
Organizations can improve their compliance status and reduce the internal burden of compliance by carefully choosing PCI compliant service providers. Selecting the right provider for your company requires careful attention to detail since there is a wide variety of service providers and levels of services they offer. This guide is intended to assist you in that evaluation process.
The key question: Does the service provider have a current PCI DSS Attestation of Compliance (AOC)?
Knowing a provider has (and is willing to share) a current AOC demonstrates awareness of the complexities of PCI compliance and is a great first step in evaluating whether they are right for your organization. If a provider does not have a current AOC, this does not necessarily mean you can’t use their services; however, it does place a higher burden on your organization when it comes time for your annual audit.
If the service provider has a current Attestation of Compliance:
- Can they share it with you?
Many companies will ask you to sign a non-disclosure agreement (NDA) first, since the AOC can contain sensitive information, but they should be willing to share it with you.
- Is it current, and when is it up for renewal?
AOCs are completed annually, so if the date on the AOC is coming up soon, ask the service provider what they are doing to renew it.
- What is in their scope (Section 1, Part 2)?
The executive summary in Part 2 of what the AOC covers gives you a good idea of which of the provider's services have been assessed. Do you see the services you are purchasing listed in the AOC? Also note whether the service provider is saying “you can be compliant with our services” or “we provide compliant services”: there is a subtle but important difference!
- Does the service provider have a roles and responsibilities matrix (R&R) to complement the AOC?
Most service providers have an extended R&R that details, line by line through the PCI DSS, how their services help merchants meet their compliance goals.
If the service provider DOES NOT have a current Attestation of Compliance:
- Do they have plans to become compliant?
- Do they have any other similar compliance certifications (e.g., SOC 2)?
- Are they aware of the PCI compliance requirements?
- Are they willing to speak to your auditor?
- Have other customers gained PCI compliance with their services?
- Can they describe how they secure your data and contribute to your compliance?
- What types of background checks are performed on authorized employees who will have access to your data and/or support your services?
- Do they have regular security scans performed by a third party?
- Do they have an incident response plan?
- Do they have healthy practices for identity verification and documentation of support requests?
- Do they have accurate documentation regarding their services?
- Do they keep your data in a multi-tenant or single-tenant platform?
One is not necessarily inherently better than the other. However, if the burden of compliance is being shifted to your organization, there can be advantages to a single-tenant platform.
- Are they acquiring, transmitting, processing, or storing any cardholder data as part of the services you’ll be purchasing from them?
If so, and they don’t have a current AOC or are not in the process of obtaining one, you should proceed cautiously with your evaluation.
Other general questions to ask include:
- Do they have references or client recommendations?
- Has their company ever experienced a data breach? If so, how did they respond?
- Does their company have any complaints filed against them with an entity like the Better Business Bureau?
Bottom Line
Choosing a PCI Compliant Level 1 Service Provider is a key decision in your organization’s compliance strategy. Ensuring your service provider has a current Attestation of Compliance, with adequate coverage for the services you are purchasing from them, is the best way to improve your compliance and reduce your audit burden.
To learn more about choosing a PCI compliant, Level 1 service provider, contact Acumera at sales@acumera.net or 512.687.7410.