
Vendors

PCI DSS Compliance Vendors Evaluation

For the evaluation and verification of payment card service providers, the following documents must be submitted to Merchant Services:

  • Acknowledgement from the Office of the Treasurer (OOT) that a PCI Compliance review has been requested.
  • An Attestation of Compliance (AOC), submitted on the PCI Security Standards Council (SSC) official form.
    Please note the following:
    • The AOC must be dated within the last 12 months.
    • Every vendor must submit the AOC as a service provider, unless an exception is granted by the Treasury Office and the UIT Compliance Office.
    • If the AOC is not signed by a PCI SSC certified QSA or ISA, the vendor must also submit its current quarter's Approved Scanning Vendor (ASV) report and the current year's external network penetration test report.
    • In any 12-month period, the PCI Compliance team will accept a maximum of 3 versions of an AOC from the same vendor for review.

If needed at a later stage of the evaluation, the PCI Compliance team may request that the vendor provide a demo of the payment processing workflow through its services.

Note to payment card service providers: according to the PCI SSC, every organization that processes, transmits, and/or stores payment card information must comply with the PCI Data Security Standard Requirements and Security Assessment Procedures (PCI DSS).