PCI Compliance Certificates Rear Their Ugly Head Again

Apparently, a bad practice started a number of years ago is appearing in other parts of the world.  That practice is PCI Compliance Certificates.

I wrote a post a number of years ago about this practice and provided the direct quote from the PCI SSC’s FAQ on the subject.  If you need more proof, go to the PCI SSC Web site and click on FAQ and search for ‘PCI DSS Compliance Certificate’.

This is a marketing ploy and it needs to stop.

These certificates are not worth the paper they are printed on and anyone purporting them to have meaning is uninformed, or worse, lying.

I would highly recommend that if you encounter anyone that tells you such nonsense, they should be immediately reported to the PCI SSC –  qsa AT pcisecuritystandards DOT org. Include their name and the name of their organization in your message.

UPDATE: Only a few minutes after I put up this post I received just such a certificate from a major bank as proof that their business partner was PCI compliant. Unbelievable.


9 Responses to “PCI Compliance Certificates Rear Their Ugly Head Again”

  1. April 6, 2018 at 11:19 AM

    Probably should include a link to the Council’s published documentation that directs entities to request certificates of compliance from service providers. Seems relevant to the discussion.

  2. November 4, 2014 at 4:03 PM

    I agree to some extent and I’ve seen some merchants use misleading marketing for things like this. But as long as the QSA firm provides clear “certificates” that don’t mislead on their own, I don’t see the problem with it. Its marketing.

    • November 5, 2014 at 6:27 AM

      The Council has been very clear, you can provide such things to your clients but they are not to be relied upon by QSAs.

      The reason this is important is that service providers (the whole reason you’re getting the proof in the first place) are required to publish what services were assessed as PCI compliant. All of the “certificates of compliance” I’ve encountered cover none of that information which is required so that I can determine if my client is doing what they are required.

      The Attestation of Compliance (AOC) provides that information and has been extensively revised in v3 to provide additional information. Without that information, a QSA is in the dark as to whether or not a service provider is truly compliant for the services being provided to their client. Without that proof, a QSA is required to assess the service provider for the services provided to their client. Based on that, you can see how things can escalate and get out of hand in a hurry as the service provider complains and keeps pointing to that worthless “certificate”.

      The bottom line is that they are not worth anything and prove nothing. The people handing them out are doing a disservice to their clients and the PCI industry.

      • 5 Dave
        November 7, 2014 at 7:48 AM

        They have become the norm these days but agree they serve no real purpose, our QSA said the same sometime ago and now they also produce them. Ultimately they are a gimmick and a quick display, anyone who understands PCI should know that the proof they need is the AoC. Service providers should appear on the PCI directory anyway regardless of pointless certificate.

      • November 8, 2014 at 4:25 PM

        The service provider registries are operated by Visa and MasterCard. Service providers are not required to list on either. Service providers that appear on those lists spent money to get listed. It also requires the sponsorship of the card brand or a bank and the service provider must go through a ROC. The Visa and MasterCard service provider lists are just marketing tools and a way for the card brands to make money.

        The list I think you are thinking of is the PA-DSS list managed by the PCI SSC which ahs nothing to do with service providers.

      • 7 Dave
        November 10, 2014 at 5:25 AM

        All Level 1 Service Providers as I understood it appear on the lists produced by Visa and Mastercard as they are all required to complete external assessment and as such have a RoC produced.

        I wasn’t aware that they had to pay for the privilege? Obviously a Level 2 could go through an external QSA assessment which adds cost.

      • November 10, 2014 at 6:27 AM

        What you may be referring to is a process Visa introduced this year for all service providers. Visa is requiring all service providers to register with them so that they can create a complete inventory of service providers. But that is separate from Visa’s public Global Registry list.

        It is true that all Level 1 service providers are required to conduct a Report On Compliance (ROC), but they are not automatically listed on the public Visa and MasterCard service provider lists unless they go through the process to be listed. The one change that has been made to the public lists is that Visa and MasterCard will sponsor those service providers that are not directly processing transactions such as managed security service providers (MSSP) and network management service providers. Otherwise a service provider must be sponsored by their acquiring bank. In all cases there are initiation fees and then annual maintenance fees that are paid to Visa and MasterCard for service providers to be listed on the public service provider lists. Those lists are more a marketing ploy for the service providers and really have nothing to do with how well a service provider complies with the PCI standards.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.

October 2014

%d bloggers like this: