It is becoming obvious that there are a lot of QSAs out there who did not get the message when v3 of the PCI DSS came out and the new AOC for service providers was introduced. This has been a big topic at the last few community meetings as well, and it recently became a big topic with a number of my clients as I continue to see service provider AOCs that are not correct. I have even mentioned this problem already in a post about service providers, but the problem continues.
As a result, I have decided this is a great time to discuss the problem and get everyone to ensure it is fixed so that we stop the arguments over something that is clearly documented in the service provider AOC form and needs to be done correctly, because there is no excuse for messing this up.
Section 2a
Before we get to the actual problem, we need to talk about section 2a in the service provider AOC as it drives the problem.
In section 2a of the service provider AOC, a QSA is to call out every assessed service in the ‘Name of service(s) assessed’ field and to check every box in the ‘Type of Service(s) assessed’ section for every service named as part of the service provider’s PCI assessment.
QSAs seem to be doing very well in checking the appropriate boxes for ‘Type of Service(s) assessed’ on the AOCs that I encounter. However, for the ‘Name of service(s) not assessed’ field, QSAs do not seem to be doing quite as well. The reason will become obvious when I discuss section 2g.
One important note though. When checking the ‘Others’ box (or any of the ‘Other’ boxes), please make sure to list ALL the other services that were assessed and NEVER, EVER use “etc” in that explanation. All the services in the ‘Others’ category MUST BE listed individually and specifically. Again, why this matters will become obvious when we get to section 2g.
And before we move on, I get questions about cloud services, i.e., SaaS, PaaS and IaaS. Those are services and should be listed as such in the ‘Name of service(s) assessed’.
Section 2g
Notice the shaded ‘Note’, in bold italics, that states:
“One table to be completed for each service covered by this AOC. Additional copies of this section are available on the PCI SSC website.”
What this note means is that you need to have the same number of section 2g tables as you have named services in section 2a. And this is where a lot of QSAs and their QA reviewers are going wrong with their service provider AOCs.
For example, if you have named five services in 2a, there had better be five pages of 2g filled out, one for each of those five named services. By the same token, if you are relying on check boxes under the ‘Type of Service(s) assessed’ section to define the services covered, then you should call those out separately in 2g.
The bottom line though is that, however a QSA breaks things out, there must be a separate 2g section for each individual service provided.
In some very rare instances there can be services that have the same coverages/responsibilities for the requirements in the matrix, and those may be combined into one table. The Council has even said as much in clarifying this form. However, the Council has also been very clear that when combining those services into one 2g section, those services MUST have EXACTLY the same responsibilities, and that is where a lot of QSAs get into trouble. So the recommendation I would make is to just do one 2g for every service and stop trying to combine things.
Now the QSAs that I have had discussions (arguments) with over their flawed service provider AOCs always bring up the fact that the AOC Word document is locked and they cannot make changes. I always point them back to that ‘Note’ in 2g, which states:
“Additional copies of this section are available on the PCI SSC website.”
According to the guidance provided by the Council at the Community Meetings, QSAs are to append those additional 2g sections to the end of the AOC.
That said, some of us in the QSA community have unlocked the Word document (NOT approved by the Council) and just copy section 2g and insert it inline in the AOC for the number of services we need sections for and fill them out.
One final note about section 2g. Please follow the instructions to the letter when filling out the table/matrix for the service. I cannot tell you the number of AOCs I encounter where ‘Partial’ or ‘None’ is checked and then there is nothing documented in the ‘Justification’ column. The instructions are very clear on how you are supposed to fill out the ‘Justification’ column, so there is no excuse for leaving it blank.
And for the merchants that have to deal with these service provider AOCs: it is up to you to police these documents. If you receive an AOC and it is not properly filled out, it is up to you to point out your concerns to the service provider. If the service provider does not address your concerns, you have a couple of options at your disposal.
- Contact the PCI SSC with your concerns at qsa@pcisecuritystandards.org. Document your concern(s) in your email as well as including the AOC in question.
- If the service provider is listed on either the Visa or MasterCard service provider lists on their respective Web sites, you should notify them as well. This is because both of those card brands should have caught this error before listing the service provider on their Web site. For Visa, go to http://www.visa.com/splisting/learnmore.html and use the appropriate email address for your region under the PCI DSS Validated Service Providers row. For MasterCard, use the pcireports@mastercard.com email address and, as with the Council, document your concern(s) in an email as well as including the AOC in question.
By contacting the Council, you will provide the Council feedback that a QSAC is not conducting its service provider assessments appropriately and that the Council may need to conduct an assessor quality management (AQM) process for that QSAC.
Notifying the card brands will do two things. It will point out a potential flaw in their service provider listing process that needs to be addressed. But it could also potentially put the service provider in a different status on the card brands’ lists.
I can’t help feeling that the PCI SSC contributes to this problem by over-complicating. To illustrate: most of the service providers I come across are simply hosting web sites for the merchants I am assessing, and these web sites redirect to compliant PSPs. If the web host is not compliant, all I have to do is include them in scope for the merchant and assess the requirements in SAQ A. In practice many say that they are compliant and then produce a merchant SAQ A. This is, of course, incorrect; they should produce a service provider SAQ D. And yet it covers all the relevant requirements. We then get into long and pointless debates about whether I can accept their SAQ.
Like it or not, service providers only have two choices, SAQ D or a ROC. The reason is that in a LOT of cases, the company or QSA finds that more is being provided than what is covered in just SAQ A.
The lock-down of the AoC template is really the main problem. If the AoC template was a normal document (like the RoC), it would probably be a very rare problem.
I would be worried about manipulating the AoC template to remove the locking, as it would probably violate the instructions from PCI SSC. I’d say the PCI SSC has managed to prevent QSAs from following their own instructions and the lack of quality in AoCs is the result.
The Council will tell you (and they have done it at least two times that I am aware of) that this is not the case. You can append 2g sections at the end of the AOC, and additional 2g sections are available at their Web site. As far as they are concerned, it is the QSAs’ problem.
I think this would be a good topic to discuss on the All Assessor Webcast tomorrow.
Please note that my personal views are that:
Whilst I agree with you regarding QSAs, merchants also clearly need to understand what their responsibilities are and clearly document them as in 12.8.2 so the service providers can fulfil 12.9. In addition, merchants also need clarity around what a Service Provider and a Component Provider are in the P2PE standard and what they can and cannot be accredited for, as in some areas this cannot be done (such as Warehousing, Logistics controls only).