Choosing a PCI compliant, Level 1 service provider

Organizations can improve their compliance status and reduce the internal burden of compliance by carefully choosing PCI compliant service providers. Selecting the right provider for your company requires careful attention to detail since there is a wide variety of service providers and levels of services they offer. This guide is intended to assist you in that evaluation process.

The key question: Does the service provider have a current PCI DSS Attestation of Compliance (AOC)?

Knowing a provider has (and is willing to share) a current AOC demonstrates awareness of the complexities of PCI compliance and is a great first step in evaluating whether they are right for your organization. If a provider does not have a current AOC, this does not necessarily mean you can’t use their services; however, it does place a higher burden on your organization when it comes time for your annual audit.

If the service provider has a current Attestation of Compliance:

Can they share it with you?
Many companies will ask you to sign a non-disclosure agreement (NDA) first since the AOC can contain sensitive information, but they should be willing to share it with you.
Is it current, and when is it up for renewal?
AOCs are completed annually, so if the date on the AOC is coming up soon, ask the service provider what they are doing to renew their AOC.
What is in their scope (Section 1, Part 2)?
The executive summary of what’s covered by the AOC in Part 2 gives you a good idea of what services from the provider have been assessed. Do you see the services you are purchasing listed in the AOC? Additionally, is the service provider saying, “you can be compliant with our services” or “we provide compliant services?” — there’s a subtle but important difference!
Does the service provider have a roles and responsibilities matrix (R&R) to complement the AOC?
Most service providers have an extended R&R that details line by line in the PCI DSS how their services help merchants with their compliance goals.

If the service provider DOES NOT have a current Attestation of Compliance:

Do they have plans to become compliant?
Do they have any other similar compliance certifications (i.e., SOC II)?
Are they aware of the PCI compliance requirements?
Are they willing to speak to your auditor?
Have other customers gained PCI compliance with their services?
Can they describe how they secure your data and contribute to your compliance?
What types of background checks are performed on authorized employees who will have access to your data and/or support your services?
Do they have regular security scans performed by a third party?
Do they have an incident response plan?
Do they have healthy practices for identity verification and documentation of support requests?
Do they have accurate documentation regarding their services?
Do they keep your data in a multi-tenant or single-tenant platform?
One is not necessarily inherently better than the other. However, if the burden of compliance is being shifted to your organization, there can be advantages to a single-tenant platform.
Are they acquiring, transmitting, processing, or storing any cardholder data as part of the services you’ll be purchasing from them?
If so, and they don’t have a current AOC or are not in the process of obtaining one, you should proceed cautiously with your evaluation.

Bottom Line

Choosing a PCI Compliant Level 1 Service Provider is a key decision in your organization’s compliance strategy. Ensuring your service provider has a current Attestation of Compliance, with adequate coverage for the services you are purchasing from them, is the best way to improve your compliance and reduce your audit burden.

To learn more about choosing a PCI compliant, Level 1 service provider, contact Acumera at sales@acumera.net or 512.687.7410.