Payment Card Industry (PCI) Data Security Standard Qualification Requirements. For Approved Scanning Vendors (ASV)

Transcription

1 Payment Card Industry (PCI) Data Security Standard Qualification Requirements For Approved Scanning Vendors (ASV) Version 2.1 December 2013

2 Document Changes Date DSS Version Description October 1, To align version number with PCI DSS v1.2; no other changes made. February PCI DSS Validation Requirements for Approved Scanning Vendors (ASVs) Version 2.0, this is the third release of the Validation Requirements for Approved Scanning Vendors (ASVs). Constructed and finalized by PCI SSC s Technical Working Group (TWG) and approved by the PCI SSC Executive Committee. December Documented the remediation process and made minor changes to be consistent with v2.0 of the PCI Data Security Standards PCI Security Standards Council, LLC Page i

3 Table of Contents Document Changes... i 1 Introduction Terminology Goal Qualification Process Overview Document Structure Related Publications ASV Application Process Additional Information Requests ASV Business Requirements Business Legitimacy Independence Insurance Coverage ASV Fees ASV Agreements ASV Capability Requirements ASV Company Services and Experience ASV Employee Skills and Experience ASV Administrative Requirements Contact Person Background Checks Adherence to PCI Procedures Quality Assurance Protection of Confidential and Sensitive Information Evidence Retention ASV Initial Qualification and Annual Re-qualification ASV List ASV Re-qualification ASV Remediation Process ASV Revocation Process Appendix A. PCI ASV Compliance Test Agreement Appendix B. PCI ASV Application Process Checklist Appendix C. Insurance PCI Security Standards Council, LLC Page ii

4 1 Introduction Developed in response to requests from merchants for a unified set of payment account data security requirements, the Payment Card Industry (PCI) Data Security Standard ( PCI DSS, as further described below) is a single set of requirements for cardholder data protection across the entire industry, maintained by PCI Security Standards Council, LLC ( PCI SSC ). Key to the success of the PCI DSS is merchant and service provider compliance. PCI DSS requirements, when implemented appropriately, provide a well-aimed defense against data exposure and compromise. Organizations recognized by PCI SSC to validate adherence to the PCI DSS by performing vulnerability scans of internet facing environments of merchants and service providers as part of the PCI SSC Approved Scanning Vendor Compliance Test Program (the ASV Program ) are known as Approved Scanning Vendor companies ( ASV Companies, as further described below). PCI SSC provides a variety of tools to promote the compliance of internet-facing systems with the PCI DSS, including specific requirements for scans of merchants and service providers, and for periodic remote scanning services performed by ASV Companies as part of the ASV Program ( PCI Scanning Services, as further described below). Validation of these requirements by independent and qualified security companies is important to help ensure the effectiveness of the PCI DSS. The quality, reliability, and consistency of an ASV Company s work are essential to ensure the protection of cardholder data. This document describes the necessary requirements for ASV Companies (and their ASV Employees) to be qualified by PCI SSC to perform PCI Scanning Services. To achieve (and maintain) such qualification, ASV Companies and ASV Employees must comply with all applicable ASV Requirements, including without limitation the requirements set forth in this document. 1.1 Terminology Throughout this document, the terms set forth in this Section 1.1 shall have the corresponding meanings appearing in the table below: ASV Agreement ASV Company ASV Employee The then current version of (or successor document to) the PCI ASV Compliance Test Agreement, the current version of which is attached as Appendix A to the ASV Qualification Requirements. A data security firm that has been qualified, and continues to be qualified, by PCI SSC to use an ASV Scan Solution to determine compliance of their Scan Customers with the external vulnerability scanning requirement of PCI DSS Requirement for ASV Program purposes. An individual who is employed by an ASV Company and has satisfied, and continues to satisfy, all ASV Requirements applicable to employees of ASV Companies who will use an ASV Scan Solution to determine compliance of their customers with the external vulnerability scanning requirement of PCI DSS Requirement for ASV Program purposes, as described in further detail herein PCI Security Standards Council, LLC Page 1

