Payment Card Industry (PCI) Qualification Requirements

Transcription

1 Payment Card Industry (PCI) Qualificatin Requirements Fr Qualified Integratrs and Resellers (QIRs) Versin 3.0 September 2015

2 Dcument Changes Date Versin Descriptin August Initial release f the PCI Qualificatin Requirements fr QIRs Nvember Minr edits t align with PCI DSS and PA-DSS v3.0; Simplificatin f the applicatin prcess September Minr adjustments t prgram requirements, e.g., allw sle prprietrs t jin the prgram by remving the requirement t have tw trained emplyees n staff at all times PCI Qualificatin Requirements fr QIRs, v 3.0 August PCI Security Standards Cuncil, LLC Page i

3 Table f Cntents Dcument Changes... i 1 Intrductin Terminlgy Dcument Structure Related Publicatins QIR Applicatin Prcess Additinal Infrmatin Requests QIR Cmpany Business Requirements Business Legitimacy Cde f Prfessinal Respnsibility QIR Cmpany Fees QIR Cmpany and QIR Emplyee Capability Requirements QIR Cmpany QIR Emplyees Skills and Experience QIR Cmpany Administrative Requirements Cntact Persn Backgrund Checks Adherence t PCI SSC Prcedures Quality Assurance Prtectin f Cnfidential and Sensitive Infrmatin Retentin f Results QIR Cmpany and QIR Emplyee Requalificatin Requirements Prvisins QIR Remediatin and Revcatin Schedule 1 - Terminlgy Appendix A: QIR Agreement Appendix B. Applicatin Checklist PCI Qualificatin Requirements fr QIRs, v 3.0 August PCI Security Standards Cuncil, LLC Page ii

4 1 Intrductin Organizatins qualified by PCI SSC as Qualified Integratr and Reseller Cmpanies (QIR Cmpanies) are authrized t implement, cnfigure and/r supprt PA-DSS validated Payment Applicatins n behalf f merchants r service prviders fr purpses f perfrming Qualified Installatins as part f the QIR Prgram. The quality, reliability and cnsistency f a QIR Cmpany s wrk prvide cnfidence that the Payment Applicatin has been implemented in a manner that supprts the Custmer s PCI DSS cmpliance. All QIR Cmpanies are identified n the QIR List in accrdance with the QIR Agreement. If a cmpany is nt n the QIR List, it is nt recgnized as a QIR Cmpany by PCI SSC. All cmpanies and individuals seeking t qualify as QIR Cmpanies r QIR Emplyees must satisfy initial qualificatin requirements and requalify with PCI SSC every three years, as detailed further in this dcument. Interested applicants shuld cmplete the nline registratin frm lcated n the PCI Security Standards Cuncil Website (Website). 1.1 Terminlgy Fr purpses f this dcument, capitalized terms used but nt defined herein shall have the meanings set frth in Schedule 1 heret. 1.2 Dcument Structure Sectin 1: Intrductin ffers a high-level verview f the QIR applicatin prcess. Sectin 2: QIR Cmpany Business Requirements cvers minimum business requirements that must be demnstrated t PCI SSC by the cmpany. Sectin 3: QIR Cmpany and QIR Emplyee Capability Requirements reviews the infrmatin and dcumentatin necessary t demnstrate the service qualificatins and expertise f the cmpany and its emplyees. Sectin 4: QIR Cmpany Administrative Requirements fcuses n the lgistics f ding business as a QIR Cmpany, including backgrund checks, adherence t QIR Prgram prcedures, prtectin f cnfidential and sensitive infrmatin, and quality assurance. Sectin 5: QIR Requalificatin briefly utlines the QIR requalificatin prcess. Sectin 6: QIR Remediatin and Revcatin Prcess cntains infrmatin regarding remediatin and revcatin prcedures. Schedules and Appendices: The schedules and appendices t the QIR Qualificatin Requirements include the terminlgy schedule, QIR Agreement and Applicatin Checklist. 1.3 Related Publicatins This dcument shuld be used in cnjunctin with the current versins f the fllwing ther PCI SSC publicatins, each available thrugh the Website: PCI DSS, the PCI SSC standard that sets the fundatin fr ther PCI Standards and related requirements PA-DSS, the PCI SSC standard that defines the specific technical requirements and prvides related assessment prcedures and templates used t validate Payment Applicatin cmpliance and dcument the validatin prcess PCI Qualificatin Requirements fr QIRs, v3.0 September PCI Security Standards Cuncil, LLC Page 1

5 QIR Prgram Guide, the guidance dcument that defines requirements that must be satisfied by all QIR Cmpanies in rder t perfrm Qualified Installatins QIR Implementatin Statement, the template prvided by PCI SSC t dcument the Qualified Installatin. QIR Implementatin Instructins, a cmplementary dcument fr the QIR Implementatin Statement that explains hw t dcument the Qualified Installatin. 1.4 QIR Applicatin Prcess T begin the applicatin prcess a cmpany representative must submit a registratin frm thrugh the Website. Upn receipt f the registratin frm, PCI SSC will send an t the cmpany representative with credentials t access the secure web prtal designated by PCI SSC fr the QIR Prgram (the Prtal ) and begin the applicatin prcess. The cmpany s Primary Cntact (see Sectin belw) will manage the applicatin prcess fr bth the cmpany and any cmpany emplyees seeking QIR Emplyee qualificatin. T facilitate preparatin f the applicatin, refer t Appendix B: Applicatin Checklist. Applicatins must cntain all items listed in Appendix B. All applicatin materials must be submitted in English. Dcumentatin prvided in a language ther than English must be accmpanied by a certified English translatin. In the event a cmpany des nt meet the requirements specified in the QIR Qualificatin Requirements, PCI SSC will ntify the cmpany, and the cmpany will have 30 days frm the date f ntificatin t appeal the decisin. Appeals must be addressed t the PCI SSC General Manager. If a cmpany s appeal is denied, its name will nt be placed n the QIR List. Imprtant Nte: PCI SSC reserves the right t reject any applicatin frm any applicant that PCI SSC determines has cmmitted, within tw (2) years prir t the applicatin date, any cnduct that wuld have been cnsidered a Vilatin (defined in the QIR Prgram Guide) if cmmitted by a QIR Cmpany r QIR Emplyee. The perid f ineligibility will be a minimum f ne (1) year as determined by PCI SSC in a reasnable and nn-discriminatry manner, in light f the circumstances. 1.5 Additinal Infrmatin Requests In an effrt t maintain the integrity f the QIR Prgram, PCI SSC may frm time t time request that QIR Cmpanies and QIR Emplyees submit additinal infrmatin r materials in rder t demnstrate adherence t applicable requirements, as part f the QIR apprval prcess, r as part f PCI SSC's QIR quality assurance initiatives, including but nt limited t remediatin, revcatin and appeals as further described in the QIR Prgram Guide. All such additinal infrmatin and materials must be submitted in English r with a certified English translatin. QIR Cmpanies are required t respnd t each such request with the required infrmatin r dcumentatin n later than three (3) weeks frm receipt f the crrespnding written request r as therwise requested by PCI SSC. 2 QIR Cmpany Business Requirements Each QIR Cmpany must satisfy the fllwing business requirements and prvide the fllwing infrmatin t PCI SSC. PCI Qualificatin Requirements fr QIRs, v3.0 September PCI Security Standards Cuncil, LLC Page 2

6 2.1 Business Legitimacy Requirements The QIR Cmpany must be recgnized as a legal entity Prvisins The fllwing infrmatin must be prvided t PCI SSC: Cpy f business license r equivalent (prf f legal existence frm the relevant jurisdictin; see Business License Requirements n Website). Attestatin that the QIR Cmpany (and QIR Cmpany principals) have n past r present allegatins r cnvictins f any fraudulent r criminal activity against them, r a written statement describing any such allegatins r cnvictins and the status and reslutin theref. 2.2 Cde f Prfessinal Respnsibility Requirements PCI SSC has adpted a PCI SSC Cde f Prfessinal Respnsibility (the Cde, available n the Website) t help ensure that PCI SSC-qualified cmpanies and individuals adhere t high standards f ethical and prfessinal cnduct. All PCI SSC-qualified cmpanies and individuals must advcate, adhere t and supprt the Cde Prvisins The QIR Cmpany must cnfirm the PCI SSC Cde f Prfessinal Respnsibility is advcated, adhered t and supprted by the cmpany. Each QIR Emplyee must accept the PCI SSC Cde f Prfessinal Respnsibility at the beginning f each PCI SSC QIR Training curse. 2.3 QIR Cmpany Fees Requirements All fees payable by QIR Cmpanies in cnnectin with the QIR Prgram ( Fees ) must be paid by check r ther means apprved by PCI SSC. All checks shuld be made payable t PCI SSC and mailed t the fllwing address r as therwise instructed by PCI SSC: PCI Security Standards Cuncil 401 Edgewater Place, Suite 600 Wakefield, MA USA Phne number: (781) QIR Cmpanies are respnsible fr payment f the fllwing Fees as then specified n the Website: PCI Qualificatin Requirements fr QIRs, v3.0 September PCI Security Standards Cuncil, LLC Page 3

7 Training and Exam Fees The Fees a QIR Cmpany will pay are the QIR Training and Exam Fee fr each individual QIR Emplyee they want t have qualified (minimum f ne per QIR Cmpany). The Primary Cntact will receive an invice fr training Fees, and will be respnsible fr payment f that invice befre the trainee receives access t QIR training material. Exam Retake (necessary nly if the QIR Emplyee s previus attempt resulted in failure) There is n limit t the number f times an individual QIR Emplyee can retake the QIR Exam and there is n waiting perid required after each failed attempt. The QIR Cmpany will be assessed the Exam Retake Fee prir t each retake attempt. Requalificatin Requalificatin is required every three years n r befre the QIR Emplyee s qualificatin expiratin date. In rder t requalify, individual QIR Emplyees will need t take the QIR Training and Exam. The Fees a QIR Cmpany will pay are the QIR Training and Exam Fee fr each individual QIR Emplyee they want t have requalify. 3 QIR Cmpany and QIR Emplyee Capability Requirements 3.1 QIR Cmpany QIR Cmpanies must be qualified by PCI SSC and maintain a skilled and trained wrkfrce t prvide secure implementatins f PA-DSS validated Payment Applicatins t merchants and Service Prviders. Only cmpanies qualified by PCI SSC as QIR Cmpanies are listed n the PCI SSC website and authrized t perfrm Qualified Installatins Requirements Nte: All Fees assciated with the QIR Prgram are psted n the Website. All such Fees are nn-refundable, updated annually and subject t change upn ntice frm PCI SSC. Psting f a revised QIR Prgram Fee Schedule n the Website shall be deemed t cnstitute ntice f a Fee change. The QIR Cmpany must be either the direct prvider f a PA-DSS validated Payment Applicatin r a cmpletely independent third party licensed r therwise authrized by a PA-DSS validated Payment Applicatin vendr t implement that Payment Applicatin int the merchant r service prvider envirnment. The QIR Cmpany must have prcesses in place t ensure that its QIR Emplyees are trained and have access t applicable dcumentatin t perfrm Qualified Installatins. Prcesses must include, but are nt limited t, participatin in the training prgram(s) prvided by PCI SSC and the Payment Applicatin vendr(s). The PA-DSS standard requires PA-DSS Payment Applicatin vendrs t maintain instructinal dcumentatin and training prgrams fr integratrs and resellers. The QIR Cmpany must have experience installing and cnfiguring applicatins, preferably Payment Applicatins, equal t at least ne year r three separate engagements. The QIR Cmpany must at all times emply at least ne (1) QIR Emplyee. PCI Qualificatin Requirements fr QIRs, v3.0 September PCI Security Standards Cuncil, LLC Page 4

