PCI DSS Compliance Vendors Evaluation

For the evaluation and verification of payment card service providers, you must submit an Attestation of Compliance (AOC) using the PCI Security Standards Council (SSC) official form. Submit the document(s) to PCI Compliance Services or Merchant Services.

Please note the following:

  • The AOC must be valid within 12 months.
  • Every vendor must submit the AOC as a service provider.
  • Every vendor must submit its current quarter's Approved Scanning Vendor (ASV) report and the current year's penetration test report for the external network. Quarterly ASV scan reports must not contain any vulnerability with a CVSS score of 4.0 or higher.
  • In a 12-month period, the PCI Compliance team will only accept a maximum of 3 versions of an AOC from the same vendor for review.
  • The PCI Compliance team might request that the vendor provide a demo on payment processing workflow through its services.

Note: Payment card service providers, according to PCI SSC, all organizations that process, transmit, and/or store payment card information must be compliant with the PCI Security Standard Requirements and Security Assessment Procedures (PCI DSS).