thePCI Portal

Does your service provider know what PCI DSS is?

Sometimes your service providers are not up to speed on how to comply with PCI DSS. A telltale sign is a service provider completing an SAQ A-EP, which is a merchant questionnaire (the only self-assessment questionnaire a service provider is eligible to use is SAQ D for Service Providers). The table below can help you judge how PCI aware a provider is. The relative value of a service provider's assessment verification method declines as you progress down the table.

Service provider says they are compliant via: Onsite Report on Compliance (ROC) by a QSA
Ask them for: Attestation of Compliance for Onsite Assessments – Service Providers, Version 3.2, signed by an officer of the organization AND a QSA.
Comment: Gold standard for service provider compliance. They might even be listed on Visa's global service provider list. If the service they provide you is listed as assessed in the form and the dates are current, you are in a great place.

Service provider says they are compliant via: Service Provider Self-Assessment form, reviewed by a QSA
Ask them for: Attestation of Compliance for Service Providers from Self-Assessment Questionnaire D, signed by an officer of the organization AND a QSA.
Comment: The QSA didn't verify that all controls were in place, but at least verified that the assessed entity understood the intent of the controls. If the service they provide you is listed as assessed in the form and the dates are current, you are in a good place.

Service provider says they are compliant via: Service Provider Self-Assessment form, self-signed
Ask them for: Attestation of Compliance for Service Providers from Self-Assessment Questionnaire D, signed by an officer of the organization.
Comment: They filled out the right form, and an officer of the company says they are compliant. If the service they provide you is listed as assessed in the form and the dates are current, you are in an OK place.

Service provider says they are compliant via: Merchant Self-Assessment form (for example, SAQ A-EP)
Ask them for: A meeting to explain.
Comment: Wrong form for your needs. It may be the right form for something the service provider does for its own payment acceptance, or they may simply have filled out the wrong form. Either way, it does not attest to the service they provide you.

Call your PCI DSS trusted advisor!