5 ASV Lab Scan Test ASV List ASV Program Guide ASV Qualification Requirements ASV Requirements ASV Scan Solution ASV Validation Lab PCI DSS PCI Scanning Services The testing of an ASV Scan Solution by an ASV Validation Lab to demonstrate for ASV Program purposes that the ASV Scan Solution performs in accordance with the ASV Program Guide. The then current list of ASV Companies published by PCI SSC on the Website. The then-current version of (or successor documents to) the Payment Card Industry (PCI) Data Security Standard (DSS) Approved Scanning Vendors Program Guide, as from time to time amended and made available on the Website. The then-current version of (or successor documents to) the Payment Card Industry (PCI) Qualification Requirements for Approved Scanning Vendors (ASV), as from time to time amended and made available on the Website. With respect to a given ASV Company or ASV Employee, the requirements and obligations thereof pursuant to the ASV Qualification Requirements, the ASV Agreement, the ASV Program Guide, each addendum, supplement, and other agreement entered into between such ASV Company or ASV Employee and PCI SSC, and any and all other policies, procedures, requirements or obligations imposed, mandated, provided for or otherwise established by PCI SSC from time to time in connection with any PCI SSC program in which such ASV Company or ASV Employee (as applicable) is then a participant, including but are not limited, to the requirements of all applicable PCI SSC training programs, quality assurance and remediation programs, program guides, and other related PCI SSC program materials. A set of security services, tool(s) and processes offered by an ASV Company to validate compliance of a Scan Customer with the external vulnerability scanning requirement of PCI DSS Requirement for ASV Program purposes, including without limitation, all corresponding ASV Company scanning procedures, scanning tool(s), scan reports, processes for exchanging information between the ASV Company and the Scan Customer, and processes used by the applicable ASV Company and its ASV Employees to: Operate the ASV Scan Solution Submit the scan report to the Scan Customer and Review and interpret scan results, as needed. A third party testing facility designated by PCI SSC for purposes of evaluating and determining whether ASV Scan Solutions perform in accordance with the ASV Program Guide. The then-current version of (or successor documents to) the Payment Card Industry (PCI) Data Security Standard and Security Assessment Procedures, as from time to time amended and made available on the Website. Remote scanning services performed by an ASV Company and ASV Employee(s), using an ASV Scan Solution appearing on the ASV List, for purposes of validating compliance of a Scan Customer with the external vulnerability scanning requirement of PCI DSS Requirement PCI Security Standards Council, LLC Page 2

6 PCI SSC Scan Customer Website for ASV Program purposes. PCI Security Standards Council, LLC. A merchant, service provider that undergoes a quarterly external vulnerability scan performed by an ASV Company for purposes of validating such Scan Customer s compliance with the external vulnerability scanning requirement of PCI DSS Requirement for ASV Program purposes. The then-current PCI SSC Web site (and its accompanying Web pages), which is currently available at Goal To be qualified as an ASV Company by PCI SSC, the ASV Company and its ASV Employees and ASV Scan Solution(s) must meet or exceed all applicable ASV Requirements, and the ASV Company must execute the ASV Agreement with PCI SSC. Companies that qualify are identified on PCI SSC s ASV List on the PCI SSC s Website in accordance with the ASV Agreement. The requirements defined in this document serve as a qualification baseline, and provide a transparent process for ASV Company and ASV Employee qualification and re-qualification for ASV Program purposes. Among other things, the ASV Company and ASV Employees must adhere to all requirements in these ASV Qualification Requirements, and must provide all of the required provisions described herein. 1.3 Qualification Process Overview The ASV qualification process consists of three parts: the first involves the qualification of the security company itself. The second relates to the qualification of the company s employee(s) responsible for the PCI Scanning Services. The third consists of the security testing of the company s ASV Scan Solution(s). All ASV Companies appear on the ASV List. If a security company is not on this list, its work product is not recognized by PCI SSC. ASV Companies and ASV Employees must re-qualify annually. The ASV Qualification Requirements are incorporated into the ASV Agreement. To initiate the qualification process, the security company must sign the ASV Agreement in unmodified form and submit it to PCI SSC. One provision of the ASV Agreement requires the company to warrant that to the best of its ability the information provided to PCI SSC to support the ASV application process is accurate and complete as of the date of its submission. 1.4 Document Structure This document defines the requirements a security company must meet to become an ASV Company. The document is structured in five sections as follows. Section 1: Introduction offers a high level overview of the ASV application process. Section 2: ASV Company Business Requirements covers minimum business requirements that must be demonstrated to PCI SSC by the security company. This section outlines PCI Security Standards Council, LLC Page 3

7 information and items that must be provided to prove business stability, independence, and insurance coverage. Section 3: ASV Capability Requirements reviews the information and documentation necessary to demonstrate the security company s service expertise, as well as that of at least two of its employees. Section 4: ASV Company Administrative Requirements focuses on the standards to meet regarding the logistics of doing business as an ASV Company, including background checks, adherence to PCI SSC procedures, quality assurance, and protection of confidential and sensitive information. Section 5: ASV Qualification Maintenance briefly outlines the yearly re-qualification process, as well as remediation and revocation procedures if there is a breach of the ASV Agreement. 1.5 Related Publications This document should be used in conjunction with the current publically available versions of the following other PCI SSC publications (or successor documents), each available through the PCI SSC web site: Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS) Payment Card Industry (PCI) Approved Scanning Vendors Program Guide 1.6 ASV Application Process In addition to explaining the requirements that an ASV Company and its ASV Employees must meet to be recognized by PCI SSC to perform PCI Scanning Services, this document describes the information that must be provided to PCI SSC as part of the application and qualification process. Each outlined requirement is followed by the information that must be submitted to document that the security company meets or exceeds the stated requirements. To facilitate preparation of the application package, refer to Appendix B: ASV Application Process Checklist. All application materials and the signed ASV Agreement must be submitted in English. The ASV Agreement is binding in English even if the ASV Agreement was translated and reviewed in another language. All other documentation provided by the ASV Company in a language other than English must be accompanied by a certified English translation (examples include business licenses and insurance certificates). All application packages must include a signed ASV Agreement and the required documentation. Applicants should send the completed packages by mail to the following address: submissions will not be accepted. PCI SSC 401 Edgewater Place, Suite 600 Wakefield, MA Phone number: Important Note: PCI SSC reserves the right to reject any application from any applicant (company or employee) that PCI SSC determines has committed, within two (2) years prior to PCI Security Standards Council, LLC Page 4

