Another good question from our recent PCI Dream Team session.
“Are service providers to a service provider required to provide a report on compliance (ROC) to the service provider in a private cloud scenario?”
It depends.
The reason it depends is that the answer hinges on whether or not the service provider in question directly processes, stores or transmits sensitive authentication data (SAD) or cardholder data (CHD). While our session this time was on ‘The Cloud’, the cloud has nothing to do with the answer, so the answer will be the same regardless of the hosting model.
If you are unsure whether you are a service provider, read this post. If you are trying to construct a story that gets you out of scope as a service provider, read this post.
Reporting Requirements
Before we can talk about what a service provider needs to provide to a merchant or another service provider, we need to ensure that everyone understands the PCI reporting requirements.
For any service provider that directly processes, stores or transmits SAD or CHD, if the volume of Visa/MasterCard/Discover transactions is greater than or equal to 300,000, then the service provider must go through a PCI assessment that produces a Service Provider ROC and Attestation Of Compliance (AOC).
For service providers that directly process, store or transmit fewer than 300K transactions, or that do not directly process, store or transmit SAD or CHD at all, that service provider can self-assess using the Service Provider SAQ D and the related AOC.
Another key point regarding reporting that needs to be made is that there are differences between the Merchant AOC and the Service Provider AOC. It is very important that service providers use the Service Provider AOC and not the Merchant AOC.
I still get too many Merchant AOCs from service providers. Most often this is because these service providers are also merchants and they mistakenly believe their merchant PCI assessment serves as their service provider PCI assessment. Not so! These service providers need two assessments. One that covers their merchant payment processes (usually a very small assessment) and one that covers their service provider processes which is usually the larger of the two.
The first key AOC difference is that the Service Provider AOC has a section 2a that discusses what services were assessed in the assessment and what services were not assessed. This is important to customers of service providers because it allows them to ensure that all of their services have been assessed in this AOC. If they have not, then the customer knows to ask the service provider for additional AOCs that cover those services.
The other key AOC difference is section 2g which documents the requirements tested during the assessment for each service assessed from section 2a. The PCI SSC requires that individual 2g sections be used if the services assessed have different requirements matrices.
Finally, section 2c is also very important to customers as it explains what locations were included in the assessment. I cannot tell you the number of AOCs I have reviewed from large service providers only to find that the location used to service my client was not part of the service provider’s assessment. As a result, the AOC has no use to my client in their assessment.
Who Needs What?
Under the PCI rules, a service provider is required to provide their Service Provider AOC to all merchants and other service providers to which they provide services. Yet time and again as a QSA, I end up in fights with service providers who refuse to provide their AOC to my clients.
This requirement of providing an AOC is all about proper vendor management and ensuring there are no gaps in meeting controls responsibilities. The Service Provider’s AOC has a matrix in section 2g for each service assessed that explains which requirements the service provider is responsible for, which requirements are the customer’s responsibility and which requirements are a shared responsibility. Without that matrix, a customer has no way to understand their responsibilities in maintaining PCI compliance between themselves and their service providers.
Please notice that nowhere have I mentioned sending anyone the ROC, only the AOC. As you will recall, the question involved the sending of the ROC to another service provider. That is not to say that you cannot send your ROC, it is just not required by the PCI SSC.
As a QSA, I have encountered a few situations where section 2g is not clear enough and have asked a service provider for their ROC to ensure that my client properly sets up their controls to mesh with the service provider’s controls. If the service provider was unwilling to provide their ROC, or even the section needed, I held a lot of conference calls to clarify the situation.
With that said, if you want your organization listed on either the Visa or MasterCard Global Service Provider lists, you will have to submit your ROC and AOC to those card brands (as well as some money) to get on those lists. If you are a service provider and can use the Service Provider SAQ D and you want to get listed on either brand’s service provider list, you will have to go through the ROC assessment process. Visa and MasterCard will only accept a ROC for listing on their sites.
Hopefully you now understand what is required and what is not.