA-DSS Implementatin Guide and the QIR Implementatin Statement. When debugging r trubleshting fr custmers, the QIR Cmpany must verify that any cardhlder data, if necessary t reslve a prblem, is cllected in limited amunts, encrypted while stred and securely deleted immediately after use. The QIR Cmpany must immediately reprt all vulnerabilities r ptential breaches t the custmer. The QIR Cmpany must review, at least annually, updates t the applicable PA-DSS Implementatin Guide and supprting dcumentatin t remain current with all majr and minr sftware changes, and QIR Cmpany training materials must be updated t reflect all majr and minr sftware changes Remte Access If supprt is being prvided remtely, the QIR Cmpany must: Advise custmers t turn n remte management nly when necessary, mnitr when in use and t turn ff access immediately thereafter. Use remte management sftware nly when abslutely necessary, and in a secure manner, t access custmer sites fr the purpses f installatin, supprt, and maintenance. Use tw-factr authenticatin with strng cryptgraphy. QIR Cmpanies using remte access sftware must fllw the PA-DSS Implementatin Guide, which cntains instructins n using remte access security features. The QIR Cmpany is required t manage all remte access t custmers as fllws: Site access must be restricted and authenticatin credentials assigned t nly thse persnnel wh need access. Remte QIR Cmpany access t custmer sites must nly cme frm specific and knwn IP addresses. Unique, cmplex and secure authenticatin credentials must be used fr each custmer. Data transmissins must always be encrypted. QIR Prgram Guide, v 3.0 September PCI Security Standards Cuncil, LLC Page 7

11 5.2.2 PFI Supprt If the QIR Cmpany is asked t participate in the investigatin f a breach at the custmer envirnment where the QIR Cmpany installed a PA-DSS validated payment applicatin, the QIR Cmpany may be requested t prvide cpies f the QIR Implementatin Statement and assciated dcumentatin frm the Engagement t the custmer and/r t the applicable PCI SSC-qualified PCI Frensic Investigatr (PFI), and must cperate fully with the PFI in such investigatin and all such requests. 5.3 Engagement Terminatin When an Engagement ends, the QIR Cmpany must perfrm clean-up tasks that include but are nt limited t: Ensuring credentials are securely remved frm all custmer sites after any installatin r maintenance tasks have been cmpleted. Prviding instructins fr the custmer t remve QIR Cmpany user accunts and credentials, if the QIR Cmpany n lnger supprts the custmer. Prviding instructins fr the custmer t eliminate all cnnectivity fr example, pen firewall prts between the QIR Cmpany and the custmer. 6 QIR Quality Management QIR Cmpanies are required t establish a Quality Assurance Prgram that, as stated in the QIR Qualificatin Requirements and further detailed within this Prgram Guide, requires QIR Cmpanies and Emplyees t adhere t all quality assurance requirements set by PCI SSC. The quality apprach fr the QIR Prgram is achieved by QIR candidates fulfilling the qualificatin requirements detailed in the QIR Qualificatin Requirements, the QIR Cmpany s and Emplyee s cntinued adherence t thse requirements and respnsibilities, and PCI SSC s n-ging mnitring f the QIR Cmpany and Emplyees. 6.1 QIR Cmpany Respnsibilities The QIR Cmpany is expected t manage an internal quality assurance prgram that meets all QIR quality assurance requirements and expectatins f PCI SSC, and is dcumented and described in the QIR Cmpany s Quality Manual. PCI SSC reserves the right t request and review the Quality Manual at any time. The Quality Manual must be reviewed and updated annually, and must minimally include: Prcedures requiring all QIR Emplyees and cntractrs with access t custmer sites t strictly fllw secure access, installatin, maintenance and supprt prcesses utlined in the applicatin vendr s latest PA-DSS Implementatin Guide Apprpriate requirements, prcesses and prcedures regarding reviews f perfrmed installatin prcedures, supprting dcumentatin and infrmatin dcumented in QIR Implementatin Statements relating t installatin recmmendatins; and thrugh dcumentatin f all installatin results A requirement fr a quality review f all QIR Implementatin Statements A requirement that all QIR Emplyees must adhere t the QIR Prgram Guide and all QIR Emplyee Requirements QIR Prgram Guide, v 3.0 September PCI Security Standards Cuncil, LLC Page 8

12 A requirement fr dcumentatin f disciplinary actin if an emplyee r cntractr fails t securely access, install, maintain r supprt payment applicatins (and any cnnected systems) in accrdance with industry data security best practices and standards Prcesses fr maintaining cpies f training recrds t cnfirm that all QIR Emplyees have received training befre being assigned t a Qualified Installatin The QIR Cmpany must ntify PCI SSC anytime a QIR Emplyee leaves emplyment r mves t a nn-qir rle. Furthermre, if the cmpany des nt maintain at least ne QIR Emplyee, the QIR Cmpany will be remved frm the QIR List and becme ineligible t perfrm new Qualified Installatins until the minimum requirements are satisfied Feedback Prcess At the start f each Qualified Installatin, the QIR Cmpany must direct the custmer t the QIR Feedback Frm n the Website, and request that the Cmpany submit the cmpleted frm t PCI SSC fllwing the installatin. Any payment card brand, acquiring bank r ther persn r entity may submit QIR Feedback Frms t PCI SSC t prvide feedback n a Qualified Installatin. Additinally, a Qualified Security Assessr (QSA) Cmpany r Emplyee that assesses a merchant r service prvider that has had a Qualified Installatin perfrmed may submit a QIR Feedback Frm regarding the QIR Cmpany that perfrmed that installatin. The QIR Feedback Frm addresses the fllwing: Adequacy f QIR Implementatin Statement cntent; Cmpetence f staff assigned t Qualified Installatin Engagements; Ability t effectively cmmunicate the results f the Qualified Installatin and any ptential risks r expsures identified during the Qualified Installatin. 6.2 PCI SSC s Rle in Quality Management PCI SSC quality assurance prcess begins with QIR Cmpany and QIR Emplyee qualificatin and related training prcess. PCI SSC then perfrms mnitring activities t gain assurance that established requirements are in place and maintained as expected. This is achieved mst ften thrugh review and mnitring f QIR Custmer Feedback Frms, and may include audits f QIR Implementatin Statements and ther materials, infrmatin r wrk prduct generated r btained during the curse f Qualified Installatins. PCI SSC reserves the right t cnduct such activities at any time, and each QIR Cmpany is required t cperate in such quality assurance activities. Nte: the QIR Cmpany may redact sensitive r cnfidential infrmatin that des nt materially impact PCI SSC s quality assurance review. Tgether, these quality checks allw PCI SSC t reasnably mnitr the quality f QIR Cmpanies and Emplyees. S lng as PCI SSC determines in its reasnable discretin that a QIR Cmpany cntinues t satisfy applicable QIR Requirements and meets prescribed quality levels fr Qualified Installatins, that QIR Cmpany will remain in Gd Standing as a QIR Cmpany. Failure t satisfy applicable requirements r meet applicable quality levels may result in any r all f the actins described in Sectin 6.4 belw. 6.3 QIR Cmpany Status QIR Prgram Guide, v 3.0 September PCI Security Standards Cuncil, LLC Page 9

13 QIR Prgram Guide, v 3.0 September PCI Security Standards Cuncil, LLC Page 10 The QIR Prgram recgnizes several status designatins fr QIR Cmpanies and QIR Emplyees. The status f a QIR Cmpany r QIR Emplyee is initially Gd Standing but may change based n quality cncerns, feedback, administrative issues, r ther factrs. These status designatins are described further belw. Nte: These status designatins are nt necessarily prgressive: Any QIR Cmpany s r QIR Emplyee s status may be revked r a QIR Cmpany s QIR Agreement terminated fr quality cncerns. Accrdingly, a QIR Cmpany r QIR Emplyee may mve directly frm Gd Standing t Revcatin (defined belw). Nnetheless, nn-severe quality cncerns are generally first addressed thrugh the