PCI DSS Validation

Third-party partners must be PCI DSS compliant.

The Payment Card Industry Data Security Standard is a set of security standards designed to ensure that all companies that accept, process, store or transmit payment information maintain a secure environment. The PCI DSS applies to any organization, regardless of size or number of transactions, that accepts, transmits or stores any payment data. Payment processors, acquirers, issuers and service providers are examples of such organizations.

Using the Forward Proxy allows you to distribute sensitive payment data freely across PCI-compliant endpoints (Receivers). In order to ensure that you only share payment data with compliant and trustworthy Receivers, we can help you to validate the compliance status of the respectively third-party Receiver to ensure continued protection of your customers' payment data.

PCI DSS Compliance for merchants and third-parties is usually defined in terms of levels. Each of these levels vary slightly according to the card schemes and is quoted in transactions per year. A summary of Level 1 and Level 2 Service Providers is given here.

SchemeLevel 1 DefinitionLevel 2 DefinitionSource
VisaOver 6 million Visa transactions1 to 6 million transactionshttps://usa.visa.com/support/small-business/security-compliance.html
MastercardOver 6 million Mastercard and Maestro transactions1 to 6 million transactionshttps://www.mastercard.us/en-us/business/overview/safety-and-security/security-recommendations/site-data-protection-PCI/merchants-need-to-know.html
American ExpressOver 2.5 million American Express transactions50,000 to 2.5 million transactionshttps://www.americanexpress.com/us/merchant/us-data-security.html
DiscoverOver 6 million Discover transactions1 to 6 million transactionshttps://www.discoverglobalnetwork.com/solutions/pci-compliance/identify-merchant-level/

Validation for Level 1 Service Providers


Level 1 Service Providers must complete an annual On-site Assessment conducted by a PCI SSC certified Qualified Security Assessor (QSA) or Internal Security Assessor (ISA).

For each third-party you engage with to send or receive PCI sensitive data to or from, you should:

  • Request a signed copy of their AOC for On-site Assessments
  • Upload a copy to the Dashboard under the Receiver AOC section
Upload third-party AOCs on the Dashboard

Upload third-party AOCs on the Dashboard

Validation for Level 2 Service Providers


Level 2 Service Providers must complete an annual self-assessment the Self-Assessment Questionnaire D.

See below for a link to the template.

For Level 2 Service Providers, you should:

  • Request a signed copy of their AOC for Self-Assessment Questionnaire D
  • Obtain a written and signed acknowledgment about the responsibility for the security of cardholder data (PCI DSS requirements 12.8.2 and 12.9). Reach out to your Technical Account Manager at PCI Proxy for an example Letter of Acknowledgement.
  • Upload a copy of each of them to the Dashboard under the Receiver AOC section (see above)
  • For new integrations, send a copy of the AOC and Letter of Acknowledgement to [email protected].

You will be notified when your uploaded documents are approved.


Only official documents from the PCI SSC website are recognized for PCI DSS validation.

Any other documentation or form of certificate issued for the purposes of demonstrating compliance to PCI DSS or any other PCI standard are not authorized or valid and their use is not acceptable for showing compliance. The use of certificates or other non-authorized documentation to validate PCI DSS Requirement 12.8 and/or 12.9 is also not acceptable.

PCI DSS Terminology

AcronymDefinitionFurther information
PCI SCCPayment Card Industry Security Standards CouncilPCI Security Standards
PCI DSSPayment Card Industry Data Security StandardDownload the latest standard
AOCAttestation of ComplianceDownload the latest template for service providers
SAQ-DSelf-Assessment Questionnaire type D. A reporting tool used to document self-assessment results from an entity's PCI DSS assessment.Download the latest template for service providers
QSAQualified Security Assessor. QSAs are qualified by PCI SSC to perform PCI DSS on-site assessments.Search for a QSA
ISAInternal Security Assessor. ISAs are professionals of qualifying organizations that received PCI DSS training and certifications which will improve the organization's understanding of PCI DSS.Verify an ISA employee