This question came up recently on one of the LinkedIn PCI groups and drove a lot of discussion. However, one of the things that concerned me the most is that no one belonging to this group bothered to submit the question to the PCI SSC to be answered.
When such questions come up, the first thing you should do is go to the PCI SSC Web site’s FAQ page to see if the question has already been answered. There is an amazing wealth of information contained in the FAQs.
If you search the FAQs and you do not come up with an answer to your questions, then submit your question to the PCI SSC. Technically, anyone can submit a question to the PCI SSC. However, if you are a QSA in a QSAC, the person listed in your QSAC listing should be the focal point and should submit all questions you have to the PCI SSC.
Questions are submitted to email@example.com. Expect a few days to a few weeks to get a response. Simple procedural questions such as whether an ISA can sign a ROC or SAQ like a QSA can get a response in a day or two. Questions that require the PCI SSC to formulate a position, may take a number of weeks before a response is provided.
So, can an Internal Security Assessor (ISA) sign off on a Report On Compliance (ROC) or Self-Assessment Questionnaire (SAQ)? The answer provided by Cathy Levie, Senior ISA Program Manager, PCI SSC, is as follows.
“The ISA can sign off as long as their Processor/Acquirer has approved of that. This is not up to the PCI SSC.”
In the future, if you have a question and cannot find an answer, ask the PCI SSC. When you get your answer, please post the answer to any of the PCI groups on LinkedIn or send them to me so that the rest of the PCI world can benefit from the knowledge. One of the unfortunate issues the PCI SSC has is that not all questions seem to make it into the FAQs or the FAQs are not updated as quickly.