April 2021

In this issue:

  • RFCs Coming Soon!
  • New Terminal Software Module Introduced in PCI Secure Software Standard Version 1.1
  • New PA-DSS Application Submission Deadline: Top 5 Things Assessors Need to Know
  • New Technical FAQs for PCI 3DS Core and PCI 3DS SDK Security Standards
  • Reminder: Reduced Industry Certification Requirements Ending Soon
  • Digital Badging Coming Soon!
  • Just Published: Optional P2PE Solution Inventory Template
  • QSA Program Changes
  • P2PE Qualification Requirements with Changes for PA-QSA(P2PE) Published
  • CPSA and QPA Audits
  • The QSA Annual QA Questionnaire has launched!
  • FAQ #1325
  • Register for the 2021 PCI SSC Security Summit: India
  • Save the Date: PCI SSC Announces Global Online Event
  • Register for the Q2 All Assessor Webcast on Thursday 15 June 2021
  • Hurry! Register for Point-to-Point Encryption v3 Assessor (P2PE) Training on 13 May
  • Take SSF Training Before the PA-DSS Deadline for Payment Application Validations
  • Upcoming Instructor-led Training Schedule
  • Corporate Group Training is Available via eLearning

A Message from Elizabeth Terry, Senior Manager, Community Engagement

Happy Spring, Assessors!

As we enter the second quarter of 2021, we are starting our preparations for our PCI SSC community events. From our security summits that kicked off recently in South Africa to the recently announced PCI SSC Global Community Forum, we are reviewing speaker submissions and planning the agendas for our online events. More information on our Global Community Forum will be available soon!

We recently published the Secure Software Standard v1.1, Terminal Software Module, completing the initial expansion of the Software Security Framework. We encourage you to review the latest version of the document in the document library. We will be discussing this topic on the next quarterly webcast in June.

For all P2PE assessors, the first P2PE v3 eLearning class will be on 13 May and there is still time to register. We have also opened the eLearning training calendar up to August 2021 and classes are open for registration. Be sure to check the training schedule for full details on upcoming trainings. We hope to see you in class soon!

Enjoy reading more about what’s happening at the Council below.

Sincerely,

Elizabeth Terry
Senior Manager, Community Engagement


PCI News & Program Updates

RFCs Coming Soon!
Here are the upcoming Request for Comment Periods (RFCs) for this quarter with expected timeframes:

  • P2PE v3.1 Draft Standard - Minor Revision: May / June 2021
  • PCI DSS v4.0 Draft Validation Documents: June 2021
    • Report on Compliance (ROC) Reporting Template
    • Attestation of Compliance (AOC)
    • Self-Assessment Questionnaires (SAQs)
  • PCI Card Production v3 Draft Standard RFC2: June / July 2021
  • PCI PTS HSM v4 Draft Standard RFC2: June / July 2021

For more information on RFCs and eligibility for participation, please visit the RFC page on our website or our blog for details.

> More on RFC


New Terminal Software Module Introduced in PCI Secure Software Standard Version 1.1
Recently, PCI SSC published version 1.1 of the PCI Secure Software Standard and its supporting program documentation. The PCI Secure Software Standard is one of two standards that are part of the PCI Software Security Framework (SSF). The PCI Secure Software requirements provide assurance that payment software is designed, engineered, developed, and maintained in a manner that protects payment transactions and data, minimizes vulnerabilities, and defends itself from attacks.

Version 1.1 of the PCI Secure Software Standard introduces the Terminal Software Module, a new security requirements module for payment software intended for deployment and operation on PCI-approved PIN Transaction Security (PTS) Point-of-Interaction (POI) devices. Software intended for deployment and operation on other platforms is not affected by the new requirements.

To support the addition of the Terminal Software Module, as well as future modules, the SSF Assessor Qualification Requirements have also been updated to include module training and exam requirements.

The PCI Secure Software Standard v1.1 also addresses errata, adds minor clarifications, and aligns key terms and definitions across the Standard and program documentation.

