Continuing our campaign for the good use of terms in the ICP field, this time we analyse the use of the concept of "certification" and the issuance of certificates or diplomas after the formal evaluation, in order to avoid conceptual errors that could lead to misinterpretation of the results of the compliance process.

It is a very common and widespread practice among companies offering QSA services (QSA Companies – QSAC) issuing a own certificate (or "diploma") confirming that the trade or advised/assessed service provider complies with the PCI DSS standard controls upon completion of the self-assessment questionnaire (SAQ) or annual PCI DSS compliance assessment.

On the other hand, it is also common to see how merchants and service providers use PCI SSC logos (including custom or tailored logos) on their websites, email feet or in official documentation as "evidence" of their compliance with the standard:

However, is this practice valid? Can compliance with PCI DSS (or any other PCI SSC standard) be demonstrated through these actions?

‘Compliance assessment’ or ‘certification’?

The use of erroneous terms in the environment of PCI SSC standards was already discussed in PCI Hispano in the article.It is not said: "PCI DSS Audit". It should read: ‘PCI DSS Compliance Assessment’‘. However, many companies still use the term ‘certification’ to refer to a PCI DSS compliance assessment (‘PCI DSS certification’).

In that sense, it is important to clarify that compliance with the PCI DSS standard is not "certifiable". To assess whether the standard’s controls are satisfactorily implemented, a ‘compliance assessment’ is carried out, resulting in the generation of three main documents: RoC or SAQ and their respective AoCs.

Depending on the type of evaluation, the findings can be described in two additional documents:

  • Report on Compliance (RoC): The "Compliance Report" or RoC is a report that contains specific and confidential details about the entire evaluation process, including asset information, interviewee information, list of documents and evidence reviewed, IP address data and network diagrams, as well as the results (findings) of the review by each of the controls. For this reason, this document is confidential and can be shared upon express request, being advisable to sign a confidentiality agreement before proceeding.
  • Self-Assessment Questionnaire (SAQ): The "Self-Assessment Questionnaire" or SAQ is a document in which those designated entities can report the status of each of the PCI DSS standard controls that apply to them. This document is not usually as detailed as a RoC, since its creation does not require the express intervention of a Qualified Security Adviser (Qualified Security Assessor – QSA).

Likewise, each RoC/SAQQ must have its related AoC:

  • Attestation of Compliance (AoC) – This document contains general information about the assessed entity, including its data, scope environment, supplier information, details of the entity that carried out the assessment (if applicable), outcome of the assessment (compliant/non-compliant), signatures of those responsible and action plans in case of non-compliance. This document can be shared with third parties to demonstrate the state of alignment with the standard.

The evaluation process is not a "certification", since upon completion, a certificate or diploma is not officially received.

What the PCI SSC says about the use of certificates of compliance or diplomas

Since the release of the first versions of PCI DSS, the PCI SSC has been emphatic in clarifying that the use of certificates of compliance or any other unofficial documentation issued unilaterally by QSAC companies to demonstrate alignment with the standard is not acceptable as evidence of compliance. Following the same line, such certificates cannot be used to demonstrate compliance with requirements 12.8 and 12.9 related to the management of service providers.

According to this, it can be concluded that the use of certificates is a merely symbolic action, with no effective value to demonstrate compliance with PCI DSS.

More information in the FAQ #1220: Are compliance certificates registered for PCI DSS validation?

What the PCI SSC says about the use of logos

On the other hand, the use of any type of logo or image to demonstrate compliance with PCI DSS is also prohibited by the PCI SSC. In fact, the PCI SSC logo is a registered trademark and cannot be used without authorization.

More information in the FAQ #1325: Does PCI SSC provide a “PCI DSS Compliant” logo?

How to check if a merchant or service provider is PCI DSS compliant?

Because of these restrictions, the only valid options for checking whether an organization is PCI DSS compliant are listed below:

In the case of shops (merchants):

  • In the case of level 1 merchants, compliance with PCI DSS must be demonstrated exclusively through the ‘compliance report’ document (Report on ComplianceRoC) and/or its declaration of compliance (Attestation of Compliance – AoC) related.
  • In the case of level 2, 3 or 4 shops, compliance with PCI DSS must be demonstrated exclusively through the self-assessment questionnaire (self-assessment questionnaireSAQ) and/or its related AoC.

It is important to clarify that neither the brands nor the PCI SSC maintain a public list of businesses that comply with PCI DSS.

For service providers:

  • In the case of service providers of Level 1, compliance with PCI DSS must be demonstrated exclusively through the ‘compliance report’ document (Report on Compliance – RoC) and/or its related AoC.
  • Complementary to this, PCI DSS compliance of Tier 1 service providers can also be found in the lists regularly published by VISA and MasterCard:
  • In the case of level 2, 3 and 4 service providers and other entities that have been defined by the brands, compliance with PCI DSS must be strictly validated through the SAQ and/or the related AoC.

What if an entity refuses to provide its RoC/SAQ/AoC?

As a general rule, any company that complies with PCI DSS controls must have available its RoC (in the case of a formal on-site compliance assessment) or its SAQ and its related AoCs to be shared with any entity that requests them.

If the service provider refuses to provide evidence of its compliance with PCI DSS or does not appear on the brands' lists (if it is a Tier 1 provider), then you are facing a case of negligence. If this situation occurs, the vendor will not comply with the requirements of controls 12.8 and 12.9 and must be immediately removed from the PCI DSS compliance environment.

More information in the following links:

Therefore, it is good practice that contracts with service providers or retailers include contractual clauses that allow these documents to be requested on a discretionary basis by the entity that contracts them.

Posted by David Acosta

Qualified Security Assessor (QSA) for PCI DSS, PCI PIN, PCI 3DS, P2PE and PCI TSP. CISSP, CISA, CISM, CRISC, C|EH, C|HFI.

Leave to Reply