Working at MasterCard and Visa level 1 service providers, I’ve been asked for my “PCI Certificate” on a regular basis. But in the PCI DSS world, there is nothing called a PCI Certificate. So what’s really being requested?
Ultimately, a PCI compliance certificate would be a piece of evidence showing that a company complies with the PCI DSS (Data Security Standard). You are demonstrating that your company knows how to properly secure credit and debit card data.
When do you have to show PCI DSS Compliance?
When do you need to show you comply with PCI DSS? In day-to-day operations, there are two different scenarios:
- Your company handles card numbers, putting you in scope for PCI DSS. You’re being asked to provide it by some other company (possibly an acquiring bank) so they know they can do business with you; or
- Your business handles credit or debit cards, and you want to use some service provider to help with some aspect of the work. A non-obvious example would be a colocation provider who handles physical security for your computers. You need to be sure they can meet the PCI DSS requirements that apply to the service (physical security) they provide.
Either you’re showing someone else you comply, or your asking someone else to demonstrate that they comply.
A third scenario is during during corporate due diligence. If you are in the payments space, then whether or not you are PCI DSS compliant is potentially material to the value of your company or services. We won’t consider that here as it’s outside the PCI DSS program itself.
Compliance Status Monitoring
Companies subject to PCI DSS are required to regularly monitor the PCI compliance status of any service providers they use to handle card data, or which could impact the security of the Cardholder Data Environment (PCI DSS v3.2.1 req. 12.8.4). The easiest way to do this is to ask them to give you a copy of their “PCI certificate”.
So back to the original question: what is a PCI compliance certificate?
Attestation of Compliance (AOC)
There’s only really one thing that can be described as a “PCI Certificate”, and that’s the Attestation of Compliance (AOC). This is a certificate signed and issued by a PCI auditor (known as a QSA / Qualified Security Assessor) after they’ve completed a successful assessment of a company. The AOC is a summary document which basically states which basically outlines the scope of the audit and services covered, and your current compliance status.
At completion of a PCI DSS assessment, you are also issued a second document called the Report of Compliance (ROC). The PCI DSS ROC is a very different beast to the AOC. A typical ROC is at least tens of pages with detailed information about the scope of the assessment, infrastructure diagrams, and descriptions of you business activities, in addition to the findings of the assessment. As the QSA goes through the audit, they fill in the ROC Reporting Template with their findings. The ROC is issued to you at the completion of the audit regardless of whether all items are in place.
Because a PCI DSS ROC contains so much detailed information about the inner workings of your business, it’s not intended to be a public document. You may need to provide copies to the card brands, or to your banks. Beyond this, it’s not something you should give to other companies by default. Like any other confidential information internal to your business, the decision to release a copy of the ROC should be risk based. You balance the upside of the disclosure (a new business deal?) against the risks of disclosure.
On the other hand, the AOC is very much intended to be a public document. It outlines your current compliance status, and provides enough information about scoping to allow a reviewer to determine whether it covers the services they care about. It’s becoming somewhat common for service providers to give out copies of their AOC to interested parties as part of their sales literature and without NDA.
What if I don’t have an AOC?
Standalone AOC documents are signed and issued by a QSA at the completion of a PCI DSS assessment. But many (most?) entities subject to PCI DSS have volumes too low to need an on-site QSA assessment. For those companies, how do they show their compliance?
If you must demonstrate compliance with PCI DSS, but aren’t required to have an on-site assessment done by a QSA, there is a separate path available. There are a set of Self Assessment Questionnaires (SAQ) which are aimed at companies in this situation. Which SAQ to use depends on your type of business. The biggest distinction is whether you’re a merchant or a service provider, but there are others. The PCI SSC publishes guidance on how to select the correct SAQ.
Each SAQ includes an attestation section. After completing the full questionnaire, you check a box in the SAQ attestation which states whether you believe you are:
- compliant with approved exceptions
- not compliant.
Since there is no QSA involved in this process, the SAQ is instead signed by an officer of your company authorized to make legally significant representations on behalf of the company.
Can I accept some other certificate as evidence of PCI DSS compliance?
For PCI DSS purposes, no. There is a cottage industry of consultants who are not QSAs, and who do independent PCI reviews or perform PCI readiness consulting for small merchants. That’s all well and good, there’s nothing wrong with bringing in outside expert help for your business!
At the completion of these engagements, these firms will often issue some kind of “PCI Certificate” to the merchant. That’s still OK, as long as the recipient recognizes it for what it is, which is not an AOC.
As a security professional, I regularly get “Certificates of Completion” for sitting through 1 hour webinars. We issue our employees completion certificates for their annual security awareness training. These show that you’ve participated or completed some activity, but they’re not formal qualifications of anything. Third party PCI certificates are similar. They have a certain feel-good factor, but they’re not valid within the PCI world.
Where this becomes a problem is if the merchant or service provider believes this certificate can be used to demonstrate their compliance with PCI DSS. As far as the PCI SSC is concerned, these independent certificates aren’t worth the paper they’re printed on. In fact, this is such a big issue that the PCI SSC issued a FAQ on the topic. It clearly states that these certificates cannot to be recognized as PCI DSS validation.