11
Dec
15

Have You Noticed?

I was on a call with our person who coordinates and does most of our quality assurance (QA) reviews for the firm. They were asked if they had any updates to provide the team regarding PCI. They took over the meeting and had us go to Part 2g of the Service Provider Attestation Of Compliance (AOC). The topic of the discussion was that we needed to make sure that we followed the Note in that section that states:

Note: One table to be completed for each service covered by this AOC. Additional copies of this section are available on the PCI SSC website.”

PCI SP AOC Part 2gThey said that in conversations with other QA people in the PCI arena, this had come up in the discussions as to how he was dealing with the requirement. They said that, until it had been pointed out, they really had not thought about it until just recently when one of our Service Provider clients needed their AOC created and their multiple services necessitated multiple 2g tables.

But that brought up the concern as to how many QSAs and their QA people have noticed this requirement, let alone are doing it correctly? Likely only a few.

However, it is important that the Service Provider AOC gets properly filled out as the service providers’ customers are relying on the AOC to fill out their own matrices based on the service provided by the service provider.

As a result, for every check box checked below in Part 2a, there needs to be a corresponding table filled out in Part 2g.

PCI SP AOC Part 2aIf you are doing service provider assessments and are not following that process expect a big black checkmark in your next PCI SSC AQM review. The question is, will it cause any QSACs to go into remediation?

Happy holidays.


3 Responses to “Have You Noticed?”


  1. December 11, 2015 at 2:38 PM

    Does this mean that Service Providers will no longer have multiple entries on the Visa Global listing? Do they get to consolidate all their services into one ROC too? Or is the consolidation only in the AOC? This one is weird.

    • December 11, 2015 at 4:02 PM

      It is up to your sponsoring bank and/or the card brands to make the determination as to one or multiple ROCs. That has always depended upon what made sense as well as what the banks and/or brands thought.

      However, there was never an absolute requirement that separate ROCs were required. That was always up to the banks and brands.

  2. 3 Felix A Tapia
    December 11, 2015 at 2:29 PM

    This is great catch, thank you so much!!!


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s


Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.

December 2015
M T W T F S S
 123456
78910111213
14151617181920
21222324252627
28293031  


%d bloggers like this: