Payment Card Industry

Data Security Standard

Attestation of Compliance for Report

on Compliance – Service Providers
Version 4.0.1
Publication Date: August 2024
PCI DSS v4.0.1 Attestation of Compliance for Report on
Compliance – Service Providers

Entity Name:

Date of Report as noted in the Report on Compliance:

Date Assessment Ended:

PCI DSS v4.0.1 Attestation of Compliance for Report on Compliance - Service Providers August 2024
© 2006−2024 PCI Security Standards Council, LLC. All rights reserved. Page i
Section 1: Assessment Information
Instructions for Submission
This Attestation of Compliance (AOC) must be completed as a declaration of the results of the service provider’s
assessment against the Payment Card Industry Data Security Standard (PCI DSS) Requirements and Testing
Procedures (“Assessment”). Complete all sections. The service provider is responsible for ensuring that each section
is completed by the relevant parties, as applicable. Contact the entity(ies) to which this AOC will be submitted for
reporting and submission procedures.
This AOC reflects the results documented in an associated Report on Compliance (ROC). Associated ROC sections
are noted in each AOC Part/Section below.
Capitalized terms used but not otherwise defined in this document have the meanings set forth in the PCI DSS
Report on Compliance Template.

Part 1. Contact Information

Part 1a. Assessed Entity
(ROC Section 1.1)
Company name:

DBA (doing business as):

Company mailing address:

Company main website:

Company contact name:

Company contact title:

Contact phone number:

Contact e-mail address:

Part 1b. Assessor

(ROC Section 1.1)
Provide the following information for all assessors involved in the Assessment. If there was no assessor for a given
assessor type, enter Not Applicable.

PCI SSC Internal Security Assessor(s)

ISA name(s):

Qualified Security Assessor

Company name:

Company mailing address:

Company website:

Lead Assessor name:

Assessor phone number:

Assessor e-mail address:

Assessor certificate number:

PCI DSS v4.0.1 Attestation of Compliance for Report on Compliance − Service Providers August 2024
© 2006−2024 PCI Security Standards Council, LLC. All rights reserved. Page 1
 Part 2. Executive Summary

Part 2a. Scope Verification

Services that were INCLUDED in the scope of the Assessment (select all that apply):

Name of service(s) assessed:

Type of service(s) assessed:

Hosting Provider: Managed Services: Payment Processing:

Applications / software Systems security services POI / card present
Hardware IT support Internet / e-commerce
Infrastructure / Network Physical security MOTO / Call Center
Physical space (co-location) Terminal Management System ATM
Storage Other services (specify): Other processing (specify):
Web-hosting services
Security services
3-D Secure Hosting Provider
Multi-Tenant Service Provider
Other Hosting (specify):

Account Management Fraud and Chargeback Payment Gateway/Switch

Back-Office Services Issuer Processing Prepaid Services

Billing Management Loyalty Programs Records Management

Clearing and Settlement Merchant Services Tax/Government Payments

Network Provider

Others (specify):

Note: These categories are provided for assistance only and are not intended to limit or predetermine an entity’s
service description. If these categories do not apply to the assessed service, complete “Others.” If it is not clear
whether a category could apply to the assessed service, consult with the entity(ies) to which this AOC will be
submitted.

PCI DSS v4.0.1 Attestation of Compliance for Report on Compliance − Service Providers August 2024
© 2006−2024 PCI Security Standards Council, LLC. All rights reserved. Page 2
 Part 2. Executive Summary (continued)

Part 2a. Scope Verification (continued)

Services that are provided by the service provider but were NOT INCLUDED in the scope of the
Assessment (select all that apply):

Name of service(s) not assessed:

Type of service(s) not assessed:

Hosting Provider: Managed Services: Payment Processing:

Applications / software Systems security services POI / card present
Hardware IT support Internet / e-commerce
Infrastructure / Network Physical security MOTO / Call Center
Physical space (co-location) Terminal Management System ATM
Storage Other services (specify): Other processing (specify):
Web-hosting services
Security services
3-D Secure Hosting Provider
Multi-Tenant Service Provider
Other Hosting (specify):

Account Management Fraud and Chargeback Payment Gateway/Switch

Back-Office Services Issuer Processing Prepaid Services

Billing Management Loyalty Programs Records Management

Clearing and Settlement Merchant Services Tax/Government Payments

Network Provider

Others (specify):

Provide a brief explanation why any checked services

were not included in the Assessment:

Part 2b. Description of Role with Payment Cards

(ROC Sections 2.1 and 3.1)

Describe how the business stores, processes, and/or

transmits account data.