8 3.1.2 Prvisins The fllwing infrmatin must be prvided t PCI SSC: Cnfirmatin that the QIR Cmpany is either the direct prvider f a PA-DSS validated Payment Applicatin r a cmpletely independent third-party licensed r therwise authrized by the PA-DSS validated Payment Applicatin vendr t implement the Payment Applicatin int the merchant r service prvider envirnment. Cnfirmatin that the QIR Cmpany has prcesses fr ensuring that all f its QIR Emplyees are trained and have access t dcumentatin frm PCI SSC and the Payment Applicatin vendr, including, but nt limited t the PCI DSS and PA-DSS standard and prgram dcumentatin, and Payment Applicatin vendr training and the PA-DSS Implementatin Guide fr each PA-DSS validated Payment Applicatin fr which they intend t perfrm Qualified Installatins. Cnfirmatin f the QIR Cmpany s experience installing r cnfiguring applicatins equal t ne year r three separate engagements. List f the reginal markets and languages supprted by the QIR Cmpany. Acknwledgement that the QIR Cmpany must cntinually emply at least ne (1) QIR Emplyee in rder t be and remain a QIR Cmpany. 3.2 QIR Emplyees Skills and Experience Each QIR Emplyee perfrming r managing any Qualified Installatin must be qualified by PCI SSC. Only individuals qualified by PCI SSC as QIR Emplyees are authrized t perfrm Qualified Installatins. The Lead QIR must be actively engaged fr the duratin f the Engagement and Qualified Installatin. QIR Emplyees are respnsible fr: Perfrming the Qualified Installatin(s). Ensuring the PA-DSS validated Payment Applicatin is installed in a manner cmpliant with the Payment Applicatin vendr s PA-DSS Implementatin Guide, fllwing the best practices f the QIR Prgram Guide, and in a manner that facilitates Custmers PCI DSS cmpliance. Prducing the QIR Implementatin Statement Requirements All QIR Emplyee(s) perfrming r managing Qualified Installatins fr a given QIR Cmpany must: Have sufficient applicatin installatin and system hardening knwledge and experience t cnduct technically cmplex applicatin installatins. Be knwledgeable regarding the QIR Prgram Guide. Be knwledgeable f apprpriate cntents f the PA-DSS Implementatin Guide(s) fr the Payment Applicatin(s) they implement. Be trained in and have up-t-date knwledge f the PA-DSS validated Payment Applicatin(s) they implement, and perfrm such implementatin(s) in accrdance with applicable QIR Requirements. PCI Qualificatin Requirements fr QIRs, v3.0 September PCI Security Standards Cuncil, LLC Page 5

9 Attend requisite QIR Prgram training, and legitimately pass, f his r her wn accrd withut any unauthrized assistance, all requisite QIR Prgram training examinatins. QIR Emplyees wh fail t pass such exams must nt lead r manage any Qualified Installatin until passing such exams. Be emplyees f the QIR Cmpany (meaning this wrk cannt be subcntracted t nnemplyees) r permitted subcntractrs apprved in writing by PCI SSC. Apprved subcntractrs shall nt be permitted t include a cmpany lg ther than that f the respnsible QIR Cmpany r any reference t anther cmpany in the QIR Implementatin Statement dcuments while perfrming wrk n behalf f the QIR Cmpany Prvisins The fllwing infrmatin must be prvided t PCI SSC fr each individual seeking qualificatin as a QIR Emplyee: Wrk histry, such as a Résumé r Curriculum Vitae, that includes relevant wrk experience and respnsibilities in Payment Applicatin installatins, system hardening, system integratin, netwrk security, etc., and wrk experience related t the payment industry. 4 QIR Cmpany Administrative Requirements 4.1 Cntact Persn Requirements The QIR Cmpany must designate a primary cntact persn fr QIR Prgram purpses. The primary cntact shall serve as the QIR Cmpany s sle pint f cntact fr all QIR cmmunicatins t PCI SSC in cnnectin with the QIR Prgram, and may be changed in accrdance with the QIR Agreement Prvisins The fllwing cntact infrmatin must be prvided t PCI SSC, fr the primary cntact: Name Jb Title Address Phne number address 4.2 Backgrund Checks Requirements The QIR Cmpany must perfrm backgrund checks (as described in Sectin 4.2.2) n all QIR Emplyees, if legally permitted within the applicable jurisdictin. Upn request, the QIR Cmpany must prvide t PCI SSC the backgrund check histry fr each QIR Emplyee, if legally permitted within the applicable jurisdictin. PCI Qualificatin Requirements fr QIRs, v3.0 September PCI Security Standards Cuncil, LLC Page 6

10 4.2.2 Prvisins The QIR must prvide the fllwing t PCI SSC: Cnfirmatin that the QIR Cmpany cnducts backgrund checks fr each emplyee: Backgrund checks must be cmpleted prir t submitting emplyee qualificatin requests t PCI SSC. QIR Emplyees must successfully pass the backgrund check in accrdance with the QIR Cmpany s plicies and prcedures (where legally permitted). Examples f backgrund checks include previus emplyment histry, criminal recrd, credit histry and reference checks. Cnfirmatin that the QIR Cmpany backgrund checks include each f the fllwing (t the extent legally permissible in the applicable jurisdictin): Gathering f current phtgraphs Verificatin f aliases (when applicable) Annual review f recrds f any criminal activity, arrests r cnvictins Autmatic disqualificatin frm QIR Emplyee cnsideratin f individuals wh have cmmitted any felny r crime invlving financial fraud r frgery 4.3 Adherence t PCI SSC Prcedures Implementatin Statements Fr each Qualified Installatin, the resulting QIR Implementatin Statement must fllw the instructins set frth in the QIR Prgram Guide. Each QIR Implementatin Statement must be prepared by a QIR Emplyee and be based n the results f the Qualified Installatin in accrdance with the QIR Prgram Guide. If clarificatin n the intent f any questin in the QIR Implementatin Statement is needed, the QIR Implementatin Instructins shuld be used as a reference guide Marketing S lng as a QIR Cmpany cntinues t appear n the QIR List, in advertising and/r prmting its Services it may refer t its listing n the QIR List and t its qualificatin by PCI SSC as a QIR Cmpany. Withut prir PCI SSC apprval in each instance, hwever, a QIR Cmpany is required nt t: (a) use any trademark, service mark, lg r similar designatin (each a Mark ) f PCI SSC; (b) make any statement cnstituting an implied r express endrsement, recmmendatin r warranty by PCI SSC regarding itself, its Services r any related prducts r services; (c) make any false r misleading statement regarding, r misrepresent the requirements f, PCI SSC, any Participating Payment Brand r any f the PCI Materials; (d) state r imply that any f the PCI Materials (r cmpliance therewith) require usage f any f its prducts r services; r (e) publish r therwise make available any statement, material r prduct (in any frm) that refers t r includes any PCI Materials r prtin theref, r any name r acrnym f PCI SSC r any PCI SSC standard (except fr brief references t PCI SSC and/r its standards (r crrespnding acrnyms) t the extent reasnably necessary fr purpses f describing, marketing r prmting its Services). PCI Qualificatin Requirements fr QIRs, v3.0 September PCI Security Standards Cuncil, LLC Page 7

