3rd-Party Receiver Validation

PCI Proxy’s Forward API allows you to distribute and share credit card tokens freely across PCI-compliant Level 1 and Level 2 third-party service providers (Receivers). To ensure that you only share tokens with compliant and trustworthy receivers, we have to validate the compliance status of the respective third-party receiver, so that your customers' credit card data remains protected.

PCI DSS Level 1 Service Provider (Onsite-Assessment)

Stores, processes, or transmits more than 300,000 credit card transactions annually

PCI DSS Level 2 Service Provider (Self-Assessment)

Stores, processes, or transmits fewer than 300,000 credit card transactions annually

Validation for Level 1 Service Providers (onsite-assessment)

All Level 1 third-party receivers must complete an annual onsite assessment conducted by a PCI SSC certified Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). Therefore, please obtain the document stated below:

1) Request a signed copy of the Attestation of Compliance (AOC) for onsite assessments.

2) Provide a copy of the AOC to contact@pci-proxy.com

3) You will be notified once the AOC is approved.

Validation for Level 2 Service Providers (self-assessment)

All Level 2 third-party receivers must complete an annual self-assessment with Self-Assessment Questionnaire D. Therefore, please obtain the documents stated below:

1) Request a signed copy of the Attestation of Compliance (AOC) for Self-Assessment Questionnaire D.

2) As an additional measure of assurance, obtain a written and signed acknowledgement about the responsibility for the security of cardholder data with your third-party receiver. Please contact your account manager at PCI Proxy for an example Letter of Acknowledgment.

3) Provide a copy of all documents to contact@pci-proxy.com

4) You will be notified once the AOC is approved.

Please keep in mind that the only documentation recognized for PCI DSS validation is the official documentation from the PCI SSC website. Any other form of certificate or documentation issued for the purposes of illustrating compliance to PCI DSS or any other PCI standard is not authorized or validated, and its use is not acceptable for evidencing compliance. The use of certificates or other non-authorized documentation to validate PCI DSS Requirement 12.8 and/or Requirement 12.9 is also not acceptable.