Describe how the business is otherwise involved in or

has the ability to impact the security of its customers’
account data.

Describe system components that could impact the

security of account data.

PCI DSS v4.0.1 Attestation of Compliance for Report on Compliance − Service Providers August 2024
© 2006−2024 PCI Security Standards Council, LLC. All rights reserved. Page 3
 Part 2. Executive Summary (continued)

Part 2c. Description of Payment Card Environment

Provide a high-level description of the environment covered by
this Assessment.
For example:
• Connections into and out of the cardholder data
environment (CDE).
• Critical system components within the CDE, such as POI
devices, databases, web servers, etc., and any other
necessary payment components, as applicable.
• System components that could impact the security of
account data.

Indicate whether the environment includes segmentation to reduce the scope of the Yes No
Assessment.
(Refer to the “Segmentation” section of PCI DSS for guidance on segmentation)

Part 2d. In-Scope Locations/Facilities

(ROC Section 4.6)

List all types of physical locations/facilities (for example, corporate offices, data centers, call centers and mail
rooms) in scope for this Assessment.

Total Number of
Locations Location(s) of Facility
Facility Type
(How many locations of (city, country)
this type are in scope)

Example: Data centers 3 Boston, MA, USA

PCI DSS v4.0.1 Attestation of Compliance for Report on Compliance − Service Providers August 2024
© 2006−2024 PCI Security Standards Council, LLC. All rights reserved. Page 4
 Part 2. Executive Summary (continued)

Part 2e. PCI SSC Validated Products and Solutions

(ROC Section 3.3)

Does the entity use any item identified on any PCI SSC Lists of Validated Products and Solutions ♦?
Yes No

Provide the following information regarding each item the entity uses from PCI SSC's Lists of Validated
Products and Solutions:

Name of PCI SSC Version of PCI SSC Standard to PCI SSC Listing
Expiry Date of
validated Product or Product or which Product or Reference
Listing
Solution Solution Solution Was Validated Number

YYYY-MM-DD

YYYY-MM-DD

YYYY-MM-DD

YYYY-MM-DD

YYYY-MM-DD

YYYY-MM-DD

* For purposes of this document, ”Lists of Validated Products and Solutions” means the lists of validated products, solutions,
and/or components, appearing on the PCI SSC website (www.pcisecuritystandards.org) (for example, 3DS Software
Development Kits, Approved PTS Devices, Validated Payment Software, Point to Point Encryption (P2PE) solutions,
Software-Based PIN Entry on COTS (SPoC) solutions, Contactless Payments on COTS (CPoC) solutions), and Mobile
Payments on COTS (MPoC) products.

PCI DSS v4.0.1 Attestation of Compliance for Report on Compliance − Service Providers August 2024
© 2006−2024 PCI Security Standards Council, LLC. All rights reserved. Page 5
 Part 2. Executive Summary (continued)
Part 2f. Third-Party Service Providers
(ROC Section 4.4)

For the services being validated, does the entity have relationships with one or more third-party service providers
that:

• Store, process, or transmit account data on the entity’s behalf (for example, payment Yes No
gateways, payment processors, payment service providers (PSPs, and off-site storage))

• Manage system components included in the entity’s Assessment (for example, via Yes No
network security control services, anti-malware services, security incident and event
management (SIEM), contact and call centers, web-hosting companies, and IaaS, PaaS,
SaaS, and FaaS cloud providers)

• Could impact the security of the entity’s CDE (for example, vendors providing support via Yes No
remote access, and/or bespoke software developers).