11 4.4 Quality Assurance Requirements The QIR Cmpany must have implemented a quality assurance prgram as described in Sectin 4.4.2, and upn request, prvide a cpy f its Quality Manual (defined in the QIR Prgram Guide and further described belw) t PCI SSC. The QIR Cmpany must prvide a QIR Feedback Frm t each Custmer at the start f the installatin. The QIR Cmpany must adhere t all quality assurance requirements mandated by PCI SSC. The QIR Cmpany must permit PCI SSC t cnduct audits f any QIR prgram-related requirement at the discretin f PCI SSC Prvisins The QIR Cmpany must prvide the fllwing t PCI SSC: Cntact infrmatin fr the QIR Cmpany s designated quality assurance manager (wh may be the same as the primary cntact), as fllws: Name Jb Title Address Phne number address Cnfirmatin that the QIR Cmpany has a Quality Manual that cmplies with the requirements set frth in the QIR Prgram Guide and include, at a minimum, the fllwing: A reference t the QIR Cmpany s installatin prcedures r details f the installatin prcesses. A reference t prcedures r details f prcesses fr emplyees and cntractrs with access t Custmer sites t strictly fllw secure access, installatin, maintenance and supprt prcesses included in the PA-DSS Implementatin Guide fr each validated Payment Applicatin. Apprpriate requirements, prcesses and/r prcedures t ensure the prper dcumentatin f all installatin results. A requirement fr the Lead QIR t cmplete the QIR Implementatin Statement and sign the cmpleted dcument. A requirement fr a quality review f all QIR Implementatin Statements. A requirement that all QIR Emplyees must adhere t the QIR Prgram Guide. A requirement fr a prcess t manage security vilatins. A prcess t maintain cpies f training recrds cnfirming that QIR Emplyees, befre being assigned t a Qualified Installatin, have received requisite QIR Prgram training. A requirement fr QIR emplyees t dcument within the QIR Implementatin Statement and ntify the Custmer r service prvider f any areas that are nt implemented in accrdance with PCI DSS. PCI Qualificatin Requirements fr QIRs, v3.0 September PCI Security Standards Cuncil, LLC Page 8

12 4.5 Prtectin f Cnfidential and Sensitive Infrmatin Requirements The QIR Cmpany must maintain adequate physical, electrnic and prcedural safeguards cnsistent with industry-accepted practices t prtect sensitive and cnfidential infrmatin against any threats r unauthrized use r access, during strage, prcessing, cmmunicatin r therwise, including withut limitatin, payment card accunt numbers, cardhlder data, payment card transactin infrmatin, infrmatin relating natural persns that culd be used t identify such persns, and any ther infrmatin received by the QIR Cmpany in cnnectin with remediatin r ther Prgram activities that is nt readily publicly available. The QIR Cmpany must adhere t all requirements t such prtect sensitive and cnfidential infrmatin, as required by the applicable Custmer, PCI SSC r Participating Payment Brands. T the extent the QIR Cmpany stres, prcesses r transmits any data t which the PCI DSS applies, the QIR Cmpany shall be required t be certified as cmpliant with the PCI DSS and shall, at its sle cst and expense: (a) cnduct r have cnducted the audits required fr PCI DSS cmpliance; and (b) take all actins required t maintain PCI DSS cmpliance Prvisins The QIR must prvide the fllwing: Cnfirmatin that the QIR Cmpany has implemented and cmplies with apprpriate practices fr prtecting and handling all such cnfidential and sensitive data, including at a minimum the fllwing physical, electrnic, and prcedural safeguards: Systems string Custmer data d nt reside n Internet-accessible systems. Prtectin f systems string Custmer data by adequate netwrk and applicatinlayer cntrls, including a firewall and IDS/IPS. The fllwing physical and lgical access cntrls: Restricted access (e.g., via lcks) t the physical ffice space. Restricted access (e.g., via lcked file cabinets) t paper files. Restricted lgical access t electrnic files via rle-based access cntrl. Encryptin f sensitive Custmer infrmatin when transmitted ver the Internet either by r ther means. Secure transprt and strage f backup media. Encryptin f Custmer data n QIR emplyee laptps. Prcesses t ensure emplyees and cntractrs maintain the cnfidentiality and restrict the use f all such sensitive and cnfidential infrmatin, including written and executed cnfidentiality agreements. PCI Qualificatin Requirements fr QIRs, v3.0 September PCI Security Standards Cuncil, LLC Page 9

