Service Providers

By Brittany Ward, 2014-04-30 22:43

Attestation of Compliance Service Providers

    Payment Card Industry (PCI)

    Data Security Standard

    Attestation of Compliance for

    Onsite Assessments Service Providers

    Version 2.0

    October 2010

Instructions for Submission

    The Qualified Security Assessor (QSA) and Service Provider must complete this document as a declaration of the
    Service Provider’s compliance status with the Payment Card Industry Data Security Standard (PCI DSS). Complete
    all applicable sections and submit to the requesting payment brand.

Part 1. Service Provider and Qualified Security Assessor Information

    Service Provider Organization Information

    Company Name: DBA(s):

    Contact Name: Title:

    Telephone: E-mail:

    Business Address: City:

    State/Province: Country: Zip:


Qualified Security Assessor Company Information

    Company Name:

    Lead QSA Contact Name: Title:

    Telephone: E-mail:

    Business Address: City:

    State/Province: Country: Zip:


Part 2. PCI DSS Assessment Information

    Part 2a. Services Provided that WERE INCLUDED in the Scope of the PCI DSS Assessment

    (check all that apply)

    Tax/Government Payments
    Fraud and Chargeback Services
    Payment Processing-POS
    Payment Processing-Internet
    Payment Processing-ATM
    Payment Processing-MOTO
    Issuer Processing
    Payment Gateway/Switch
    Clearing and Settlement
    3-D Secure Hosting Provider
    Account Management
    Loyalty Programs
    Back Office Services
    Prepaid Services
    Merchant Services
    Hosting Provider Web
    Managed Services
    Billing Management
    Hosting Provider Hardware
    Network Provider/Transmitter
    Records Management
    Data Preparation
    Others (please specify):

    List facilities and locations included in PCI DSS review:

Part 2b. Relationships

    Does your company have a relationship with one or more third-party service providers (for example, gateways, web-hosting companies, airline booking agents, loyalty program agents, etc.)? Yes No

Part 2c. Transaction Processing

    How and in what capacity does your business store, process and/or transmit cardholder data?

    Please provide the following information regarding the Payment Applications your organization uses:

PCI DSS Attestation of Compliance for Onsite Assessments Service Providers, Version 2.0 October 2010

    Copyright © 2010 PCI Security Standards Council LLC Page 2

    Payment Application in Use | Version Number | Last Validated according to PABP/PA-DSS

Part 3. PCI DSS Validation

    Based on the results noted in the Report on Compliance (“ROC”) dated (date of ROC), (QSA Name) asserts

    the following compliance status for the entity identified in Part 2 of this document as of (date) (check one):

    Compliant: All requirements in the ROC are marked “in place,” [1] and a passing scan has been
    completed by the PCI SSC Approved Scanning Vendor (ASV Name), thereby (Service Provider Name)
    has demonstrated full compliance with the PCI DSS (insert version number).

     Non-Compliant: Some requirements in the ROC are marked “not in place,” resulting in an overall

    NON-COMPLIANT rating, or a passing scan has not been completed by a PCI SSC Approved Scanning

    Vendor, thereby (Service Provider Name) has not demonstrated full compliance with the PCI DSS.

    Target Date for Compliance:

    An entity submitting this form with a status of Non-Compliant may be required to complete the Action

    Plan in Part 4 of this document. Check with the payment brand(s) before completing Part 4, since not all

    payment brands require this section.

    Part 3a. Confirmation of Compliant Status

    QSA and Service Provider confirm:

    The ROC was completed according to the PCI DSS Requirements and Security Assessment

    Procedures, Version (insert version number), and was completed according to the instructions therein.

    All information within the above-referenced ROC and in this attestation fairly represents the results of

    the assessment in all material respects.

    The Service Provider has read the PCI DSS and recognizes that they must maintain full PCI DSS

    compliance at all times.

    No evidence of magnetic stripe (that is, track) data [2], CAV2, CVC2, CID, or CVV2 data [3], or PIN data [4]
    storage after transaction authorization was found on ANY systems reviewed during this assessment.

Part 3b. QSA and Service Provider Acknowledgments

Signature of Service Provider Executive Officer: Date:

    Service Provider Executive Officer Name: Title:

    Signature of Lead QSA: Date:

    Lead QSA Name: Title:

[1] “In place” results should include compensating controls reviewed by the QSA. If compensating controls are determined to
    sufficiently mitigate the risk associated with the requirement, the QSA should mark the requirement as “in place.”

[2] Data encoded in the magnetic stripe or equivalent data on a chip used for authorization during a card-present transaction.
    Entities may not retain full magnetic stripe data after transaction authorization. The only elements of track data that
    may be retained are account number, expiration date, and name.

[3] The three- or four-digit value printed on the signature panel or face of a payment card used to verify card-not-present
    transactions.

[4] Personal Identification Number entered by cardholder during a card-present transaction, and/or encrypted PIN block present
    within the transaction message.


Part 4. Action Plan for Non-Compliant Status

    Please select the appropriate “Compliance Status” for each requirement. If you answer “No” to any of

    the requirements, you are required to provide the date Company will be compliant with the requirement

    and a brief description of the actions being taken to meet the requirement. Check with the payment brand(s) before completing Part 4 since not all payment brands require this section.


    PCI DSS Requirement | Description | Compliance Status (Select One) | Remediation Date and Actions (if Compliance Status is “No”)
    1 | Install and maintain a firewall configuration to protect cardholder data. | Yes / No |
    2 | Do not use vendor-supplied defaults for system passwords and other security parameters. | Yes / No |
    3 | Protect stored cardholder data. | Yes / No |
    4 | Encrypt transmission of cardholder data across open, public networks. | Yes / No |
    5 | Use and regularly update anti-virus software. | Yes / No |
    6 | Develop and maintain secure systems and applications. | Yes / No |
    7 | Restrict access to cardholder data by business need to know. | Yes / No |
    8 | Assign a unique ID to each person with computer access. | Yes / No |
    9 | Restrict physical access to cardholder data. | Yes / No |
    10 | Track and monitor all access to network resources and cardholder data. | Yes / No |
    11 | Regularly test security systems and processes. | Yes / No |
    12 | Maintain a policy that addresses information security. | Yes / No |