If Yes:

Name of Service Provider: Description of Services Provided:

Note: Requirement 12.8 applies to all entities in this list.

PCI DSS v4.0.1 Attestation of Compliance for Report on Compliance − Service Providers August 2024
© 2006−2024 PCI Security Standards Council, LLC. All rights reserved. Page 6
 Part 2. Executive Summary (continued)

Part 2g. Summary of Assessment (ROC Section 1.8.1)

Indicate below all responses provided within each principal PCI DSS requirement.
For all requirements identified as either “Not Applicable” or “Not Tested,” complete the “Justification
for Approach” table below.
Note: One table to be completed for each service covered by this AOC. Additional copies of this
section are available on the PCI SSC website.

Name of Service Assessed:

Requirement Finding
Select If a
PCI DSS More than one response may be selected for a given requirement. Compensating
Requirement Indicate all responses that apply. Control(s) Was
Used
In Place Not Applicable Not Tested Not in Place

Requirement 1:

Requirement 2:

Requirement 3:

Requirement 4:

Requirement 5:

Requirement 6:

Requirement 7:

Requirement 8:

Requirement 9:

Requirement 10:

Requirement 11:

Requirement 12:

Appendix A1:

Appendix A2:

Justification for Approach

For any Not Applicable responses, identify which sub-
requirements were not applicable and the reason.

For any Not Tested responses, identify which sub-

requirements were not tested and the reason.

PCI DSS v4.0.1 Attestation of Compliance for Report on Compliance − Service Providers August 2024
© 2006−2024 PCI Security Standards Council, LLC. All rights reserved. Page 7
Section 2 Report on Compliance

(ROC Sections 1.2 and 1.3)

Date Assessment began: YYYY-MM-DD

Note: This is the first date that evidence was gathered, or observations were made.

Date Assessment ended: YYYY-MM-DD

Note: This is the last date that evidence was gathered, or observations were made.

Were any requirements in the ROC unable to be met due to a legal constraint? Yes No

Were any testing activities performed remotely? Yes No

PCI DSS v4.0.1 Attestation of Compliance for Report on Compliance − Service Providers August 2024
© 2006−2024 PCI Security Standards Council, LLC. All rights reserved. Page 8
Section 3 Validation and Attestation Details

Part 3. PCI DSS Validation (ROC Section 1.7)

This AOC is based on results noted in the ROC dated (Date of Report as noted in the ROC YYYY-MM-
DD).
Indicate below whether a full or partial PCI DSS assessment was completed:
Full Assessment – All requirements have been assessed and therefore no requirements were marked
as Not Tested in the ROC.
Partial Assessment – One or more requirements have not been assessed and were therefore marked
as Not Tested in the ROC. Any requirement not assessed is noted as Not Tested in Part 2g above.

Based on the results documented in the ROC noted above, each signatory identified in any of Parts 3b-3d,
as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document
(select one):

Compliant: All sections of the PCI DSS ROC are complete, and all assessed requirements are
marked as being either In Place or Not Applicable, resulting in an overall COMPLIANT rating; thereby
(Service Provider Company Name) has demonstrated compliance with all PCI DSS requirements
except those noted as Not Tested above.

Non-Compliant: Not all sections of the PCI DSS ROC are complete, or one or more requirements are
marked as Not in Place, resulting in an overall NON-COMPLIANT rating; thereby (Service Provider
Company Name) has not demonstrated compliance with PCI DSS requirements.
Target Date for Compliance: YYYY-MM-DD
An entity submitting this form with a Non-Compliant status may be required to complete the Action
Plan in Part 4 of this document. Confirm with the entity to which this AOC will be submitted before
completing Part 4.

Compliant but with Legal exception: One or more assessed requirements in the ROC are marked
as Not in Place due to a legal restriction that prevents the requirement from being met and all other
assessed requirements are marked as being either In Place or Not Applicable, resulting in an overall
COMPLIANT BUT WITH LEGAL EXCEPTION rating; thereby (Service Provider Company Name) has
demonstrated compliance with all PCI DSS requirements except those noted as Not Tested above or
as Not in Place due to a legal restriction.
This option requires additional review from the entity to which this AOC will be submitted.
If selected, complete the following:

Details of how legal constraint prevents

Affected Requirement
requirement from being met

PCI DSS v4.0.1 Attestation of Compliance for Report on Compliance − Service Providers August 2024
© 2006−2024 PCI Security Standards Council, LLC. All rights reserved. Page 9
 Part 3. PCI DSS Validation (continued)

Part 3a. Service Provider Acknowledgement

Signatory(s) confirms:
(Select all that apply)

The ROC was completed according to PCI DSS, Version 4.0.1 and was completed according to the
instructions therein.

All information within the above-referenced ROC and in this attestation fairly represents the results of the
Assessment in all material respects.

PCI DSS controls will be maintained at all times, as applicable to the entity’s environment.

Part 3b. Service Provider Attestation

Signature of Service Provider Executive Officer  Date: YYYY-MM-DD

Service Provider Executive Officer Name: Title:

Part 3c. Qualified Security Assessor (QSA) Acknowledgement

If a QSA was involved or assisted with this QSA performed testing procedures.
Assessment, indicate the role performed:
QSA provided other assistance.
If selected, describe all role(s) performed:

Signature of Lead QSA  Date: YYYY-MM-DD

Lead QSA Name:

Signature of Duly Authorized Officer of QSA Company  Date: YYYY-MM-DD

Duly Authorized Officer Name: QSA Company:

Part 3d. PCI SSC Internal Security Assessor (ISA) Involvement

If an ISA(s) was involved or assisted with this ISA(s) performed testing procedures.
Assessment, indicate the role performed:
ISA(s) provided other assistance.
If selected, describe all role(s) performed:

PCI DSS v4.0.1 Attestation of Compliance for Report on Compliance − Service Providers August 2024
© 2006−2024 PCI Security Standards Council, LLC. All rights reserved. Page 10
 Part 4. Action Plan for Non-Compliant Requirements
Only complete Part 4 upon request of the entity to which this AOC will be submitted, and only if the Assessment
has Non-Compliant results noted in Section 3.
If asked to complete this section, select the appropriate response for “Compliant to PCI DSS Requirements” for
each requirement below. For any “No” responses, include the date the entity expects to be compliant with the
requirement and provide a brief description of the actions being taken to meet the requirement.

Compliant to PCI Remediation Date and

DSS Requirements Actions
PCI DSS
Description of Requirement (Select One) (If “NO” selected for any
Requirement
Requirement)
YES NO
Install and maintain network security
1
controls

Apply secure configurations to all system

2
components

3 Protect stored account data

Protect cardholder data with strong

4 cryptography during transmission over
open, public networks

Protect all systems and networks from

5
malicious software

Develop and maintain secure systems and

6
software

Restrict access to system components and

7
cardholder data by business need to know

Identify users and authenticate access to

8
system components

9 Restrict physical access to cardholder data

Log and monitor all access to system

10
components and cardholder data

Test security systems and networks

11
regularly

Support information security with

12
organizational policies and programs

Additional PCI DSS Requirements for Multi-

Appendix A1
Tenant Service Providers

Additional PCI DSS Requirements for

Appendix A2 Entities using SSL/early TLS for Card-
Present POS POI Terminal Connections

Note: The PCI Security Standards Council is a global standards body that provides resources for payment security
professionals developed collaboratively with our stakeholder community. Our materials are accepted in numerous
compliance programs worldwide. Please check with your individual compliance accepting organization to ensure that this
form is acceptable in their program. For more information about PCI SSC and our stakeholder community please visit:
https://www.pcisecuritystandards.org/about_us/

PCI DSS v4.0.1 Attestation of Compliance for Report on Compliance − Service Providers August 2024
© 2006−2024 PCI Security Standards Council, LLC. All rights reserved. Page 11