8 the application date, any conduct that would have been considered a Violation (defined in Section 5.4 below) if committed by an ASV Company or ASV Employee. The period of ineligibility will be a minimum of one (1) year, as determined by PCI SSC in a reasonable and non-discriminatory manner, in light of the circumstances. 1.7 Additional Information Requests In an effort to maintain the integrity of the ASV Program, PCI SSC may from time to time request that ASV Companies and ASV Employees submit additional information or materials in order to demonstrate adherence to applicable requirements or as part of the applicable qualification or re-qualification process. All such additional information and materials must be submitted in English or with a certified English translation. ASV Companies are required to respond to each such request with the required information or documentation no later than three (3) weeks from receipt of the corresponding written request PCI Security Standards Council, LLC Page 5

9 2 ASV Business Requirements This section describes the minimum business requirements and related information that must be provided to PCI SSC. The provisions requested include information about the company s business legitimacy, independence, and required insurance coverage. 2.1 Business Legitimacy Requirement The ASV Company must be recognized as a legal entity Provisions 2.2 Independence The following information must be provided to PCI SSC: Copy of current ASV Company organizational document or equivalent approved by PCI SSC (the Business License ), including year of incorporation and location(s) of offices (see the Website Business License Requirements) Written statements describing any past or present allegations or convictions of any fraudulent or criminal activity involving the ASV Company (and ASV principals), and the status and resolution Requirement The ASV Company must adhere to professional and business ethics, perform its duties with objectivity, and limit sources of influence that might compromise its independent judgment in performing PCI Scanning Services. The ASV Company must have a code of conduct policy, and provide this code of conduct policy to PCI SSC upon request. The ASV Company must adhere to all independence requirements as established by PCI SSC, including without limitation, the following: The ASV Company must not undertake to perform PCI Scanning Services of entities that it controls or entities that it is controlled by or with which it is under common control or in which it holds any investment. The ASV Company must (and will) not have offered, been offered, provided or received any gift, gratuity, service, or other inducement to any employee of PCI SSC, or to any Scan Customer, in order to enter into the ASV Agreement or any agreement with any Scan Customer, or to provide ASV-related services. The ASV Company must fully disclose in a separate document and attach to the scan report if they perform PCI Scanning Services to customers who use any security-related devices or security-related applications that have been developed or manufactured by the ASV Company, or to which the ASV Company owns the rights, or that the ASV Company has configured or manages, including the following: Application or network firewalls Intrusion detection/prevention systems PCI Security Standards Council, LLC Page 6

10 Database or other encryption solutions Security audit log solutions File integrity monitoring solutions Anti-virus solutions The ASV Company must have an internal separation of duties between the scanning service they provide and any managed security services provided to Scan Customers. The ASV Company agrees that when the ASV Company recommends remediation actions which include one of its own solutions or products, the ASV Company will also recommend other market options that exist. The ASV Company agrees that it will not use its status as a listed ASV to market services unnecessary to bring ASV Company subjects into compliance with the PCI DSS. The ASV Company must not, and agrees that it will not, misrepresent requirements of the PCI DSS in connection with its promotion or sales of services to ASV Company clients, or state or imply that the PCI DSS requires use of the ASV Company's products or services Provisions 2.3 Insurance Coverage The ASV Company must describe company practices to maintain scanning independence, including but not limited to practices, organizational structure, separation of duties, and employee education in place to prevent conflicts of interest in a variety of scenarios, such as the following: ASV Company customer uses products or applications developed or manufactured by the ASV Company. ASV Company customer uses products or applications managed or configured by the ASV Company. The description must include details with respect to compliance with the independence requirements described in Section above Requirement At all times while its ASV Agreement is in effect, the ASV Company shall maintain sufficient insurance, insurers, coverages, exclusions, and deductibles that PCI SSC reasonably requests to adequately insure the Vendor for its obligations and liabilities under the ASV Agreement, including without limitation, the ASV Company's indemnification obligations. The ASV Company must adhere to all requirements for insurance coverage required by PCI SSC, including without limitation, the requirements in Appendix C Insurance Coverage, which includes details of required insurance coverage PCI Security Standards Council, LLC Page 7

11 2.4 ASV Fees Provisions The ASV Company must sign the ASV Agreement, which states that the ASV Company meets locally applicable PCI SSC insurance coverage requirements. The ASV Company must provide a proof of coverage statement to PCI SSC to show that insurance coverage matches locally-mandated insurance coverage requirements Requirement Each ASV Company applicant must provide to PCI SSC an Initial Test for New Solution fee (see the Website - PCI SSC Programs Fee Schedule). Notification will be sent providing instructions for enrolling in training, and the ASV Company applicant must provide ASV Training Initial Qualification fees for a minimum of two employees. The fee check(s) should be made payable to PCI SSC and mailed once the ASV application is approved. See Section 1.6 of this document for the mailing address. The Initial Test for New Solution fee, which must be paid in full within 30 days of notification. An annual ASV re-qualification test fee for subsequent years. For each ASV Employee, a fee for PCI SSC training. This is an annual fee. Note: All of the fees described herein ( ASV Program Fees ) are specified on the Website see PCI SSC Programs Fee Schedule and are subject to change. 2.5 ASV Agreements Requirement PCI SSC requires that all agreements between PCI SSC and the ASV Company (including the ASV Agreement) be signed by a duly authorized officer of the ASV Company, submitted in unmodified form to PCI SSC, and submitted with the completed ASV application package. The ASV Agreement requires, among other things, that the ASV Company and its ASV Employees comply with all applicable ASV Requirements PCI Security Standards Council, LLC Page 8