13 4.6 Retentin f Results Requirements The QIR Cmpany must maintain recrds f Qualified Installatins. These recrds must: Be retained fr a minimum f three (3) years frm the cmpletin f each Qualified Installatin. The QIR Cmpany must secure (in accrdance with 4.5 abve) and maintain dcumented evidence (whether in digital r hard cpy frmat) f cmpliance with all requirements f the PA-DSS Implementatin Guide, including but nt limited t cpies f cnfiguratin and ther installatin reprts and settings, results, and related wrk papers, ntes, and technical infrmatin created and/r btained during the applicable Qualified Installatin. Fr a list f acceptable frms f evidence, please see the QIR Prgram Guide. Adhere t all evidence-retentin requirements required by PCI SSC. Be available upn request by PCI SSC, PFIs and Participating Payment Brands fr the time perid specified in the QIR Prgram Guide, even if the QIR Cmpany leaves the QIR Prgram Prvisins The QIR Cmpany must prvide t PCI SSC: Cnfirmatin that the QIR Cmpany has a retentin plicy r retentin schedule that cvers the requirements in Sectin A cpy f the QIR Cmpany s recrd retentin plicy r schedule upn request. 5 QIR Cmpany and QIR Emplyee Requalificatin 5.1 Requirements All QIR Cmpanies and QIR Emplyees must requalify with PCI SSC every three (3) years, based n the QIR Cmpany s riginal qualificatin date. Requalificatin is cntingent n: Payment f applicable Fees. The Cmpany maintaining internal prcesses fr managing emplyee training. Successful cmpletin f QIR training prvided by PCI SSC, which includes passing the exam. QIR Emplyees cmpleting the required Cntinued Prfessinal Educatin (CPE) credits. Psitive Feedback frm Custmers, PCI SSC and Participating Payment Brands. 5.2 Prvisins The fllwing must be prvided t PCI SSC and/r will be cnsidered by PCI SSC during the requalificatin prcess fr bth the QIR Cmpany and QIR Emplyees: Payment f all applicable QIR Training and Exam Fees (including requalificatin Fees). Cnfirmatin that the QIR Cmpany has internal prcesses t rutinely educate QIR Emplyees n the apprpriate methds and techniques t install and cnfigure the validated Payment Applicatin(s) that the QIR Cmpany is authrized t implement. PCI Qualificatin Requirements fr QIRs, v3.0 September PCI Security Standards Cuncil, LLC Page 10

14 Prf f cmpleted CPE hurs fr the minimum number f hurs required per year as specified in the CPE Maintenance Guide n the Website. CPE hurs must be reprted t PCI SSC at the end f each year prir t the qualificatin anniversary date. Apprved methds fr btaining and reprting CPE credit are dcumented in the CPE Maintenance Guide. 6 QIR Remediatin and Revcatin Each QIR Cmpany and QIR Emplyee must satisfy applicable QIR Requirements and meet prescribed quality levels fr Qualified Installatins, t remain in Gd Standing. Failure t satisfy applicable requirements r meet applicable quality levels may result in remediatin and/r revcatin. The QIR Prgram Guide prvides mre details n remediatin and revcatin. PCI Qualificatin Requirements fr QIRs, v3.0 September PCI Security Standards Cuncil, LLC Page 11

15 Schedule 1 - Terminlgy Fr purpses f this Agreement, the QIR Qualificatin Requirements, and the QIR Prgram Guide, the fllwing terms shall have the fllwing meanings when capitalized: Term Custmer Engagement Glssary Gd Standing Lead QIR PA-DSS PA-DSS Implementatin Guide Participating Payment Brand Payment Applicatin PCI DSS Meaning A merchant r ther entity by r fr which a given QIR Cmpany has been engaged t perfrm a Qualified Installatin. The entire cmmitment f services, as specified in the cntractual agreement between a QIR Cmpany and its Custmer, t prvide a Qualified Installatin and any nging supprt activities required t maintain the PA-DSS validated Payment Applicatin in a manner which facilitates PCI DSS cmpliance. The current versin f (r successr dcument t) the Payment Card Industry (PCI) Data Security Standard Glssary, Abbreviatins and Acrnyms available n the Website. (a) With respect t a given QIR Cmpany, that the QIR Agreement between the QIR Cmpany and PCI SSC is in full frce and effect, the QIR Cmpany has been apprved by PCI SSC as a QIR Cmpany and such apprval has nt been revked, terminated, suspended, cancelled r withdrawn, the QIR Cmpany is in cmpliance with all QIR Cmpany Requirements, and the QIR Cmpany is nt in breach f any f the terms r cnditins f remediatin, its QIR Agreement (including withut limitatin, all prvisins regarding cmpliance with the QIR Qualificatin Requirements and payment), r any ther agreement with PCI SSC; and (b) With respect t a given QIR Emplyee, that the QIR Emplyee is in cmpliance with all QIR Emplyee Requirements. In regard t a given Qualified Installatin, the key QIR Emplyee leading the Engagement fr the QIR Cmpany The then current versin f the Payment Card Industry (PCI) Payment Applicatin Data Security Standard Requirements and Security Assessment Prcedures (r successr dcument theret), as made publicly available by PCI SSC n the Website. An implementatin guide prepared by the applicable Payment Applicatin vendr fr a given Payment Applicatin (required pursuant t the PA- DSS). A glbal payment card brand r scheme that is als a limited liability cmpany member f PCI SSC (r affiliate theref). A sftware applicatin used in cnnectin with the strage, prcessing r transmissin f cardhlder data. The then current versin f the Payment Card Industry (PCI) Data Security Standard Requirements (r successr dcument theret), as made publicly available by PCI SSC n the Website. PCI Qualificatin Requirements fr QIRs, v3.0 September PCI Security Standards Cuncil, LLC Page 12

16 Term PCI Materials PCI SSC PFI (r PCI Frensic Investigatr) QIR Agreement QIR Cmpany (r Qualified Integratr and Reseller Cmpany) QIR Cmpany Requirements QIR Emplyee QIR Emplyee Requirements QIR Feedback Frm QIR Implementatin Statement QIR Installatin QIR List QIR Prgram QIR Prgram Fee Schedule Meaning The PCI DSS, PA-DSS, QIR Qualificatin Requirements, QIR Prgram Guide, QIR Prgram training materials, Website and all related and ther materials prvided r therwise made accessible by PCI SSC in cnnectin with the QIR Prgram. PCI Security Standards Cuncil, LLC, a Delaware limited liability cmpany. An entity apprved as a PCI Frensic Investigatr by PCI SSC t perfrm frensic investigatins as part f the PCI SSC PCI Frensic Investigatr Prgram. A list f PFIs appears n the Website. The QIR Agreement attached as Appendix A t the QIR Qualificatin Requirements. Refers t a cmpany that has satisfied and cntinues t satisfy all requirements set frth in the QIR Qualificatin Requirements, QIR Prgram Guide and QIR Agreement and is thereby qualified t implement, cnfigure, r supprt PA-DSS validated Payment Applicatins n behalf f Custmers. The requirements applicable t QIR Cmpanies and the prvisins required f QIR Cmpanies as set ut in the QIR Qualificatin Requirements, and such additinal requirements as PCI SSC may establish fr QIR Cmpanies frm time t time in cnnectin with the QIR Prgram. A full-time emplyee f a QIR Cmpany wh has been apprved as a QIR Emplyee and is in cmpliance with all QIR Emplyee Requirements. The requirements applicable t QIR Emplyees as set ut in the QIR Qualificatin Requirements, and such additinal requirements as PCI SSC may establish fr QIR Emplyees frm time t time in cnnectin with the QIR Prgram. The then current versin f (r successr dcument t) the QIR Feedback Frm fr Payment Brands and Others, as made publicly available by PCI SSC n the Website. The reprt prvided t a Custmer upn cmpletin f the rendering f a Qualified Installatin. The installatin f a PA-DSS validated Payment Applicatin within a Custmer s cardhlder data envirnment (defined in the Glssary), cnducted by a QIR Cmpany acting in that capacity. The list f QIR Cmpanies maintained n the Website. The PCI SSC Qualified Integratrs and Resellers Prgram managed by PCI SSC, as further described herein and in the QIR Prgram Guide and related PCI SSC guidance and publicatins. The then current schedule f Fees payable by QIR Cmpanies in cnnectin with participatin in the QIR Prgram, as made publicly available by PCI SSC n the Website. PCI Qualificatin Requirements fr QIRs, v3.0 September PCI Security Standards Cuncil, LLC Page 13

17 Term QIR Prgram Guide QIR Qualificatin Requirements QIR Requirements Qualified Installatin Services Website Meaning The then current versin f the Payment Card Industry (PCI) Qualified Integratrs and Resellers (QIRs) Prgram Guide (r successr dcument theret), as made publicly available by PCI SSC n the Website. With respect t a given QIR Cmpany, the then mst current versin f (r successr dcument t) the Payment Card Industry (PCI) Qualificatin Requirements Fr Qualified Integratrs and Resellers (QIRs), as made publicly available n the Website and amended by PCI SSC frm time t time in its sle discretin, all supplements and addenda theret, and any and all related agreements and/r undertakings applicable t a such QIR Cmpany in cnnectin with the QIR Prgram. With respect t a given QIR Cmpany, the requirements and bligatins theref pursuant t the QIR Qualificatin Requirements, the QIR Agreement and the QIR Prgram Guide, each addendum and supplement t each f the freging, each agreement entered int between such QIR Cmpany and PCI SSC, and any and all ther plicies, prcedures, requirements r bligatins impsed, mandated, prvided fr r therwise established by PCI SSC frm time t time in cnnectin with any PCI SSC prgram in which such QIR Cmpany is then a participant, including but nt limited t, the requirements f all applicable PCI SSC training prgrams, quality assurance and remediatin prgrams, prgram guides and ther related PCI SSC prgram materials. The installatin and/r cnfiguratin f a PA-DSS validated Payment Applicatin fr purpses f cmpliance with the applicable PA-DSS Implementatin Guide and the QIR Prgram Guide as part f the QIR Prgram. The QIR Installatins and all related services perfrmed by a given QIR Cmpany t PCI SSC, the QIR Cmpany s Custmers r thers in cnnectin with the QIR Agreement and the QIR Prgram The PCI SSC website at PCI Qualificatin Requirements fr QIRs, v3.0 September PCI Security Standards Cuncil, LLC Page 14

18 Appendix A: QIR Agreement This dcument (the Agreement ) is a legally binding agreement between PCI Security Standards Cuncil, LLC ("PCI SSC") and QIR (defined belw), effective as f the date PCI SSC ntifies QIR that QIR s applicatin and registratin fr qualificatin as a QIR Cmpany have been apprved (the Effective Date ). Fr purpses heref, QIR is the cmpany, rganizatin r ther legal entity that, thrugh its individual representative(s), was identified t PCI SSC in the QIR Registratin Frm infrmatin submitted t PCI SSC thrugh the nline QIR Cmpany registratin page n the Website, received a link prviding access t this Agreement frm PCI SSC, and clicks ACCEPT belw. By clicking ACCEPT belw, the individual ding s: (i) represents and warrants t PCI SSC that s/he is authrized t legally bind QIR t the terms heref and (ii) fr gd and valuable cnsideratin, the receipt and sufficiency f which is acknwledged, agrees n QIR s behalf that (a) QIR has read, understands, and accepts, agrees t and is legally bund by the terms heref, (b) PCI SSC may reject r terminate this Agreement if QIR fails t satisfy applicable QIR Requirements, and (c) capitalized terms used but nt defined herein shall have the meanings in Schedule 1 t the Payment Card Industry (PCI) Qualificatin Requirements fr Qualified Integratrs and Resellers (QIRs) as available at (the Website ). 1. QIR Qualificatin; Listing; Primary Cntact. During the Term (defined belw): (a) QIR is hereby qualified by PCI SSC t perfrm Qualified Installatins subject t applicable QIR Requirements, and (B) PCI SSC is authrized t display QIR s name and QIR Cmpany qualificatin status infrmatin n the QIR List and incrprate int QIR s listing n the QIR List such QIR trademarks as (and in the manner) QIR has designated fr such purpse. QIR acknwledges and agrees that in the event PCI SSC determines in its sle but reasnable discretin that QIR meets any cnditin fr remediatin r revcatin (defined in the QIR Prgram Guide), PCI SSC may, upn ntice, ffer QIR the pprtunity t participate in remediatin, revke QIR's QIR Cmpany qualificatin, anntate r remve the listing f QIR n the QIR List, and/r terminate this Agreement. QIR hereby designates the individual identified t PCI SSC as QIR s Primary Cntact as part f the QIR registratin prcess t serve as QIR s sle pint f cntact all QIR Prgram cmmunicatins t PCI SSC. 2. QIR Requirements. During the Term, QIR agrees t cmply with all QIR Requirements, including but nt limited t the plicies, prcedures, terms and cnditins set frth in the QIR Qualificatin Requirements r the QIR Prgram Guide, and thse therwise established by PCI SSC in cnnectin with applicable QIR Prgram quality assurance initiatives and remediatin prcedures. 3. QIR Representatins. QIR hereby represents and warrants that it: (a) is in cmpliance with all applicable QIR Requirements; (b) will cmply with all applicable laws, rdinances, rules and regulatins pertaining t this Agreement r its bligatins hereunder during the Term; and (c) will ensure t its best knwledge that all infrmatin it prvides t PCI SSC is and remains accurate and cmplete. 4. Limitatin f Liability; Indemnificatin. A. PCI SSC EXPRESSLY DISCLAIMS ANY AND ALL REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, WITH RESPECT TO THE QIR PROGRAM, THE PCI MATERIALS, THIS AGREEMENT OR THE SUBJECT MATTER HEREOF, INCLUDING BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND WARRANTIES OF TITLE AND NON-INFRINGEMENT. B. EXCEPT FOR DAMAGES CAUSED BY A PARTY S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT OR AS PROVIDED IN SECTION 4.C, IN NO EVENT SHALL: (I) EITHER PARTY BE LIABLE TO THE OTHER FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT, PUNITIVE OR SPECIAL DAMAGES OR FOR ANY DAMAGES AS A RESULT OF LOSS OF BUSINESS, REVENUE, GOODWILL, OR OTHER COMMERCIAL OR ECONOMIC LOSS, TO THE EXTENT ARISING OUT OF OR IN CONNECTION WITH THE QIR PROGRAM, THE PCI MATERIALS, THIS AGREEMENT OR THE SUBJECT MATTER HEREOF, HOWEVER CAUSED, WHETHER UNDER THEORY OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, EVEN IF ADVISED OF THE POSSIBILITY OF PCI Qualificatin Requirements fr QIRs, v 3.0 September PCI Security Standards Cuncil, LLC Page 15

