Receiver PCI DSS compliance validation

The Payment Card Industry Data Security Standard is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. The PCI DSS applies to any organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data, such as payment processors, acquirers, issuers, and service providers.

PCI Proxy’s Forward API allows you to distribute and share credit card data freely across PCI compliant level 1 and level 2 third-party service providers (Receivers). In order to ensure that you only share credit card data with compliant and trustworthy receivers, we have to validate the compliance status of the respectively third-party receiver to ensure continued protection of your customers credit card data.

PCI DSS Level 1 Service Provider (Onsite-Assessment)
PCI DSS Level 2 Service Provider (Self-Assessment)
PCI DSS Level 1 Service Provider (Onsite-Assessment)

Stores, processes, or transmits more than 300,000 credit card transactions annually

PCI DSS Level 2 Service Provider (Self-Assessment)

Stores, processes, or transmits less than 300,000 credit card transactions annually

Validation for Level 1 Service Providers (onsite-assessment)

All Level 1 third party receiver must complete an annual onsite assessment conducted by a PCI SSC certified Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). Therefore, please obtain the document stated below:

1) Request a signed copy of the Attestation of Compliance (AOC) for onsite assessments.

2) Provide a copy of the AOC to contact@pci-proxy.com

3) You will be notified once the AOC is approved.

Validation for Level 2 Service Providers (self-assessment)

All Level 2 third party receiver must complete an annual self-assessment with Self-Assessment Questionnaire D. Therefore, please obtain the documents stated below:

1) Request a signed copy of the Attestation of Compliance (AOC) for Self-Assessment Questionnaire D Service Provider

2) To obtain an additional measure of assurance, obtain a written and signed acknowledgement about the responsibility for the security of cardholder data with your third party receiver. Please contact your account manager at PCI Proxy for an example Letter of Acknowledgment (PCI DSS requirement 12.8.2 and 12.9).

3) Provide a copy of all documents to contact@pci-proxy.com

4) You will be notified once the AOC is approved.

Please note that the only documentation recognized for PCI DSS validation are the official documents from the PCI SSC website. Any other form of certificate or documentation issued for the purposes of illustrating compliance to PCI DSS or any other PCI standard are not authorized or validated, and their use is not acceptable for evidencing compliance. The use of certificates or other non-authorized documentation to validate PCI DSS Requirement 12.8 and/or Requirement 12.9 is also not acceptable.

PCI DSS Glossary

Acronym

Definition

Further information

PCI SSC

Payment Card Industry Security Standards Council

PCI Security Standards

PCI DSS

Payment Card Industry Data Security Standard

PCI DSS v3.2.1

AOC

Attestation of Compliance

AOC for onsite assessments: AOC-ServiceProviders.docx

SAQ-D

Self-Assessment Questionnaire type D -

Reporting tool used to document self-assessment results from an entity’s PCI DSS assessment.

Self Assessment Questionnaire - D

QSA

Qualified Security Assessor -

QSAs are qualified by PCI SSC to perform PCI DSS on-site assessments.

Search for a Qualified Security Assessor

ISA

Internal Security Assessor - professionals of qualifying organizations which received PCI DSS training and certification that will improve the organization's understanding of the PCI DSS

Verify an ISA Employee