A lot of companies, from small businesses to Fortune 500s, have to deal with the Payment Card Industry Data Security Standard (PCI DSS). Depending on your size and business processes, a lot of your work with PCI could simply be verifying that third-party service providers maintain PCI compliance. But we’ve seen that even something so seemingly straightforward can be confusing for those in charge of compliance. Specifically, it can be hard to understand exactly what makes a company “PCI compliant” and how you should verify that. Is there a flashy seal on the website? Do they have to provide some sort of standardized documentation? Is a PowerPoint slide that says “Don’t worry, we’re compliant” enough?
What to Ask for to Verify PCI Compliance
There’s really only one right answer here, and it’s their AOC. A company’s AOC, or Attestation of Compliance, is their formal proof that they are in compliance with PCI DSS requirements. You can access and view what the most recent versions of these forms look like here. This document will show:
- An overview of the in-scope environment and business processes
- What level they’ve been assessed at (Self-Assessment or formal Level 1 Assessment with third-party validation)
- What specific requirements and sub-requirements they attest to being compliant (or non-compliant) with
- When their last assessment was performed
Who Should I Get an AOC From?
Any third-party service providers your company works with that are involved in the storage, transmission, or processing of cardholder data for you, or that could affect the security of that cardholder data, should be a part of your compliance monitoring program. It should be part of your maintenance program to request an updated AOC from all service providers on an annual basis. This documentation should then be kept on file internally. Additionally, as discussed above, you should be very wary of any company that provides you with anything besides an AOC as verification that they are PCI compliant. The AOC is specifically made for sharing with third parties to prove compliance, so there is no good reason they shouldn’t provide it to you.
Ensuring your service providers are PCI compliant and actively tracking their compliance is an important and often overlooked part of meeting PCI requirements. Most of the time, this aspect is just a small part of your overall compliance program, and you should be considering things like security testing as well. We’ve also previously explored some of the best ways to boost the compliance level of your PCI program. As always, we’re here to answer any questions you may have regarding compliance. We’d be happy to help “demystify” any aspect of the PCI DSS or help you on your journey to compliance in any way we can, so please reach out.