19 SUCH DAMAGES; OR (II) THE AGGREGATE LIABILITY OF EITHER PARTY TO THE OTHER UNDER OR IN CONNECTION WITH THE QIR PROGRAM, THE PCI MATERIALS, THIS AGREEMENT OR THE SUBJECT MATTER HEREOF EXCEED THE AMOUNT OF FEES PAID TO PCI SSC HEREUNDER. C. QIR shall defend, indemnify, and hld harmless PCI SSC and its fficers, directrs, members, emplyees, agents, representatives, cntractrs, attrneys, successrs, and assigns (cllectively, "Indemnified Parties") frm and against any and all claims, lsses, liabilities, damages, suits, actins r prceedings (including withut limitatin, reasnable attrney's fees and related csts) (cllectively, Claims ) arising r resulting frm any claim by any third party regarding QIR s (i) breach f any warranty, representatin r agreement herein; r (ii) perfrmance r nn-perfrmance f the Services; prvided, hwever, that QIR s bligatins pursuant t this Sectin 4.C shall nt apply t any Claim t the extent arising frm the negligence r willful miscnduct f an Indemnified Party r any defect in the PCI SSC Materials t the extent used by QIR withut mdificatin and fr their intended purpse. 5. Term and Terminatin. This Agreement shall cmmence as f the Effective Date, remain in full frce and effect fr a perid until terminated pursuant t this Sectin (the Term ), and may be terminated (a) by QIR upn ntice r (b) by PCI SSC (i) as f the end f any calendar year f the Term upn at least sixty (60) days ntice; (ii) upn ntice in cnnectin with (A) any vluntary r invluntary bankruptcy, receivership, rerganizatin, disslutin r liquidatin f QIR that is nt therwise dismissed within thirty (30) days, (B) QIR's breach f any representatin r warranty under this Agreement, (C) Revcatin f QIR s QIR Cmpany qualificatin, r (D) failure f QIR t satisfy applicable QIR Cmpany re-qualificatin requirements in accrdance with QIR Prgram plicy and prcedure; r (iii) upn fifteen (15) days ntice in the event f QIR's breach f any ther prvisin heref that is nt cured within such 15-day perid. Sectins 4, 6, 7 and 8 f this Agreement and Sectin f the QIR Prgram Guide shall any survive terminatin f this Agreement. 6. Cnfidentiality and Required Disclsures; Use f Marks. QIR hereby acknwledges and agrees t cmply with the cnfidentiality and required disclsure prvisins set frth in the QIR Qualificatin Requirements. T help ensure its ability t prmptly make such required disclsures, QIR shall ensure that its written agreements with each Custmer permit QIR t make such disclsures t PCI SSC, in accrdance with the QIR Qualificatin Requirements. 7. Ntices. Ntices hereunder shall be in writing and deemed effective when delivered persnally, r by vernight curier upn verificatin f receipt, r by facsimile transmissin upn electrnic cnfirmatin f transmissin, r by certified r registered mail, return receipt requested, five (5) days after the mailing date. Ntices t QIR shall be sent t its Primary Cntact at the address specified fr QIR during QIR Cmpany registratin n the Website. Ntices t PCI SSC shall be sent t PCI SSC, attentin: General Manager, at 401 Edgewater Place, Suite 600, Wakefield, Massachusetts A party heret may change its cntact r address fr ntices and/r its Primary Cntact by ntice in accrdance with this Sectin. Ntwithstanding the freging, PCI SSC may prvide any ntice under this Agreement by electrnic mail transmissin t QIR s last designated Primary Cntact r by psting t the QIR Prgram Prtal, which ntice shall be deemed effective immediately thereafter. 8. General. This Agreement is gverned by the laws f the State f Delaware, withut resrt t its cnflict f laws prvisins. If any prvisin heref is r is determined t be vid, invalid r unenfrceable, the validity f the remaining prvisins shall nt be affected thereby. This Agreement (including the QIR Qualificatin Requirements and QIR Prgram Guide, each hereby incrprated int and made a part f this Agreement) sets frth the exclusive agreement between the parties with respect t its subject matter, and supersedes and merges all prir understandings and agreements, ral r written, between the parties with respect t such subject matter. This Agreement may be mdified, altered r amended by PCI SSC upn thirty (30) days ntice, prvided, that if QIR des nt agree with such mdificatin, alteratin r amendment, QIR may terminate this Agreement upn ntice t PCI SSC within such thirty (30) day perid, and therwise, such mdificatin, alteratin r amendment will be effective as f the end f such 30-day perid. The waiver r failure f either party heret t exercise any right prvided fr PCI Qualificatin Requirements fr QIRs, v 3.0 September PCI Security Standards Cuncil, LLC Page 16

