PCI DSS Compliance Vendors Evaluation
For the evaluation and verification of payment card service providers, the following documents must be submitted to Merchant Services:
- Acknowledgement from the Office of the Treasurer (OOT) that a PCI Compliance review has been requested.
- An Attestation of Compliance (AOC), submitted on the official PCI Security Standards Council (SSC) form.
Please note the following:
- The AOC must be current, i.e. valid within the last 12 months.
- Every vendor must submit the AOC as a service provider, unless an exception is granted by the Treasury Office and the UIT Compliance Office.
- If the AOC is not signed by a PCI SSC certified QSA or ISA, the vendor must also submit its current quarter's Approved Scanning Vendor (ASV) scan report and the current year's external network penetration test report.
- Within any 12-month period, the PCI Compliance team will accept at most 3 versions of an AOC from the same vendor for review.
If needed at a later stage of the evaluation, the PCI Compliance team may request that the vendor provide a demonstration of the payment processing workflow through its services.