Download PCI Secure Software Standard v1.1

> Read more on the blog


New PA-DSS Application Submission Deadline: Top 5 Things Assessors Need to Know
As part of the PA-DSS Program closure, new PA-DSS submissions will not be accepted after 30 June 2021. This date marks the cutoff to submit new payment software products for PA-DSS validation and listing. To aid in planning and timing activities related to this milestone, here are the top 5 things Assessors need to know:

  1. Submissions must be complete (i.e., all required documentation supplied and submitted for review) and have a paid invoice to be accepted and placed in the queue for PCI SSC review. PA-DSS Submissions that are incomplete (in a draft state) or do not have a paid invoice by end of day (8pm EST) 30 June 2021 will be closed at that time.
  2. Submissions in the queue for review by PCI SSC will have until 30 September 2021 to complete.
  3. A paid invoice will not act as a placeholder for a draft submission to allow it to be completed after the 30 June 2021 deadline. As a reminder and as stated in the PA-DSS Program Guide, PA-DSS Payment Application Acceptance fees are non-refundable. Moreover, payments will be forfeited if the submission is incomplete after the deadline.
  4. A new PA-DSS Submission that did not meet the deadline cannot be reclassified as a High Impact Change Submission. Only listed PA-DSS payment applications will be permitted to use the existing PA-DSS support/change processes from 1 July 2021 until the PA-DSS Program closes 28 October 2022.
  5. Any new PA-DSS submissions that are validated and listed between now and 30 June 2021 will have an expiry date of 28 October 2022 when the PA-DSS Program is scheduled to close. After that date, these applications will be moved to the “Acceptable Only for Pre-Existing Deployments” tab on the List of Validated Payment Applications. Changes to these listings will be supported per the normal process until PA-DSS Program closure at the end of October 2022.

PCI SSC is here to provide support for questions; however, it is the Assessor’s responsibility to relay this information directly to the vendors they work with on PA-DSS submissions.

If you do have questions, please reach out to: pa-dss@pcisecuritystandards.org

> Read more on the blog


New Technical FAQs for PCI 3DS Core and PCI 3DS SDK Security Standards
The PCI Security Standards Council recently published two new Technical FAQ documents for the PCI 3-D Secure (3DS) Core and SDK security standards:

  • PCI 3DS Core v1.x Technical FAQs – April 2021
  • PCI 3DS SDK v1.x Technical FAQs – April 2021

As with all PCI SSC Technical FAQ documents, these Technical FAQs provide answers to questions regarding the application of security requirements defined within their respective security standards. Technical FAQs are an integral part of those requirements and are intended to be considered as part of assessments to the PCI 3DS Core and PCI 3DS SDK security standards, respectively.

These 3DS Core and SDK Technical FAQ documents can be found here in the PCI SSC Document Library.

> More information


Reminder: Reduced Industry Certification Requirements Ending Soon
Until 30 June 2021, Secure Software Assessor candidate applications from eligible PA-QSAs and PA-QSA (P2PE)s are not required to have “List C – Software Development” industry-recognized, professional certifications. Beginning 1 July 2021, all Secure Software Assessor candidates, and all Secure Software Assessors who requalify on or after 1 July 2021, must possess at least one industry-recognized certification from List A – Information Security OR List B – Audit AND at least one certification from List C – Software Development.

Please refer to the Software Security Framework Qualification Requirements for Assessors, v1.1 for the full list of qualifying certifications.

Thank you to those Secure Software Assessors who have obtained the necessary List C certification and have added this detail to their Consolidated Statement via the Portal. For all others, note that you do not need to wait until your requalification date to update your information if you already possess the certification.

> Read more on the blog


Digital Badging Coming Soon!
PCI SSC has partnered with Credly to offer digital badges as a way for individuals to share their achievements and to promote an individual’s abilities. Badges are web-enabled versions of certifications that can be verified in real time, online through a trusted platform. Just like badges an assessor may receive for their ISACA or ISC² certifications, PCI SSC will be providing badging to those certified through any of the PCI SSC programs.

You will be notified by email when your badge is available to claim. In the meantime, watch this space for updates!

> More information


Just Published: Optional P2PE Solution Inventory Template
The PCI Security Standards Council has published an optional P2PE Solution Inventory Template. This template can be found in the PCI SSC document library.

This optional template is intended to provide merchants, QSAs, Solution Providers, etc. a standardized, consistent, and comprehensive means to capture information about a P2PE Solution implemented in a merchant environment where the solution, in whole or in part, is expired.

This template is not submitted to the PCI SSC and is not required for the PCI SSC P2PE Standard or Program. Contact the payment brands and/or acquirer regarding the use of the optional P2PE Solution Inventory Template.

For more information, refer to the following PCI SSC Blog Post.

> More information


QSA Program Changes
As reported in last month’s newsletter, new program documents, the updated QSA Qualification Requirements and QSA Program Guide, were published in March. The documents can be found in the Document Library and are available for your review.

Please be aware that as of March 24, 2021, QSAs are no longer required to report CPEs to the PCI SSC since they already have two active industry certifications that require CPEs. This change currently only applies to QSAs.

Additional clarifications on two of the new requirements added to the QSA Program, based on industry feedback, include:

  • QA reviewers within QSA Companies must possess at least one PCI SSC credential (QSA, AQSA, ISA, or PCIP):
    • This requirement is future dated one year and will apply to the QA reviewer that has final signoff on the Report on Compliance (ROC).
    • The expectation is that a QA reviewer with a PCI SSC credential reads the report top-to-bottom; however, this does not preclude use of additional QA resources without a PCI SSC credential to provide additional reviews (e.g., spelling, grammar). Such reviews should occur before the final signoff by a QA reviewer with a PCI SSC credential.
  • QSAs can only perform assessments using versions of the standard for which they have received PCI SSC training:
    • This requirement only applies to major releases of the standard; it does not apply to minor revisions.
    • Once a QSA completes the PCI DSS v4 Transitional Training, an indicator will be added to the QSA Assessor listing on the Website.

You can see the new documents here. If you have any questions, please contact the QSA Program Manager at qsa@pcisecuritystandards.org.

> More information


P2PE Qualification Requirements with Changes for PA-QSA(P2PE) Published
A revision to the P2PE Qualification Requirements was published on 31 March 2021, primarily to provide flexibility in the requirements for the P2PE application assessors.

At a high level, until the PA-DSS program closes in October 2022, P2PE application assessor qualification options will allow either the PA-QSA Qualification Requirements or the new Secure Software Assessor Qualification Requirements. After 28 October 2022, all P2PE application assessors must meet the Secure Software Assessor qualifications.

Changes to the PA-QSA(P2PE) Company and Assessor requirements include the following:

  • Assessor Company requirements will provide the option to become either a PA-QSA Company or a Software Security Framework Company (or both).
  • A candidate PA-QSA(P2PE) will be required to be a PA-QSA or a Secure Software Assessor.
  • A candidate Assessor Company or PA-QSA(P2PE) will be required to have completed either two PA-DSS Assessments or two Secure Software Assessments (or one of each).

Please note, before 30 June 2021, PA-QSAs will not be required to have the ‘List C – Software Development’ industry-recognized professional certification to apply to be a Secure Software Assessor and will have until their next requalification date after 30 June 2021 to satisfy this requirement. No exceptions will be made to this requirement; we recommend proper planning in advance of these dates.

View the new P2PE Qualification Requirements here.

Please contact the P2PE Program Manager at P2PE@pcisecuritystandards.org if you have any questions.

> More information


CPSA and QPA Audits
PCI SSC’s Assessor Quality Management (AQM) will initiate the first QPA and CPSA assessor company audits in Q2 2021, as defined in Section 6 of the QPA Qualification Requirements and the CPSA Qualification Requirements.

AQM audits for QPAs and CPSAs will follow the same approach as the existing QSA audit process for PCI DSS assessments and include a holistic review of the following:

  • Assessor Company’s internal documentation including the QA Manual, Evidence (Workpaper) Retention Policy, Security Incident Response Plan and Code of Conduct Policy.
    Note, if the company currently participates in other PCI Programs, existing internal quality assurance processes and quality assurance manual(s) may be updated to reflect additional programs, or separate processes and separate quality assurance manual(s) may be used.
  • PIN ROCs and CPSA ROCs, redacted in accordance with PCI SSC policy.
  • Sample of Evidence/Workpapers collected for the assessment(s).

Please take this opportunity to review your documentation and internal QA processes to ensure they adequately and effectively address QPA and/or CPSA assessments, as appropriate, and address all required elements (as defined in Section 4 of each program’s Qualification Requirements).

> More information


The QSA Annual QA Questionnaire has launched!
The first round of QSA Annual QA Questionnaires has been distributed through the PCI SSC Portal. As a reminder, PCI SSC will initiate a batch of QSA Annual QA Questionnaires to a subset of QSA Companies on the 1st day of each month. As of the March 1, 2022 batch, each QSA Company will have received a questionnaire to complete. The process will then restart, with the April 1, 2022 batch expected to contain the QSA Companies who received their first questionnaire in the April 1, 2021 batch.

In a previous newsletter article, PCI SSC stated that once the questionnaire is initiated in the Portal, the QSA Primary Contact would have 30 days to complete the QSA Annual QA Questionnaire. However, in response to QSA feedback, we have increased the time for the Primary Contact to complete the questionnaire to 60 days.

Please note that instructions for completing the QSA Annual QA Questionnaire, including a copy of all questions, are available on-demand in the Resource Center in the Portal under “Additional Resources.” The form includes an editable section for questions to assist the QSA Primary Contact in gathering relevant data before uploading to the Portal. We encourage QSA Companies to review the questions immediately in case there are data points the QSA Company is not already gathering that it may need to gather.

> Visit the PCI SSC portal


FAQ of the Month

FAQ #1325:
Does PCI SSC provide a “PCI DSS Compliant” logo?
PCI SSC does not issue an official PCI seal, mark or logo that companies can use when they achieve PCI DSS compliance. Please note that the PCI logo is a registered trademark and may not be used without authorization. You may not use the marks PCI Compliant, PCI Certified, PCI DSS Compliant, PCI DSS Certified or PCI with check marks or any other mark or logo that suggests or implies compliance or conformance with our standards. If your company is a member of one of PCI SSC's programs, i.e. PO, QSA, ASV, ISA, or QIR, please contact your Program Manager who can provide a program logo that can be used for members of that program only. Note that authorized use of an applicable PCI logo by a program member is not an indication of that organization’s PCI compliance status or an endorsement by PCI SSC.

> View the FAQ


Participation Opportunities

Register for the 2021 PCI SSC Security Summit: India
Join the PCI Security Standards Council and invited guests for a special free online program for payment security professionals in India. The PCI SSC Security Summit: India is scheduled for Thursday, 3 June 2021 and will include updates from the Council, regional insights, and a panel discussion with local industry leaders.

Continue to check the PCI SSC website for more information. Be sure to mark your calendars and register for this free program today!

> More information


Save the Date: PCI SSC Announces Global Online Event
PCI SSC is excited to announce the most important global online event for the payment card industry. New this year, the PCI SSC Global Community Forum will bring together industry experts from all over the world to share the latest in information security, update you on changes to PCI standards and programs, and offer opportunities to network with peers. The PCI SSC Global Community Forum will take place online from Tuesday, 26 October – Thursday, 28 October.

This global online event held over the course of three days will include all the things you expect from PCI SSC events: important Council updates, regional insights, opportunities for feedback, networking, and fun engagement activities. Given the uncertainty of travel and international border restrictions, the Council has made the decision to offer this online event with dedicated days for each region presented in local time zones and cancel its 2021 in-person Community Meetings in North America, Europe, and Asia-Pacific.

Be sure to check our event website for the most up-to-date information for registration and details.

> PCI SSC Event Information


Register for the Q2 All Assessor Webcast on Thursday 15 June 2021
Now is the time to register for the Q2 All Assessor Webcast on Tuesday, 15 June 2021. This is your opportunity as an assessor to hear about the latest updates and initiatives the Council has been working on. The webcast will now be presented in a 90-minute format and will feature an extended live Q&A session to address questions we receive during the webcast as well as questions submitted in Q1.

> Register here


Training

Hurry! Register for Point-to-Point Encryption v3 Assessor (P2PE) Training on 13 May
Registration is now open for P2PE v3 training classes delivered in eLearning format! As a reminder, eLearning is a combination of computer-based training and live instructor-led training.

The Point-to-Point Encryption Assessor program teaches you how to perform assessments of entities in accordance with version 3 of the PCI Point-to-Point Encryption Standard.

The next instructor-led P2PE v3 training class will be 13 May 2021.

Register here

> More information


Take SSF Training Before the Reduced Industry Certifications Deadline
Software Security Framework Assessors (SSF Assessors) are independent security organizations that are qualified by PCI SSC to perform assessments to the Secure Software Standard, the Secure SLC Standard or both.

Eligible organizations can apply now to become SSF Assessor Companies by visiting the Secure SLC Assessor or Secure Software Assessor pages on the PCI SSC website and following the steps outlined in the registration process.

Important information: Please be aware that these are the ONLY instructor-led classes being offered before the reduced industry certifications deadline. Take advantage of these upcoming classes to get your team trained before the deadline. These online classes are available for qualification or informational training.

Hurry: This is your last chance for SSF training before the reduced industry certifications deadline!

Informational training is for individuals who would like to increase their knowledge but do not necessarily need to achieve qualification. This training is a great fit for any individual who may want to understand what the standard and program entail, what to expect from an assessment, but who does not need or want to qualify as an assessor for that program. Participating Organizations receive discounts for informational classes!

> More on the Secure SLC program
> More on the Secure Software Assessor program


Upcoming Instructor-led Training Schedule
The 2021 training schedule is current through August 2021. The training classes and the exams will be conducted as remote Instructor-Led Training or eLearning. The classes are a combination of computer-based training as well as an instructor-led session that must be completed prior to the exam. The exam will be delivered remotely using a proctoring service or can be taken at a local Pearson Vue location, if available.

3DS Assessor:
8 July: 12:00 - 18:00 BST

Internal Security Assessor Training (ISA):
2 June: 9:00 - 17:00 BRT - Class conducted in Portuguese.
7-8 June: 8:00 - 16:00 JST - Class conducted with Japanese language translation.
23 June: 10:00 - 17:00 EDT - Class conducted in Spanish.
29 June: 9:00 - 17:00 EDT
29 July: 10:00 - 18:00 EDT - Class conducted in Spanish.
11 August: 9:00 - 17:00 EDT

P2PE V3 Assessor:
13 May: 9:00 - 17:00 EDT - Hurry!
27 July: 9:00 - 17:00 EDT

Qualified PIN Assessor (QPA):
9 June: 9:00 - 17:00 EDT
17 August: 9:00 - 17:00 EDT

Qualified Security Assessor (QSA):
25 May: 17:00 - 1:00 EDT (26 May: 7:00 - 15:00 AEST) - Hurry!
16 June: 9:00 - 17:00 BST
5 August: 9:00 - 17:00 EDT
7 September: 8:00 - 16:00 JST - Class conducted with Japanese language translation.

Qualified PIN Assessor (CPSA):
17 June - Logical: 9:00 - 17:00 EDT
18 June - Physical: 9:00 - 17:00 EDT

Registration for all classes is open and seats are filling fast!

> More information


Corporate Group Training is Available via eLearning
Get your team trained online in 2021! We are pleased to offer all our PCI training programs via eLearning with remote exam for organizations wishing to train their teams remotely. Corporate Group Training offered as eLearning incorporates a combination of computer-based training as well as remote instructor-led training sessions with online exam.

> More information


Subscribe to the Blog

Keep up to date with PCI SSC blog notifications delivered straight to your email inbox. Subscribe here.

> Subscribe to the blog


Events

PCIP Q2 Webcast
20 May - Webcast

Security Summit: India
3 June - Online

Latin America Forum
12 August - Online

PCI SSC Global Community Forum
26 - 28 October - Online

> View all upcoming events


FAQ of the Month Archives

March 2021: FAQ 1491

February 2021: FAQ 1492

January 2021: FAQ 1486

November 2020: FAQ 1485

October 2020: FAQ 1146

September 2020: FAQ 1483

August 2020: FAQ 1477

July 2020: FAQ 1091

June 2020: FAQ 1481

May 2020: FAQ 1333

April 2020: FAQ 1210

> View all FAQs