Apparently, a bad practice started a number of years ago is appearing in other parts of the world. That practice is PCI Compliance Certificates.
I wrote a post a number of years ago about this practice and provided the direct quote from the PCI SSC’s FAQ on the subject. If you need more proof, go to the PCI SSC Web site and click on FAQ and search for ‘PCI DSS Compliance Certificate’.
This is a marketing ploy and it needs to stop.
These certificates are not worth the paper they are printed on and anyone purporting them to have meaning is uninformed, or worse, lying.
I would highly recommend that if you encounter anyone who tells you such nonsense, they should be immediately reported to the PCI SSC – qsa AT pcisecuritystandards DOT org. Include their name and the name of their organization in your message.
UPDATE: Only a few minutes after I put up this post I received just such a certificate from a major bank as proof that their business partner was PCI compliant. Unbelievable.
Probably should include a link to the Council’s published documentation that directs entities to request certificates of compliance from service providers. Seems relevant to the discussion.
http://thepciportal.com/2018/04/06/certificates-of-compliance/
The Council issued an FAQ #1220 on the subject that apparently a LOT of QSAs and their employers never read.
I agree to some extent and I’ve seen some merchants use misleading marketing for things like this. But as long as the QSA firm provides clear “certificates” that don’t mislead on their own, I don’t see the problem with it. It’s marketing.
The Council has been very clear: you can provide such things to your clients, but they are not to be relied upon by QSAs.
The reason this is important is that service providers (the whole reason you’re getting the proof in the first place) are required to publish what services were assessed as PCI compliant. All of the “certificates of compliance” I’ve encountered cover none of that information, which is required so that I can determine if my client is doing what they are required to do.
The Attestation of Compliance (AOC) provides that information and has been extensively revised in v3 to provide additional information. Without that information, a QSA is in the dark as to whether or not a service provider is truly compliant for the services being provided to their client. Without that proof, a QSA is required to assess the service provider for the services provided to their client. Based on that, you can see how things can escalate and get out of hand in a hurry as the service provider complains and keeps pointing to that worthless “certificate”.
The bottom line is that they are not worth anything and prove nothing. The people handing them out are doing a disservice to their clients and the PCI industry.
They have become the norm these days, but I agree they serve no real purpose; our QSA said the same some time ago and now they also produce them. Ultimately they are a gimmick and a quick display; anyone who understands PCI should know that the proof they need is the AoC. Service providers should appear on the PCI directory anyway, regardless of the pointless certificate.
The service provider registries are operated by Visa and MasterCard. Service providers are not required to list on either. Service providers that appear on those lists spent money to get listed. It also requires the sponsorship of the card brand or a bank and the service provider must go through a ROC. The Visa and MasterCard service provider lists are just marketing tools and a way for the card brands to make money.
The list I think you are thinking of is the PA-DSS list managed by the PCI SSC, which has nothing to do with service providers.
All Level 1 Service Providers, as I understood it, appear on the lists produced by Visa and Mastercard, as they are all required to complete an external assessment and as such have a RoC produced.
I wasn’t aware that they had to pay for the privilege? Obviously a Level 2 could go through an external QSA assessment which adds cost.
What you may be referring to is a process Visa introduced this year for all service providers. Visa is requiring all service providers to register with them so that they can create a complete inventory of service providers. But that is separate from Visa’s public Global Registry list.
It is true that all Level 1 service providers are required to conduct a Report On Compliance (ROC), but they are not automatically listed on the public Visa and MasterCard service provider lists unless they go through the process to be listed. The one change that has been made to the public lists is that Visa and MasterCard will sponsor those service providers that are not directly processing transactions such as managed security service providers (MSSP) and network management service providers. Otherwise a service provider must be sponsored by their acquiring bank. In all cases there are initiation fees and then annual maintenance fees that are paid to Visa and MasterCard for service providers to be listed on the public service provider lists. Those lists are more a marketing ploy for the service providers and really have nothing to do with how well a service provider complies with the PCI standards.