There are 4 generally accepted levels of PCI compliance assessment for a service provider, in ascending order of Service Provider effort:
| Compliance Assessment Method | Completion and signing | Info | Annual Service Provider relative effort | Annual QSA effort |
|---|---|---|---|---|
| Service provider assessed as part of (each) client's assessment | None | May require onsite visit. | Hours/days | Client's QSA: Hours/days |
| Self Assessment Questionnaire (SAQ) D for Service Providers and accompanying Attestation of Compliance (AOC) | Completed by service provider. Signed by an officer of the service provider entity. | Service provider attests that they are compliant. | Hours/days | None |
| Self Assessment Questionnaire (SAQ) D for Service Providers and accompanying Attestation of Compliance (AOC) | Completed by service provider. Signed by an officer of the service provider entity AND a PCI Qualified Security Assessor (QSA). | Service provider attests that they are compliant. QSA verifies that the service provider understands the requirements. | Hours/days | Days |
| Onsite Assessment. The Report on Compliance (ROC) for Service Providers and accompanying Attestation of Compliance (AOC) | Completed by a QSA. Signed by an officer of the service provider entity AND a PCI Qualified Security Assessor (QSA). | QSA and Service provider attest that they are compliant. QSA verifies that the controls are in place and functioning. Eligible to be listed on Visa's global list of compliant service providers. | Weeks | Weeks |
Not all customers will accept every compliance validation method; which methods a customer accepts varies with that client's risk tolerance and the services provided.
More information on what a Service Provider's customers (who are likely Merchants) may ask for can be found in the Council's information supplement titled Third Party Security Assurance.