The case against certificates of compliance:
- They aren’t a real thing. The AOC (attestation of compliance) is a real thing. Please don’t ask your service providers for a certificate of compliance.
- You will make the PCI Guru angry. He correctly guides us to FAQ 1220 and thinks they aren’t worth the paper they are printed on (no thoughts if that extends to linking to them on your website though.) If you purport them to have any meaning, things will get ugly. And the council is very clear in the FAQ that they have no value and that only council supplied forms should be used for the purposes of compliance validation.
The case for certificates of compliance:
- They are usually pretty. They can have the date of the next required assessment on them. 2 reasons to hang them on a wall.
- Some people request them. They have been getting them for years and now demand them. (I know they shouldn’t).
- And probably the top reason for certificates is the council’s document titled “Ten Common Myths of PCI DSS” (from 2008?). Myth #2 reads:
Outsourcing simplifies payment card processing but does not provide automatic compliance. Don’t forget to address policies and procedures for cardholder transactions and data processing. Your business must protect cardholder data when you receive it, and process charge backs and refunds. You must also ensure that providers’ applications and card payment terminals comply with respective PCI standards and do not store sensitive cardholder data. You should request a certificate of compliance annually from providers.
Uh, Maybe step #1 would be to get this document pulled down or amended before reporting QSAC’s to the council? (Doc is still online and Bing’s #1 result for relevant search terms as of April 2018).
The moral of the story is DO NOT USE CERTIFICATES OF COMPLIANCE FOR THE PURPOSES OF COMPLIANCE VALIDATION! (Or diplomas as proof of education. Or resumes as proof of experience. Or a list of references as a reference. And don’t believe everything you read on the internet either.)
Ad below this line: