PCI DSS Compliance Vendors Evaluation
For the evaluation and verification of payment card service providers, you must submit an Attestation of Compliance (AOC) using the PCI Security Standards Council (SSC) official form. Submit the document(s) to PCI Compliance Services or Merchant Services.
Please note the following:
- The AOC must be valid within 12 months.
- Every vendor must submit the AOC as a service provider, unless an exception is granted by the Treasury Office, the Information Security Office (ISO) and the UIT Compliance Office.
- If the AOC is not signed by a PCI SSC certified QSA or ISA, the vendor must also submit their current quarter's Approved Scanning Vendor (ASV) report and the current year's penetration test report for the external network.
- In a 12-month period, the PCI Compliance team will only accept a maximum of 3 versions of an AOC from the same vendor for review.
- If needed at a later stage of the evaluation, the PCI Compliance team might request that the vendor provide a demo of the payment processing workflow through its services.