thePCI Portal

PCI DSS compliance for Service Providers

There are 4 generally accepted levels of PCI compliance assessment for a service provider, in ascending order of Service Provider effort:

 

Compliance Assessment Method Completion and signing Info Annual Service Provider relative effort Annual QSA effort
Service provider assessed as part of (each) client’s assessment None May require onsite visit. Hours/days Client’s QSA:  Hours/days
Self Assessment Questionnaire (SAQ) D for Service Providers and accompanying Attestation of Compliance (AOC) Completed by service provider.

Signed by an officer of the service provider entity.

Service provider attests that they are compliant. Hours/days None
Self Assessment Questionnaire (SAQ) D for Service Providers and accompanying Attestation of Compliance (AOC) Completed by service provider.

Signed by an officer of the service provider entity AND a PCI Qualified Security Assessor (QSA).

Service provider attests that they are compliant.

QSA verifies that the service provider understands the requirements.

Hours/days Days
Onsite Assessment.  The Report on Compliance (ROC) for Service Providers and accompanying Attestation of Compliance (AOC) Completed by a QSA.

Signed by an officer of the service provider entity AND a PCI Qualified Security Assessor (QSA).

QSA and Service provider attest that they are compliant.

QSA verifies that the controls are in place and functioning.

Eligible to be listed on Visa’s global list of compliant service providers.

 

Weeks Weeks

 

Not all customers will accept all compliance validation methods.  This varies based on a client’s risk tolerance and the services provided.

Ad below this line:

Leave a Reply

Your email address will not be published. Required fields are marked *