A tale of two PCI attestation documents

Aug 30, 2016

Critical Infrastructure | Data and Information Security | Enterprise Applications

Getting your PCI service provider's attestation of compliance (AoC) should be as easy as pie. If it's not, start worrying.

A pediatrician I know told me that after nearly 25 years in the field, he can accurately make a diagnosis within 2 minutes with 90 percent accuracy. Naturally, he still has to do a complete workup and examination, in addition to calming down the often nervous and anxious parents.

Similarly, when it comes to PCI DSS (Payment Card Industry Data Security Standard) compliance, I've found that a good indicator of a service provider's level of compliance is the ease with which they share their attestation of compliance (AoC). Let me give you two recent examples.

As an introduction, any service provider that stores, processes or transmits cardholder data (CHD) must be in compliance with PCI DSS. They must also complete an AoC attesting to that compliance. For the merchant using a service provider, PCI DSS requirement 12.8 states that they must monitor the PCI compliance of any vendor or service provider they use.

I've recently dealt with two vendors, and in both cases the manner in which I received the AoC was indicative of the true level of their PCI compliance. The first one was Spreedly. The other vendor shall remain anonymous.

Spreedly is a PCI payment provider. From their PCI Compliance page, you can easily download their AoC. They also provide links to their compliance levels at the Visa Global Registry of Service Providers and MasterCard Compliant Service Provider List.

Going from their website to the downloaded documentation took me all of 5 minutes. For those looking for a way to tokenize CHD and minimize their PCI footprint, Spreedly offers a number of excellent solutions.

Vendor #2 wasn’t so obliging in sharing their AoC. Even though this service provider is storing and transmitting CHD, there’s nothing on their compliance page about PCI. After numerous email requests, the vendor said they would only share their AoC under an NDA. When I asked why, they went into radio silence.

I was eventually able to get their AoC from my client. Once I had it, the AoC turned out to be the equivalent of a Picasso.

To start, the vendor is a service provider. Yet they filled out a PCI Self-Assessment Questionnaire (SAQ) B-IP, which is meant only for merchants who process CHD via standalone, approved point-of-interaction devices with a direct IP connection to the payment processor. This obviously was not the case here.

What they should have completed is the SAQ-D for Service Providers. Perhaps the 37 pages of the SAQ B-IP were more enticing than the 96 pages of the SAQ-D.

Once I looked at the SAQ, I quickly understood why they were so reticent about sharing it. Neither the QSA (Qualified Security Assessor) firm nor the QSA consultant was listed on the PCI web site as being certified.

In section 2e, their description of the environment was all of two sentences and extremely vague.

Part 3a, Acknowledgement of Status, requires that vulnerability scans be completed by a PCI Approved Scanning Vendor (ASV). But they never stated who the scanning vendor was, even though it's required.

Finally, part 3d, Internal Security Assessor (ISA) involvement, lists the QSA. Obviously, the QSA can't also be the ISA.

Plenty of vendors state in marketing material, on Facebook, LinkedIn and the like that they are PCI compliant. But if you really want to know how compliant they are, the ease with which they make their AoC available is often a good indicator.

You can tell a lot about a vendor by the documentation they submit, and in these two cases the documentation was quite indicative. I've found the overall state of PCI service provider documentation to be good, and the non-compliant vendor, while woefully inadequate, was somewhat of an anomaly.

For my client, who now has to deal with a non-compliant service provider, this makes their PCI program that much more difficult. And that should be a cautionary tale when selecting a PCI service provider: trust, and verify.

In a future blog piece here, I will detail what this company will now have to do, given that they have a service provider who doesn't want to play by the rules.

In these two cases, the indicator held. Your mileage may vary and, of course, as a PCI QSA you still have to complete the entire assessment.


Ben Rothke, CISSP, CISM, CISA is a Senior Information Security Manager at Tapad and has over 20 years of industry experience in information systems security and privacy. He's the co-author of the recently published book The Definitive Guide to PCI DSS Version 4: Documentation, Compliance, and Management.