Remediatin prcess (described belw) in rder t prmte imprved perfrmance Gd Standing QIR Cmpanies and QIR Emplyees are expected t maintain a status f Gd Standing while participating in the QIR Prgram. Where PCI SSC detects any deteriratin f quality levels ver time, PCI SSC may issue warnings t QIR Cmpanies. While a Warning shuld be taken seriusly s that actins d nt escalate t Remediatin and/r Revcatin, a Warning alne des nt impair a QIR Cmpany s Gd Standing status Remediatin A QIR Cmpany and/r Emplyee may be placed int Remediatin fr varius reasns, including quality cncerns r administrative issues such as failure t meet any requalificatin requirements, failure t submit required infrmatin, etc. QIR Cmpanies in Remediatin are listed n the Website in Red, indicating Remediatin status withut further explanatin as t why the designatin is warranted. If administrative r nn-severe quality prblems are detected, PCI SSC will typically recmmend participatin in the Remediatin prgram. Remediatin prvides an pprtunity fr QIR Cmpanies and/r Emplyees t imprve perfrmance by wrking clsely with PCI SSC staff; and in the absence f participatin, quality issues may increase. During Remediatin, QIR Cmpanies and QIR Emplyees may cntinue t perfrm installatins, cnfiguratins and peratinal supprt. During Remediatin and generally in cnnectin with PCI SSC s QIR Prgram quality assurance initiatives, PCI SSC may mnitr and require QIR Cmpanies t prvide QIR Implementatin Statements and any ther materials, infrmatin r wrk prduct generated r btained during the curse f Qualified Installatins (redacted in accrdance with QIR Prgram plicy). Such materials must be prvided within three (3) weeks f PCI SSC s request. QIR Cmpanies may als be charged fees t cver PCI SSC s csts f mnitring and Remediatin. Remediatin is a jint effrt between the QIR Cmpany and PCI SSC t imprve the quality f the QIR Cmpany wrk prduct. The QIR Cmpany must submit a Remediatin plan acceptable t PCI SSC, detailing hw the QIR Cmpany plans t imprve the quality f its Qualified Installatins and related wrk prduct. PCI SSC may audit the QIR Cmpany s cmpliance with its quality assurance prgram and ther QIR prgramrelated requirements, at the sle cst and expense f the QIR Cmpany Revcatin In the event PCI SSC determines in its sle but reasnable discretin that a QIR Cmpany r QIR Emplyee meets any cnditin fr revcatin f QIR Cmpany r QIR Emplyee qualificatin established by PCI SSC frm time t time (satisfactin f any

14 QIR Prgram Guide, v 3.0 September PCI Security Standards Cuncil, LLC Page 11 such cnditin, a Vilatin ), including withut limitatin, any f the cnditins described as Vilatins belw, PCI SSC may, effective immediately upn ntice t the QIR Cmpany, revke the QIR Cmpany and/r QIR Emplyee qualificatin ( Revcatin ) and/r terminate the QIR Cmpany s QIR Agreement. Vilatins include (withut limitatin) the fllwing: Vilatin f any bligatin regarding nn-disclsure f cnfidential materials. Failure t maintain physical, electrnic and prcedural safeguards t prtect cnfidential r sensitive infrmatin; and/r failure t reprt t PCI SSC unauthrized access t any system that stres cnfidential r sensitive infrmatin. Engagement in unprfessinal r unethical business cnduct, including misrepresentatin f the PCI DSS r any ther PCI SSC requirements r dcuments t sell prducts r services. Failure t prvide quality services, based n custmer feedback r evaluatin by PCI SSC, any f its affiliates r any third party. Cheating n any exam in cnnectin with QIR Prgram training, including withut limitatin submitting wrk that is nt the wrk f the QIR Emplyee taking the exam; theft f r unauthrized access t an exam; use f an alternate, stand-in r prxy during an exam; use f any prhibited r unauthrized materials, ntes r cmputer prgrams during an exam; and prviding r cmmunicating in any way any unauthrized infrmatin t anther persn during an exam. Prvisin f false r intentinally incmplete r misleading infrmatin t PCI SSC in any applicatin r ther materials. Permitting any unqualified prfessinal t perfrm (r participate in the perfrmance f) any Qualified Installatin fr r n behalf f the QIR Cmpany. Failure t be in Gd Standing. Failure t perfrm any Qualified Installatin in accrdance with the QIR Prgram Guide. Revelatin by frensic evidence that a security r data breach f the QIR Cmpany led t a security r data breach f any f their QIR custmers. Failure t prvide prf f Cntinuing Prfessinal Educatin (CPE) hurs fr its QIR Emplyees. Failure t prmptly ntify PCI SSC f any Vilatins described abve that ccurred less than tw (2) years befre such QIR Cmpany s r QIR Emplyee s qualificatin by PCI SSC. Upn QIR Cmpany Revcatin and/r terminatin f its QIR Agreement, the QIR Cmpany is remved frm the QIR List and/r its listing may be anntated as PCI SSC deems apprpriate, and must (a) immediately cease all advertising and prmtin f its QIR Cmpany qualificatin and/r status; (b) immediately cease sliciting fr and perfrming all pending Engagements, Qualified Installatins r ther Services unless and t the extent therwise instructed by PCI SSC; (c) if requested by PCI SSC, btain (at the QIR Cmpany s sle cst and expense) the services f a replacement QIR Cmpany acceptable t PCI SSC fr purpses f cmpleting any unperfrmed Services fr which it is engaged immediately prir t such Revcatin r terminatin, and (d) within fifteen (15) days theref, in a manner acceptable t PCI SSC, ntify thse f its

15 Custmers with which the QIR Cmpany is then engaged t perfrm Services f such Revcatin r terminatin and, if applicable, f any cnditins, restrictins r requirements f such Revcatin that may impact its ability t perfrm such Services fr Custmers ging frward. PCI SSC may ntify any third party f such Revcatin r terminatin and the reasn(s) therefr. Revcatin is subject t appeal and pssible reinstatement f qualificatin in accrdance with QIR Prgram plicies and prcedures. All appeals must be submitted t PCI SSC in writing within thirty (30) days f Revcatin, addressed t the PCI SSC General Manager, and must fllw all applicable prcedures as specified by PCI SSC. All determinatins f PCI SSC regarding Revcatin and any related appeals are in PCI SSC s sle discretin, final and binding upn the QIR Cmpany. In the event the QIR Cmpany fails t submit a request fr appeal within the alltted 30-day perid, r if PCI SSC determines n appeal that terminatin is warranted, then effective immediately and autmatically thereafter, the QIR Agreement and QIR s QIR Cmpany qualificatin shall terminate. Upn Revcatin, the perid f ineligibility will be a minimum f ne (1) year as determined by PCI SSC in a reasnable and nn-discriminatry manner (in light f the circumstances) after the date f Revcatin r unsuccessful reslutin f appeal, whichever is later. QIR Prgram Guide, v 3.0 September PCI Security Standards Cuncil, LLC Page 12

16 Appendix A: Acceptable Frms f Dcumented Evidence Fr a minimum f three (3) years, QIR Cmpanies must secure and maintain dcumented evidence (whether in digital r hard cpy frmat) substantiating all services, including but nt limited t cpies f any and all case lgs, cnfiguratin and ther installatin results, wrk papers, ntes and technical infrmatin created and/r btained during each Qualified Installatin. The fllwing frms f dcumented evidence are acceptable fr purpses f cmpliance with the QIR Prgram Guide. Cpies f any lgs r cnfiguratin files used r generated Cpies f any applicatin-vendr written/published dcumentatin used Cpies f any trubleshting requests raised with the applicatin vendr during r as a result f the implementatin Any written/published applicatin-vendr prcedures used during the implementatin Any written prcess dcuments Interview ntes Change-cntrl dcumentatin Installatin lgs System-cnfiguratin files Written/published methdlgies Any written/published vendr prcedures Cpies/screenshts f any f the fllwing: displays f payment card data including but nt limited t POS devices, screens, lgs and receipts Screenshts f any cnfiguratin settings including but nt limited t thse settings relevant t secure authenticatin, lgging and remte access QIR Prgram Guide, v 3.0 September PCI Security Standards Cuncil, LLC Page 13