PCI DSS Compliance Vendors Evaluation
For the evaluation and verification of payment card service providers, you must submit an Attestation of Compliance (AOC) using the PCI Security Standards Council (SSC) official form. Submit the document(s) to PCI Compliance Services or Merchant Services.
Please note the following:
- The AOC must be valid within 12 months.
- Every vendor must submit the AOC as a service provider, unless an exception is granted by the Treasury Office, the Information Security Office (ISO) and the UIT Compliance Office.
- Every vendor must submit their current quarter's Approved Scanning Vendor (ASV) report and the current year's penetration test report for the external network.
- In a 12-month period, the PCI Compliance team will only accept a maximum of 3 versions of an AOC from the same vendor for review.
- If needed at a later stage of the evaluation, the PCI Compliance team might request that the vendor provide a demo of the payment processing workflow through its services.