PCI DSS Compliance Vendors Evaluation

For the evaluation and verification of payment card service providers, the following documents must be submitted to Merchant Services:

  • Acknowledgement from the Office of the Treasurer (OOT) that a PCI Compliance review has been requested.
  • An Attestation of Compliance (AOC), submitted using the PCI Security Standards Council (SSC) official form.
    Please note the following:
    • The AOC must have been completed within the last 12 months.
    • Every vendor must submit the AOC as a service provider, unless an exception is granted by the Treasury Office and the UIT Compliance Office.
    • If the AOC is not signed by a PCI SSC certified QSA or ISA, the vendor must also submit its current quarter's Approved Scanning Vendor (ASV) report and the current year's penetration test report for its external network.
    • In any 12-month period, the PCI Compliance team will accept at most 3 versions of an AOC from the same vendor for review.

If needed at a later stage of the evaluation, the PCI Compliance team may ask the vendor to provide a demo of the payment processing workflow through its services.

Note to payment card service providers: according to the PCI SSC, all organizations that process, transmit, and/or store payment card information must be compliant with the PCI Security Standard Requirements and Security Assessment Procedures (PCI DSS).