FAQ #1220 Diff
What is a ?PCI DSS compliance certificate??
Earlier Version
Later Version
Removed
Added
No. The only documentation recognized for PCI DSS validation are the official form documents from the PCI SSC website. Any other form of certificate or documentation issued for the purposes of illustratingdocumenting compliance to PCI DSS or any other PCI SSC standard are not authorized or validated,validated by PCI SSC, and their use is not acceptable for evidencing compliance. The use of certificates or other non-authorized documentation to validate PCI DSScompliance with PCI DSS requirements according to PCI DSS Requirements 12.8 and/or Requirement 12.8 and/or Requirement 12.9 is also not acceptable.
Theacceptable.The PCI SSC website is the onlyofficial source offor reporting templates and forms that are approved by PCI SSC for the purposes of documenting compliance to PCI DSS or any other PCI SSC standard. These include template versions of the Report on Compliance (ROC), Attestations of Compliance (AOC), Self-Assessment Questionnaires (SAQ), and Attestations of Scan Compliance for ASV scans.Entities that receive certificates or documents that purport to indicate compliance to PCI DSS or other PCI SSC standards, which are not in the form of the above templates available from the PCI SSC website, should request that documentation be provided using the official reporting templatesPCI SSC templates. Any organization issuing, providing, or using certificates or other documents not provided by PCI SSC as an indication of compliance with PCI DSS or other PCI SSC standards must also be able to provide corresponding documentation using the official PCI SSC forms and forms that are approved and accepted by all payment brands. These include Report on Compliance (ROC) templates, Attestations of Compliance (AOC), Self-Assessment Questionnaires (SAQ), and Attestations of Scan Compliance for ASV scans. Only these official documents and forms are acceptable for the purposes of compliance validation.
Because certificates and other non-authorized documentation are not officially recognized, entities that receive these documents to indicate their own compliance (for example, from a QSA or ASV) or another entity?s compliance (for example, from a service provider) should request that official PCI SSC documentation be provided. Any organization issuing, providing, or using certificates as an indication of compliance must also be able to provide the official documents.templates.
The
Because certificates and other non-authorized documentation are not officially recognized, entities that receive these documents to indicate their own compliance (for example, from a QSA or ASV) or another entity?s compliance (for example, from a service provider) should request that official PCI SSC documentation be provided. Any organization issuing, providing, or using certificates as an indication of compliance must also be able to provide the official documents.
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.