20 in this Agreement shall nt be deemed a waiver f any further right. QIR may nt assign this Agreement, r assign, delegate r subcntract any f its rights r bligatins hereunder, withut PCI SSC s prir written cnsent. All remedies herein are cumulative, in additin t any ther remedies available at law r in equity, subject nly t the express limitatins n liabilities and remedies set frth herein. In the event f an express cnflict between this Agreement and the QIR Qualificatin Requirements r the QIR Prgram Guide, this Agreement shall cntrl. PCI Qualificatin Requirements fr QIRs, v 3.0 September PCI Security Standards Cuncil, LLC Page 17

21 Appendix B. Applicatin Checklist This Appendix prvides a checklist f items that the applicant QIR Cmpany ( Cmpany ) and its applicant QIR Emplyees ( Emplyees ) will need t prvide, cmplete r d during the QIR Prgram applicatin prcess. The applicatin can be fund nline in the Prtal. Secure access t the Prtal will be prvided during the applicatin prcess. Cmpany Applies t QIR Prgram PA-DSS Vendr Authrizatin The Cmpany must cnfirm that it is either a direct prvider f a PA-DSS validated Payment Applicatin r a cmpletely independent third party licensed r therwise authrized by a PA-DSS validated Payment Applicatin vendr t implement that Payment Applicatin int the merchant r service prvider envirnment. Direct prvider f a PA-DSS validated Payment Applicatin Independent third party license r therwise authrized by the PA-DSS validated Payment Applicatin vendr t implement the validated Payment Applicatin int the Custmer r service prvider envirnment QIR Agreement The Cmpany must accept the QIR Agreement. Fees Primary Cntact Infrmatin Markets Languages Attestatin Cmpleted The Cmpany must pay all applicable Fees (see QIR Prgram Fee Schedule n Website) prir t qualificatin, payable t PCI SSC. The Cmpany must identify a Primary Cntact and include all cntact details. The Primary Cntact is the individual that will receive all Cuncil cmmunicatins and will be the liaisn between the QIR Cmpany/Emplyee and PCI SSC. The Cmpany must identify all reginal markets served. The Cmpany must identify all supprted languages. The Cmpany must cnfirm that it (and its principles) have n past r present allegatins r cnvictins f any fraudulent r criminal activity against them, r prvide a written statement describing any such allegatins r cnvictins and the status and reslutin theref. The Cmpany must cnfirm experience in infrmatin technlgy and experience in installing and cnfiguring applicatins, preferably Payment Applicatins, equal t at least ne year r three separate engagements The Cmpany must cnfirm that it has prcesses in place fr ensuring all QIR Emplyees are trained in and maintain up-t-date knwledge abut the PA-DSS validated Payment Applicatin(s) fr which they will be perfrming Qualified installatins. (This training may have ccurred prir t the QIR Applicatin prcess.) The Cmpany must cnfirm that it perfrms persnnel backgrund checks (t the extent legally permissible in the applicable jurisdictin) and that each QIR emplyee has successfully cmpleted the backgrund check. PCI Qualificatin Requirements fr QIRs, v 3.0 September PCI Security Standards Cuncil, LLC Page 18

22 The Cmpany must agree that it emplys a minimum f ne (1) QIR Emplyee at all time, in rder t becme and remain listed as a QIR Cmpany n the PCI SSC Website. The Cmpany must cnfirm that it has incrprated the fllwing int a Quality Manual as defined in sectin f the QIR Qualificatin Requirements: A reference t the QIR Cmpany s installatin prcedures r details f the installatin prcesses. A reference t prcedures r details f prcesses fr emplyees and cntractrs with access t Custmer sites t strictly fllw secure access, installatin, maintenance and supprt prcesses included in the PA-DSS Implementatin Guide fr each validated Payment Applicatin. Business License Webpage Link Apprpriate requirements, prcesses and/r prcedures t ensure the prper dcumentatin f all installatin results. A requirement fr the Lead QIR t cmplete the QIR Implementatin Statement and sign the cmpleted dcument. A requirement fr quality review f all QIR Implementatin Statements. A requirement that all QIR Emplyees must adhere t the QIR Prgram Guide A requirement fr a prcess t manage security vilatins. A requirement t maintain cpies f training recrds cnfirming that each QIR Emplyee, befre being assigned t a Qualified Installatin, has received requisite QIR Prgram training. A requirement fr QIR Emplyees t dcument within the QIR Implementatin Statement and ntify the Custmer r service prvider f any areas that are nt implemented in accrdance with PCI DSS. The Cmpany must uplad a cpy f its business license (See Business License Requirements n Website) The Cmpany must prvide the URL fr its webpage. Emplyees Apply t QIR Prgram Wrk Histry, Résumé, Curriculum Vitae Training Registratin The Primary Cntact must uplad a cpy f each applicant QIR Emplyee s Wrk Histry, Résumé r Curriculum Vitae that includes relevant wrk experience and respnsibilities in installatins, system hardening, netwrk security, etc., and wrk experience related t the payment industry. Once the Primary Cntact has cmpleted the Emplyee Applicatin, the PCI SSC QIR Prgram Manager will register the Emplyee fr training. The Primary Cntact will receive an invice fr training fees, and will be respnsible fr payment f that invice befre the trainee receives access t QIR training material. PCI Qualificatin Requirements fr QIRs, v 3.0 September PCI Security Standards Cuncil, LLC Page 19

23 Cde f Prfessinal Respnsibility QIR Training and Exam The Emplyee must agree t supprt the Cde f Prfessinal Respnsibility. This agreement is intrduced at the beginning f the nline training curse. The Emplyee will electrnically agree t the Cde. The Emplyee must cmplete QIR Training and successfully pass the training exam. PCI Qualificatin Requirements fr QIRs, v 3.0 September PCI Security Standards Cuncil, LLC Page 20