I was on a call with our person who coordinates and does most of our quality assurance (QA) reviews for the firm. They were asked if they had any updates to provide the team regarding PCI. They took over the meeting and had us go to Part 2g of the Service Provider Attestation Of Compliance (AOC). The topic of the discussion was that we needed to make sure that we followed the Note in that section that states:
“Note: One table to be completed for each service covered by this AOC. Additional copies of this section are available on the PCI SSC website.”
They said that in conversations with other QA people in the PCI arena, this had come up in the discussions as to how they were dealing with the requirement. They said that they really had not thought about it until it was pointed out just recently, when one of our Service Provider clients needed their AOC created and their multiple services necessitated multiple 2g tables.
But that brought up the concern as to how many QSAs and their QA people have noticed this requirement, let alone are complying with it correctly? Likely only a few.
However, it is important that the Service Provider AOC gets properly filled out as the service providers’ customers are relying on the AOC to fill out their own matrices based on the service provided by the service provider.
As a result, for every service check box checked in Part 2a, there needs to be a corresponding table filled out in Part 2g.
If you are doing service provider assessments and are not following that process, expect a big black checkmark in your next PCI SSC AQM review. The question is, will it cause any QSACs to go into remediation?
Happy holidays.
Does this mean that Service Providers will no longer have multiple entries on the Visa Global listing? Do they get to consolidate all their services into one ROC too? Or is the consolidation only in the AOC? This one is weird.
It is up to your sponsoring bank and/or the card brands to make the determination as to one or multiple ROCs. That has always depended upon what made sense as well as what the banks and/or brands thought.
However, there was never an absolute requirement that separate ROCs were required. That was always up to the banks and brands.
This is a great catch, thank you so much!!!