12 3 ASV Capability Requirements This section describes the minimum ASV capability requirements and related documentation the ASV Company and ASV Employees must provide to PCI SSC. The provisions requested include information to demonstrate necessary information security vulnerability assessment expertise, work history, and industry experience. 3.1 ASV Company Services and Experience Requirement The ASV Company must possess security scanning assessment experience similar or related to the PCI Scanning Services. The ASV Company must have a dedicated security practice that includes staff with specific job functions that support the security practice Provisions The following information must be provided to PCI SSC: ASV Company s experience and knowledge with information security vulnerability assessment engagements and penetration testing, preferably related to payment systems Description of the ASV Company s relevant areas of specialization within information security (for example, network security, database and application security, and incident response) Evidence of a dedicated security practice, such as: The total number of employees on staff and the number and specific roles of those performing security scanning assessments; and The percentage of time dedicated to PCI Scanning Services Brief description of other core business offerings Description of size and types of market segments in which the ASV Company tends to focus, such as Fortune 500, financial industry, insurance industry, or small-medium sized businesses List of languages supported by the ASV Company Two client references from security engagements within the last 12 months 3.2 ASV Employee Skills and Experience At least two ASV Employees performing or managing PCI Scanning Services must be qualified by PCI SSC. ASV Employees are responsible for performance of the PCI Scanning Services in accordance with the ASV Program Guide Requirement Each ASV Employee(s) performing or managing PCI Scanning Services must satisfy the following requirements: Demonstrate sufficient knowledge about the PCI DSS and the ASV Program by PCI Security Standards Council, LLC Page 9

13 attending annual training provided by PCI SSC, and legitimately pass of his or her own accord without any unauthorized assistance the examination conducted as part of training. If an ASV Employee fails to pass any exam in connection with such training, the ASV Employee must no longer perform or manage PCI Scanning Services until successfully passing all required exams on a future attempt. Possess a minimum of three (3) years of information security experience as follows: o o A minimum of one (1) year in vulnerability scanning and/or penetration testing At least two (2) years in any two of the following areas of expertise (with a minimum of one year in each discipline): Network security Application security System security IT security auditing IT security risk assessment Possess ONE of the following: o A current industry-recognized security certification: CISA, CISM, CISSP OR o An additional two (2) years of information security experience, in at least two of the following areas of expertise, with a minimum of one year in each discipline: Network security Application security System security IT security auditing IT security risk assessment Provisions Note: This section is intended to draw out specific experience from the Candidate (defined below). The Candidate must provide examples (including the timeframe) of how their work experience meets the ASV Program requirements. This section is intended to measure the Candidate s skills against the required skills. The following information must be provided to PCI SSC for each individual to be qualified as an ASV Employee: A current copy of the Candidate s Résumé or Curriculum Vitae : Years of working experience and responsibilities PCI Security Standards Council, LLC Page 10

14 Years of experience related to payment industry and responsibilities A description of a minimum of three (3) years of information security experience as follows: o o A description of a minimum of one (1) year in vulnerability scanning and/or penetration testing A description of at least two (2) years in any two of the following areas of expertise (with a minimum of one year in each discipline): Network security Application security System security IT security auditing IT security risk assessment ONE of the following: o A copy of a current industry-recognized security certification: CISA, CISM, CISSP OR o A description of an additional two (2) years of information security experience, in at least two of the following areas of expertise, with a minimum of one year in each discipline: Network security Application security System security IT security auditing IT security risk assessment PCI Security Standards Council, LLC Page 11

15 4 ASV Administrative Requirements This section describes the administrative requirements for ASV Companies, including company contacts, background checks, adherence to PCI SSC procedures, quality assurance, and protection of confidential and sensitive information 4.1 Contact Person Requirement The ASV Company must provide PCI SSC with a primary and secondary contact Provisions The following contact information must be provided to PCI SSC, for both primary and secondary contacts: Name Job Title Address Phone number Fax number address 4.2 Background Checks Requirements The ASV Company must perform a background check satisfying the Minimum Background Check Requirements (described below) when hiring each ASV Employee, to the extent legally permitted within the applicable jurisdiction. The ASV Company must adhere to all legally permissible background check requirements as required by PCI SSC from time to time. Upon request, the ASV Company must provide to PCI SSC the background check history for each ASV Employee, to the extent legally permitted within the applicable jurisdiction Provisions The ASV Company must provide the following to PCI SSC to the extent legally permitted within the applicable jurisdiction: For each employee to be qualified, a written statement that the ASV Employee successfully completed the background check in accordance with the ASV Company s policies and procedures An officer of the ASV Company must sign the ASV Agreement, which includes a statement that the ASV Company will perform background checks for each ASV Employee, in accordance with applicable ASV procedures A summary description of current ASV Company personnel background check policies and procedures, to confirm the procedures include at least the following PCI Security Standards Council, LLC Page 12

16 minimum background check requirements to the extent legally permissible in the applicable jurisdiction (the Minimum Background Check Requirements ): Verification of aliases (when applicable) Review of records of any criminal activity, arrests, or convictions, updated annually Misdemeanors and non-us equivalents are allowed, but felonies and non-us equivalents automatically disqualify an employee from consideration as an ASV Employee 4.3 Adherence to PCI Procedures Requirements 4.4 Quality Assurance The ASV report must follow the procedures documented in the ASV Program Guide An officer of the ASV Company must sign the ASV Agreement, which includes a statement that the ASV Company will adhere to all ASV Requirements Requirements The ASV Company must have an implemented quality assurance process, documented in a quality assurance manual that includes a description of the controls for quality assurance reviewing of processes and documentation and controls to maintain the integrity of the scanning tools. The ASV Company must adhere to all PCI SSC quality assurance requirements. The ASV Company must provide an ASV Feedback Form to their Scan Customer at the completion of the PCI Scanning Service. The ASV Feedback Form is an on-line form available on the PCI SSC Website. PCI SSC reserves the right to conduct site-visits and audit the ASV Company at the discretion of the PCI SSC. Upon request, the ASV Company must provide the quality assurance manual to PCI SSC Provisions The ASV Company must provide the following to PCI SSC: The ASV Company s executed ASV Agreement, which includes a statement that the ASV Company has developed and implemented, and will adhere to, a quality assurance process and manual A description of the contents of the ASV Company s quality assurance process, to confirm the procedures fully document the PCI Scanning Services and the review process for generation of the report requirements contained in the ASV Program Guide, including at least the following: Reviews of scanning procedures, scan reports and supporting documentation, and additional information documented in the ASV Program Guide related to the appropriate selection of system components PCI Security Standards Council, LLC Page 13

17 Requirement that ASV Employees must adhere to the ASV Program Guide Requirement that the ASV Company has controls to maintain the integrity of their ASV Scan Solution tool(s). ASV Scan Solutions must: o o o o Be protected from unauthorized access Adhere to the ASV Company s change management policy and processes for changes to the ASV Scan Solution Be monitored or able to produce an alert when changes are made Ensure the ASV Company s systems cannot be used to gain unauthorized access to a Scan Customer s environment 4.5 Protection of Confidential and Sensitive Information Requirements The ASV Company must maintain adequate physical, electronic, and procedural safeguards consistent with industry-accepted practices to protect sensitive and confidential information against any threats or unauthorized access during storage, processing, and/or communicating of this information. The ASV Company must adhere to all requirements to protect sensitive and confidential information, as required by PCI SSC. The ASV Company must maintain the privacy and confidentiality of information obtained in the course of performing duties under the ASV Agreement, unless (and to the extent) disclosure is required by legal authority Provisions The ASV Company must provide the following: Description of the ASV Company s confidential and sensitive data protection handling practices, including physical, electronic, and procedural safeguards, including at least the following: Systems storing customer data do not reside on Internet accessible systems Protection of systems storing customer data by adequate network and application layer controls including a firewall and IDS/IPS The following physical and logical access controls: Restricting access (for example, via locks) to the physical office space Restricting access (for example, via locked file cabinets) to paper files Restricting logical access to electronic files by role-based access control Encryption of sensitive customer information when transmitted over the Internet either by or other means Secure transport and storage of backup media PCI Security Standards Council, LLC Page 14

18 Encryption of customer data on employees laptops Description of requirements and processes used to ensure employee confidentiality of customer data, including a (blank) copy of confidentiality agreements required to be signed by employees An officer of the ASV Company must sign the ASV Agreement, which includes a statement that the ASV Company will adhere to all ASV Requirements 4.6 Evidence Retention Requirements The ASV Company must securely maintain digital and/or hard copies of case logs, scanning results and work papers, notes, and any technical information that was created and/or obtained during the PCI Scanning Services for a minimum of three (3) years. The ASV Company must adhere to all requirements to protect sensitive and confidential information, as required by PCI SSC. This information must be available upon request by PCI SSC and its Affiliates for a minimum of three (3) years. The ASV Company must provide a copy of evidence retention policy and procedures to PCI SSC upon request Provisions A description of the ASV Company s evidence retention policy and procedures that covers the requirements must be provided to PCI SSC PCI Security Standards Council, LLC Page 15

19 5 ASV Initial Qualification and Annual Re-qualification This section describes the process after initial qualification and activities related to the annual ASV Company and Employee re-qualification. This section includes 1) the ASV List, 2) annual maintenance of ASV Company and Employee qualification, 3) remediation, if necessary, and 4) revocation, if necessary, of an ASV Company s or Employee s qualification. 5.1 ASV List Once a company has met all requirements specified in this document, PCI SSC will add the ASV Company to the ASV List. Only those ASV Companies on this list are authorized by PCI SSC to perform PCI Scanning Services. This list is posted on the PCI SSC Website. PCI SSC reserves the right to perform random site audits of the ASV Company. In the event a company does not meet the requirements in this document, PCI SSC will notify the company. The company will have 30 days from the date of notification to appeal the decision. Appeals must be addressed to PCI SSC General Manager. If a company s appeal is denied, its name will not be placed on the ASV List. 5.2 ASV Re-qualification Requirements All ASV Companies and Employees must be re-qualified by PCI SSC on an annual basis, based on the ASV Company s original qualification date. Re-qualification by PCI SSC is based on payment of annual fees, proof of training attended, achieving a passing result on the annual ASV Lab Scan Test and satisfactory feedback from the ASV Company Scan Customers (the merchants or service providers that received PCI Scanning Services) to PCI SSC. PCI SSC reserves the right to perform random on-site audits of the ASV Company Provisions The following must be provided to PCI SSC and/or will be considered by PCI SSC during the re-qualification process: Proof of information systems vulnerability assessment training within the last 12 months to support professional certifications (even if the employee does not have professional certifications), of a minimum 20 hours per year and 120 hours over the rolling three year period. This is in addition to training provided by PCI SSC. Payment of annual re-qualification fees (fees can be found on the Website PCI SSC Programs Fee Schedule). 5.3 ASV Remediation Process ASV Companies that do not meet all applicable ASV Requirements may be required to participate in remediation. When an ASV Company qualifies for remediation, the Primary Contact will be notified and its listing on the ASV List will be flagged (e.g. updated to show the ASV Company in red) PCI Security Standards Council, LLC Page 16

20 The Remediation Statement on the Website affirms the Council s position on remediation, and any external queries about the ASV Company s status should be directed either to that statement, or to the ASV Program Manager. ASV Companies in remediation may continue to perform PCI Scanning Services unless otherwise instructed by PCI SSC in connection with the remediation process. Issues such as failure to submit annual re-qualification fees, failure to meet annual training requirements, failure to meet Continuing Education (CE) requirements or failure to pass the annual ASV Lab Scan Test requirement within 30 days after the re-qualification date will result in remediation. ASV Companies who fail to meet such requirements will remain in remediation until the issue is resolved or until 60 days past the re-qualification date. ASV Companies who are unable to resolve their issues 60 days past the re-qualification date may be removed from the ASV List. ASV Companies that have been removed from the ASV List in connection with remediation will receive an notifying them that they are no longer an ASV Company and are not recognized by PCI SSC to perform PCI Scanning Services. ASV Companies that are removed from the ASV List as part of the remediation process (for any reason other than failure to pass the annual ASV Lab Scan Test) and desire to be reinstated must re-apply to the ASV Program. Failure to pass the Annual ASV Lab Scan Test ASV Companies are encouraged to begin the process of re-qualification at least 60 days prior to their re-qualification date. ASV Companies which have not passed the annual ASV Lab Scan Test within 30 days after their re-qualification date will be placed in remediation. ASV Companies which do not pass the annual ASV Lab Scan Test within 60 days past their re-qualification date will be removed from the ASV List. A de-listed company is no longer an ASV Company and is not recognized by PCI SSC to provide PCI Scanning Services. ASV Companies which have not passed the annual ASV Lab Scan Test within 60 days past their re-qualification date may continue to attempt to pass the ASV Lab Scan Test for up to 120 days past their re-qualification date without the need to re-apply to the ASV Program. Under no circumstances can an ASV Company re-test at the ASV Lab more than 120 days past their re-qualification date; they will be required to re-submit their application to the ASV Program. If an ASV Company fails three consecutive ASV Lab Scan Tests during the re-qualification process, they will be removed from the ASV List, will no longer be recognized by PCI SSC to perform PCI Scanning Services as an ASV Company, and cannot re-apply to the ASV Program for six months. Unfavorable feedback Unfavorable feedback is handled on a case-by-case basis and may result in qualifying an ASV Company for remediation PCI Security Standards Council, LLC Page 17

21 5.4 ASV Revocation Process Each of the events below is an example of a Violation (as defined in the ASV Agreement) that may result in immediate Revocation of ASV Company qualification (including removal from the ASV List), subject to reinstatement pending a successful appeal in accordance with the ASV Agreement, and/or termination of the ASV Agreement. This list is not exhaustive. Among other things, ASV Company qualification may be revoked if PCI SSC determines that the ASV Company is in breach of the ASV Agreement, including but not limited to: The ASV Company fails to validate compliance in accordance with the ASV Program Guide. The ASV Company violates any provision regarding non-disclosure of confidential materials. The ASV Company fails to maintain physical, electronic, and procedural safeguards to protect confidential and sensitive information and/or fails to report unauthorized access to systems storing confidential and sensitive information. The ASV Company engages in unprofessional or unethical business conduct. The ASV Company fails to provide quality services, based on customer feedback or evaluation by PCI SSC or its Affiliates. The ASV Company fails to satisfy any other ASV Requirement. When ASV Company qualification is revoked, the ASV Company will have 30 days from the date of notification to appeal the revocation. Appeals must be addressed to the PCI SSC General Manager. If an ASV Company s appeal is denied, the following will result: The ASV Company s name will be removed from the ASV List. PCI SSC may notify third parties, including but not limited to Members (defined in the ASV Agreement) PCI Security Standards Council, LLC Page 18

22 Appendix A. PCI ASV Compliance Test Agreement THIS AGREEMENT (the "Agreement") is entered into between PCI Security Standards Council, LLC, a Delaware limited liability company, having its principal place of business at 401 Edgewater Place, Suite 600, Wakefield, Massachusetts ("PCI SSC") and the entity identified on the signature page below ("Vendor"), effective as of the date executed by PCI SSC as set forth on the signature page hereto (the "Effective Date"). PCI SSC and Vendor are hereinafter each referred to as a "Party" and collectively as the Parties. RECITALS A. PCI SSC is an international consortium of payment systems companies, established by its founding Members to maintain, develop and support the implementation of standards relating to payment account security. B. PCI SSC offers a global security solution called the PCI SSC Approved Scanning Vendor Compliance Test Program ("ASV Program"), which provides security compliance solution vendors with the ability to provide PCI Scanning Services (defined in the ASV Qualification Requirements) to deploy security compliance programs to assist their Scan Customer to better protect against illegitimate network intrusions and account data compromises (collectively, "Vendor Services"). C. PCI SSC publishes the PCI DSS (defined below). D. Vendor is the provider of one or more ASV Scan Solutions that it believes are compliant with the PCI DSS. E. PCI SSC is willing to assist and to check whether such ASV Scan Solutions are compliant with the PCI DSS and Vendor meets the requirements for PCI SSC-approved scanning vendor companies ("ASV Companies"). In case an ASV Scan Solution is deemed compliant with the PCI DSS and Vendor meets such requirements, Vendor will be entitled to present itself to Scan Customers as an ASV Company with respect to such ASV Scan Solution in the framework of the ASV Program, as provided in this Agreement. F. Vendor has submitted an application package, requesting participation in the ASV Program, and PCI SSC has determined that Vendor is eligible to move to the initial approval Testing phase of the ASV Program. NOW THEREFORE, in consideration of the mutual promises herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties hereby agree as follows: PCI Security Standards Council, LLC Page 19

23 1 Definitions 1.1 In addition to the definitions established elsewhere in this Agreement, the following terms, when capitalized in this Agreement, shall have the following meanings ascribed to them: ASV Requirements has the meaning ascribed to it in the ASV Qualification Requirements; ASV Qualification Requirements means the then-current version of (or successor documents to) the Payment Card Industry (PCI) Qualification Requirements for Approved Scanning Vendors (ASV), as from time to time amended and made available on the Website; "Compliance Notification" shall mean a letter or electronic correspondence in the form attached as Schedule 1 (or in such other form as PCI SSC may approve from time to time), which is hereby incorporated into this Agreement; "Confidential Information" shall mean (i) all terms of this Agreement; (ii) any and all information designated in this Agreement as Confidential Information; (iii) any and all originals or copies of, any information that either Party has identified in writing as confidential at the time of disclosure; and (iv) any and all Personal Information, proprietary information, merchant information, technical information or data, scan reports, trade secrets or know-how, information concerning either Party's past, current, or planned products, services, fees, finances, member institutions, Issuers, Acquirers, concepts, methodologies, research, experiments, inventions, processes, formulas, designs, drawings, business activities, markets, plans, customers, equipment, card plastics or plates, software, source code, hardware configurations or other information disclosed by either Party or any Member, or their respective directors, officers, employees, agents, representatives, independent contractors or attorneys, in each case, in connection with the ASV Program or other PCI SSC activities and in whatever form embodied (e.g., oral, written, electronic, on tape or disk, or by drawings or inspection of parts or equipment or otherwise), including without limitation, any and all other information that reasonably should be understood to be confidential. "Personal Information" means any and all Participating Payment Brand payment card account numbers, Participating Payment Brand transaction information, IP addresses or other PCI SSC, or Member or third party information relating to a natural person received in connection with the ASV Program or other PCI SSC activities, where the natural person could be identified from such information. Without limiting the foregoing, Personal Information further includes any information related to any Participating Payment Brand accountholder that is associated with or organized or retrievable by an identifier unique to that accountholder, including accountholder names, addresses, or account numbers; "Intellectual Property Rights" shall mean all present and future patents, trade marks, service marks, design rights, database rights (whether registrable or unregistrable, and whether registered or not), applications for any of the foregoing, copyright, know-how, trade secrets, and all other industrial or intellectual property rights or obligations whether registrable or unregistrable and whether registered or not in any country; Member means an entity that, as of the time in question, is then formally admitted as (or an affiliate of) a member of PCI SSC in accordance with its governing documents (status as a PCI SSC Participating Organization does not establish that an entity is a Member ); Participating Payment Brand means a payment card brand that, as of the time in question, is also a Member and owner of PCI SSC or affiliate thereof. Participating PCI Security Standards Council, LLC Page 20

24 Payment Brands as of the release of this version of the Agreement were American Express Travel Related Services Company, Inc., DFS Services LLC, JCB Advanced Technologies, Inc., MasterCard International Incorporated, Visa International Service Association (and their affiliates); "PCI DSS" is defined in the ASV Qualification Requirements; "ASV Scan Solution" is defined in the ASV Qualification Requirements. Each ASV Scan Solution is identified and referred to in the applicable Compliance Notification (as further described in Section 5.1(b) below); "Testing" means evaluating an ASV Scan Solution to determine whether or not it complies with the PCI DSS for ASV Program purposes; "Test" and "Tested" will be interpreted accordingly; "Scan Customer" means any person or entity for which Vendor performs Testing, including without limitation, any member financial institution of a Participating Payment Brand (each a "Financial Institution"), issuer of Participating Payment Brand payment cards (each an "Issuer"), merchant authorized to accept any Participating Payment Brand payment cards (each a "Merchant"), acquirer of Merchant accounts ( Acquirer ) or data processing entity performing services for any Financial Institution, Issuer, Merchant or Acquirer ( Processor ); and Website Means the then-current PCI SSC Web site (and its accompanying Web pages), which is currently available at In this Agreement and unless the context otherwise requires, words importing the singular include the plural and vice versa, words importing the masculine gender include the feminine and neuter and vice versa. References to Sections and schedules are, unless otherwise stated, references to Sections of, and schedules to this Agreement. Headings are for convenience only and are not to affect the interpretation of this Agreement. 1.3 This Agreement is comprised of the following: Sections 1 to 14 Schedule 1: Compliance Notification (sample) 2 Vendor Services and obligations 2.1 Subject to the terms and conditions of this Agreement, while Vendor is in Good Standing (defined below) or as otherwise expressly approved by PCI SSC in writing, PCI SSC hereby approves Vendor to perform Vendor Services for Scan Customers in accordance with the ASV Program using those of Vendor s ASV Scan Solutions that appear on PCI SSC's then current published registry of validated ASV Scan Solutions. Vendor shall provide all reasonable assistance as well as accurate information and documentation to PCI SSC and its agents as may be needed for the purpose of Testing and the ASV Program. 2.2 Vendor shall disclose the results of the Test or any other technical information exchanged in the scope of Testing only in accordance with the provisions of Section Vendor acknowledges and agrees that it shall only advertise, offer, or use for ASV Program purposes those ASV Scan Solutions that have been Tested and qualified by PCI SSC, and that it shall use such ASV Scan Solutions in accordance with Section 5.1(b). Consequently, PCI Security Standards Council, LLC Page 21

25 Vendor shall immediately inform PCI SSC of any significant or material change in any ASV Scan Solution as provided in Section Vendor acknowledges that even though an ASV Scan Solution receives a Compliance Notification, such ASV Scan Solution shall be subject to an annual Testing maintenance process. Such annual Testing maintenance process shall ensure that such ASV Scan Solution remains capable of identifying newly reported public domain vulnerabilities. Consequently, Vendor shall submit each ASV Scan Solution for annual maintenance Testing within three (3) months upon request from PCI SSC. 2.5 Vendor shall make nonrefundable payment to PCI SSC of all applicable ASV Program Fees (defined in the ASV Qualification Requirements) in accordance with the ASV Qualification Requirements. Vendor acknowledges that PCI SSC may review and modify these fees at any time and from time to time. Whenever a change in such fees occurs, PCI SSC shall notify Vendor in accordance with the terms of Section 12 of this Agreement. Such change(s) will be effective immediately after the date of PCI SSC's notification of such changes. However, should Vendor not agree with such change(s), Vendor shall have the right to terminate this Agreement in accordance with the provisions of Section 6.2(iii) (A) at any time within thirty days of delivery of the aforementioned notice. Except to the extent otherwise expressly provided in the ASV Qualification Requirements, all ASV Program Fees must be paid in US dollars (USD) to PCI SSC as specified on the applicable PCI SSC invoice. Vendor acknowledges and agrees that the ASV Program Fees do not include any taxes, such as value added taxes (VAT), sales, excise, gross receipts and withholding taxes, universal service fund fee, or any similar tax or other government imposed fees or surcharges which may be applicable thereto. Vendor shall pay all such taxes and fees as invoiced in accordance with local law, and agrees to pay or reimburse PCI SSC for all such taxes or fees, excluding tax on PCI SSC's income. In respect of withholding tax, Vendor will pay such additional amounts as may be necessary, such that PCI SSC receives the amount it would have received had no withholding been imposed. 2.6 Vendor shall comply with all ASV Requirements and agrees to monitor the Website at least weekly for changes to the ASV Qualification Requirements and the ASV Program Guide (defined in the ASV Qualification Requirements), and to implement all such changes within 15 days of the effective dates thereof. 3 Terms and conditions of Testing 3.1 In accordance with the terms of Section 2.3 (regarding Vendor s obligationto inform PCI SSC of any significant or material change in each ASV Scan Solution), PCI SSC may in its sole discretion (i) determine that such ASV Scan Solution is deemed to remain compliant by sending a new Compliance Notification or (ii) require Vendor to (a) resubmit a modified ASV Scan Solution for a new Testing within one (1) month of receipt by PCI SSC of said information given pursuant to Section 2.3 and (b) pay all applicable ASV Program Fees for such new Testing. 3.2 Notwithstanding Section 3.1, if at any time PCI SSC believes that an ASV Scan Solution is no longer compliant with the PCI DSS, PCI SSC shall be entitled to require Vendor to resubmit such ASV Scan Solution for a new Testing within three (3) months of such request from PCI SSC and subject to Vendor s payment of all applicable ASV Program Fees. 3.3 Vendor shall have no "right of access" to any data associated with the ASV Program or Testing, except as allowed by PCI SSC under this Agreement PCI Security Standards Council, LLC Page 22