In additionNo. The only documentation recognized for PCI DSS validation are the official documents from the PCI SSC website. Any other form of certificate or documentation issued for the purposes of illustrating compliance to the official PCI SSC reporting forms and templates, some QSA and ASV companies provide certificates, letters orPCI DSS or any other PCI standard are not authorized or validated, and their use is not acceptable for evidencing compliance. The use of certificates or other non-authorized documentation as confirmation that an organizationto validate PCI DSS Requirement 12.8 and/or Requirement 12.9 is PCI DSS compliant. The PCI SSC doesalso not prevent QSAs or ASVs from producing this type of documentation, as it is considered an additional service which the assessor company may elect to provide and is therefore outside of the purview of the Council. However, in accordance with the ethical requirements for QSA and ASV companies, any such certificates, letters and other documentation must be accurate and not be in any way misleading. Additionally, these certificates, letters and other documentation should be clearly identified as supplemental materials provided by the QSA or ASV; these materials are not endorsed by the PCI SSC, nor should they be considered replacements for the official PCI SSC templates and forms which have been approved by the payment brands.acceptable.
The PCI SSC website containsis the only source of official reporting templates and forms which have beenthat are approved and accepted by all payment brands, including ROCbrands. These include Report on Compliance (ROC) templates, Attestations of Compliance,Compliance (AOC), Self-Assessment Questionnaires,Questionnaires (SAQ), and Attestations of Scan Compliance for ASV scans. Compliance validation and reporting requirementsOnly these official documents and forms are determined by the individual payment card brands and, irrespective of whetheracceptable for the purposes of compliance validation.
Because certificates and other non-authorized documentation are not officially recognized, entities that receive these documents to indicate their own compliance (for example, from a QSA or ASV) or another entity?s compliance (for example, from a service provider) should request that official PCI SSC documentation be provided. Any organization issuing, providing, or using certificates as an organization is performing a self-assessment or has an onsite review completed by a QSA company, acceptance of a validation method outside of those listed on the Council website is ultimately upindication of compliance must also be able to the entity accepting the validation (that is, the acquiring bank or payment card brand). In many cases, certificates, letters or other documentation issued by QSA or ASV companies outside ofprovide the official PCI SSC templates may not be accepted by acquiring banks or payment card brands. Organizations should check with their acquirer or the payment brands directly to determine their compliance reporting requirements, including whether the submission of such certificates is acceptable.documents.
