Service Provider To A Service Provider

Another good question from our recent PCI Dream Team session.

“Are service providers to a service provider required to provide a report on compliance (ROC) to the service provider in a private cloud scenario?”

It depends.

The reason it depends is that the answer turns on whether or not the service provider in question directly processes, stores or transmits sensitive authentication data (SAD) or cardholder data (CHD).  While our session this time was on ‘The Cloud’, the cloud has nothing to do with the answer, so the answer will be the same regardless of whether a private cloud is involved.

If you are unsure whether you are a service provider, read this post.  If you are trying to construct a story that gets you out of scope as a service provider, read this post.

Reporting Requirements

Before we can talk about what a service provider needs to provide to a merchant or another service provider, we need to ensure that everyone understands the PCI reporting requirements.

For any service provider that directly processes, stores or transmits SAD or CHD, if the volume of Visa/MasterCard/Discover transactions is greater than or equal to 300,000, then the service provider must go through a PCI assessment that produces a Service Provider ROC and Attestation Of Compliance (AOC).

For service providers that directly process, store or transmit SAD or CHD for fewer than 300K transactions, or that do not directly process, store or transmit SAD or CHD at all, the service provider can self-assess using the Service Provider SAQ D and the related AOC.

Another key point regarding reporting that needs to be made is that there are differences between the Merchant AOC and the Service Provider AOC.  It is very important that service providers use the Service Provider AOC and not the Merchant AOC.

I still get too many Merchant AOCs from service providers.  Most often this is because these service providers are also merchants and they mistakenly believe their merchant PCI assessment serves as their service provider PCI assessment.  Not so!  These service providers need two assessments.  One that covers their merchant payment processes (usually a very small assessment) and one that covers their service provider processes which is usually the larger of the two.

The first key AOC difference is that the Service Provider AOC has a section 2a that discusses what services were assessed in the assessment and what services were not assessed.  This is important to customers of service providers because it allows them to ensure that all of their services have been assessed in this AOC.  If they have not, then the customer knows to ask the service provider for additional AOCs that cover those services.

The other key AOC difference is section 2g which documents the requirements tested during the assessment for each service assessed from section 2a.  The PCI SSC requires that individual 2g sections be used if the services assessed have different requirements matrices.

Finally, section 2c is also very important to customers as it explains what locations were included in the assessment.  I cannot tell you the number of AOCs I have reviewed from large service providers only to find that the location used to service my client was not part of the service provider’s assessment.  As a result, the AOC has no use to my client in their assessment.

Who Needs What?

Under the PCI rules, a service provider is required to provide their Service Provider AOC to all merchants and other service providers to which they provide services.  Yet time and again as a QSA, I end up in fights with service providers who refuse to provide their AOC to my clients.

This requirement of providing an AOC is all about proper vendor management and ensuring there are no gaps in meeting control responsibilities.  The Service Provider’s AOC has a matrix in section 2g for each service assessed that explains which requirements the service provider is responsible for, which requirements are the customer’s responsibility and which requirements are a shared responsibility.  Without that matrix, a customer has no way to understand their responsibilities in maintaining PCI compliance between themselves and their service providers.
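As an added example that is not part of this post, here is a small Python check that models the three AOC sections discussed above (services in 2a, locations in 2c and the responsibility matrix in 2g) and reports the gaps a customer's vendor-management review should catch: services or locations the AOC does not cover, a Merchant AOC supplied in place of a Service Provider AOC, and requirements that nobody has taken responsibility for.  The section labels and the three responsibility cases come from the post; the data model, the hypothetical provider, its matrix values and the customer's needs are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Responsibility values a section 2g matrix can assign (the three cases the
# post describes: provider-only, customer-only, shared).
RESPONSIBILITIES = {"provider", "customer", "shared"}


@dataclass
class ServiceProviderAOC:
    """Summary of the parts of a Service Provider AOC a customer relies on (assumed model)."""
    document_type: str                  # "service_provider" or "merchant"
    services_assessed: set[str]         # section 2a: services covered by the assessment
    locations_assessed: set[str]        # section 2c: locations covered by the assessment
    # section 2g: one matrix per assessed service, requirement number -> who owns it
    responsibility_matrices: dict[str, dict[str, str]] = field(default_factory=dict)


@dataclass
class CustomerNeeds:
    """What the customer actually consumes and must see accounted for."""
    services_used: set[str]
    locations_used: set[str]
    requirements: set[str]              # PCI DSS requirement numbers to reconcile


def review_aoc(aoc: ServiceProviderAOC, needs: CustomerNeeds) -> dict[str, list[str]]:
    """Return findings grouped by AOC section; an empty list means no gap found."""
    findings: dict[str, list[str]] = {"document": [], "2a": [], "2c": [], "2g": []}

    # A Merchant AOC is not evidence for the provider's service provider scope.
    if aoc.document_type != "service_provider":
        findings["document"].append(
            "Merchant AOC supplied; ask for the Service Provider AOC")

    # Section 2a: every service the customer uses must appear as assessed.
    for svc in sorted(needs.services_used - aoc.services_assessed):
        findings["2a"].append(f"{svc}: not assessed; request an additional AOC covering it")

    # Section 2c: the location serving the customer must be in scope.
    for loc in sorted(needs.locations_used - aoc.locations_assessed):
        findings["2c"].append(f"{loc}: not in the assessed locations; AOC does not cover it")

    # Section 2g: each requirement must be assigned to someone for each assessed service.
    for svc in sorted(needs.services_used & aoc.services_assessed):
        matrix = aoc.responsibility_matrices.get(svc)
        if matrix is None:
            findings["2g"].append(f"{svc}: no responsibility matrix supplied")
            continue
        for req in sorted(needs.requirements, key=int):
            owner = matrix.get(req)
            if owner is None:
                findings["2g"].append(f"{svc}: requirement {req} assigned to nobody")
            elif owner not in RESPONSIBILITIES:
                findings["2g"].append(f"{svc}: requirement {req} has unknown owner '{owner}'")
    return findings


def customer_controls(aoc: ServiceProviderAOC, service: str) -> set[str]:
    """Requirements the customer must implement itself or co-own for one service."""
    matrix = aoc.responsibility_matrices.get(service, {})
    return {req for req, owner in matrix.items() if owner in {"customer", "shared"}}


# Constructed sample: a hypothetical provider offering hosting and tokenization
# from one assessed location, and a customer that also uses an unassessed service
# and a second location.
SAMPLE_AOC = ServiceProviderAOC(
    document_type="service_provider",
    services_assessed={"hosting", "tokenization"},
    locations_assessed={"Dallas"},
    responsibility_matrices={
        "hosting": {"1": "shared", "2": "provider", "3": "customer", "9": "provider", "12": "shared"},
        "tokenization": {"1": "provider", "2": "provider", "3": "provider", "12": "shared"},
    },
)
SAMPLE_NEEDS = CustomerNeeds(
    services_used={"hosting", "tokenization", "managed_firewall"},
    locations_used={"Dallas", "Frankfurt"},
    requirements={"1", "2", "3", "9", "12"},
)

if __name__ == "__main__":
    for section, items in review_aoc(SAMPLE_AOC, SAMPLE_NEEDS).items():
        for item in items:
            print(f"[{section}] {item}")
    print("customer-owned or shared for hosting:",
          sorted(customer_controls(SAMPLE_AOC, "hosting"), key=int))
```

Running it against the constructed sample reports the unassessed managed firewall service (2a), the Frankfurt location (2c) and requirement 9 left unassigned for tokenization (2g), which is exactly the kind of gap that leads a QSA to go back to the provider for an additional AOC or a clearer matrix.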

Please notice that nowhere have I mentioned sending anyone the ROC, only the AOC.  As you will recall, the question involved the sending of the ROC to another service provider.  That is not to say that you cannot send your ROC, it is just not required by the PCI SSC.

As a QSA, I have encountered a few situations where section 2g is not clear enough and have asked a service provider for their ROC to ensure that my client properly sets up their controls to mesh with the service provider’s controls.  If the service provider was unwilling to provide their ROC, or even just the section needed, I held a lot of conference calls to clarify the situation.

With that said, if you want your organization listed on either the Visa or MasterCard Global Service Provider lists, you will have to submit your ROC and AOC to those card brands (as well as some money) to get on those lists.  If you are a service provider and can use the Service Provider SAQ D and you want to get listed on either brand’s service provider list, you will have to go through the ROC assessment process.  Visa and MasterCard will only accept a ROC for listing on their sites.

Hopefully you now understand what is required and what is not.


14 Responses to “Service Provider To A Service Provider”

  1. Mike
    January 23, 2019 at 12:30 PM

    Quick question, not sure if this is the right place to ask but couldn’t find any other article related.

    When is it required for a Service Provider to be listed under the Visa website portal as a “service provider”?
    Is this mandatory for SPs, or only if they are SP Level 1?

    Also, do you or anyone reading this know how an SP can register there? Not sure if a sponsor is needed from a Visa direct customer or through a bank. Cost?

    This is basically because one customer says the company SP must register with Visa, so not sure if it is mandatory from a PCI perspective or just a “nice to have” or just a plain customer requirement.

    Any guidance?

    • January 26, 2019 at 11:34 AM

      “When is it required for a Service Provider to be listed under the Visa website portal as a “service provider”? Is this mandatory for SPs, or only if they are SP Level 1?”

      Never required. The Visa and MasterCard sites are just marketing schemes and nothing more. They are not even allowed to be a source of compliance proof under the PCI DSS. They are only a way for someone to easily find PCI compliant service providers and nothing else. The only positive proof that an SP is PCI compliant is to obtain their Service Provider PCI Attestation Of Compliance (AOC).

      If you process payment transactions, then you register through your acquiring bank. If you do not process transactions, you contact Visa directly and they will guide you through the process. Not sure if MasterCard has a similar process for organizations that do not have a bank.

      Be aware though that registering at either site costs money. More than your organization may deem realistic given the number of organizations that are asking. It may be cheaper to educate your sales/marketing people and provide your AOC to any customers and prospects.

  2. PCIer
    November 12, 2018 at 1:29 PM

    “The other key AOC difference is section 2g which documents the requirements tested during the assessment for each service assessed from section 2a.”

    Since this is missing from the ROC (though section 1.5 is similar), is there an equivalent to section 2g to give to the Merchant when a service provider that has a volume over 300k completes the ROC? Or how can the Merchant know what is the responsibility of their SP and what is their own responsibility?

    • November 13, 2018 at 8:07 AM

      The Attestation Of Compliance (AOC) is an entirely separate document that you need to download from the PCI SSC Documentation Library. The AOCs are just below the ROC Reporting Template.

  3. Dan
    November 9, 2018 at 3:58 PM

    “For service providers that directly process, store or transmit less than 300K transactions or does not directly process, store or transmit, then that service provider can self-assess using the Service Provider SAQ D and related AOC.”

    Given this, I am curious, what is your experience with reviewing self-signed Service Provider AOCs? It seems highly likely self-signed SP AOCs would be lacking, especially if only the SP had written/reviewed the AOC.

    Great post!

    • November 9, 2018 at 5:10 PM

      As a QSA/ISA you are not supposed to question any AOC you receive whether it is from a self-assessment or a ROC unless it is not properly filled out or is missing required information. The reason is that an officer is signing off on the AOC so the organization providing the AOC is legally representing what is in that AOC is factual and accurate. If something goes wrong, they and their organization are on the hook for any repercussions. Not a perfect solution, but that is how it works.

  4. Rob Harvey
    November 9, 2018 at 7:26 AM

    I would also comment that SPs are contractually based to the merchant or customer they are serving. So, an SP not validating their compliance to a merchant does not necessarily prevent the merchant’s compliance, as the merchant should, via contract, have the right to audit/assess the SP during the assessment. I find the contracts interesting, as merchants typically don’t have the vehicle to fine an SP for non-compliance or missing a validation of compliance deadline. Merchants sometimes are left with breach of contract or simply breaking the contract if an SP doesn’t validate in time or ever. It would be a great blog post talking about the contracts and suggestions on what they should include. Just a thought.

    • November 9, 2018 at 10:32 AM

      While the PCI SSC states that it is okay to work with an SP that is not PCI compliant, the card brands (particularly Visa and MasterCard) state differently in their security programs. So a merchant or even an SP needs to keep in mind those brand program requirements as well as the PCI DSS requirements.

      Thanks for the blog post suggestion. I will have to see what I can do for that topic.

      • Rob Harvey
        November 9, 2018 at 6:09 PM

        From a contract perspective, how can Visa / MC enforce the validation or compliance of an SP? The contract is with the upstream party. Right?

        Granted, it is not good from a marketing or security perspective for an SP not to be, and the DSS only states a written agreement to understand what the requirements are and the data security responsibility for CHD of the SP so the upstream party understands the risks. Just not understanding the comment about brand requirements. I will look into the Visa/MC operating agreements.

        Great post and conversation.

      • November 11, 2018 at 8:00 AM

        The card brands catch up with an organization when they end up with a problem such as excessive chargebacks or, heaven forbid, a breach. BTW, the breach does not have to be the organization’s; it could be part of a larger investigation into another organization’s (usually a service provider’s) breach. It is then that all of an organization’s “dirty laundry” gets aired out and fines and penalties get assessed as a result of non-compliance with the PCI standards or card brand agreements.

      • November 28, 2018 at 7:33 AM

        Hey bud! Do you have a reference for this? Where do they state this in their security programs?

        Sounds like you would be compliant with PCI DSS but out of compliance with the op regs. Can you link to this?

      • November 28, 2018 at 11:24 AM

        It’s in the Visa and MasterCard Merchant Agreements which I cannot access since I am not a merchant of theirs. I have always relied on my client to provide that to me. You may have to contact the brands directly regarding their individual programs like I did to obtain this insight.

      • November 28, 2018 at 12:23 PM

        Ahh, right. So in that case it would not have PCI DSS impact, but it could have op-regs impact. 🙂

      • November 28, 2018 at 5:10 PM

        Yes. And that is the problem. Organizations get fixated on the PCI DSS and neglect their obligations under their Merchant agreements with the various Brands.


November 2018
