Ask a QSA


‘Ask a QSA’ has received the question below, which we feel will resonate with some of our clients. Seasoned QSA Natasja Bolton stepped up to the challenge.


One of our merchants has provided their Attestation of Compliance (AOC) as a Service Provider. Can we accept that AOC as covering their merchant compliance too?


Natasja Bolton, Acquirer Support Manager


It is unlikely that the cardholder data environment (CDE) and cardholder data handling/processing activities are the same for the organisation’s merchant activities as they are for their service provider activities.  The organisation’s service provider compliance assessment and AOC may not cover their merchant payment processing scope and cardholder data handling/processing activities.





Consider an ecommerce hosting provider or payment gateway provider, with very specific services and activities provided to and managed on behalf of merchants included in the scope of their Service Provider compliance assessment. That service provider may also accept card payments from their customers paying for provision of those services. 


The merchant assessment scope and CDE may be entirely separate from the Service Provider assessment scope and CDE. 


For example, the assessed Service Provider CDE may be a segmented network environment hosted at an external data centre, with the assessment scope including those teams and processes involved in operating and supporting that environment, whereas customer card payments are taken by the organisation’s customer service team, using corporate PCs accessing a Virtual Terminal.


As the scope of assessment for service provider activities is different to the scope of assessment for merchant activities, the organisation should separately assess the compliance for their merchant card data handling activities and processes.


Even where the CDE and associated card data handling people, processes, premises and activities are the same, and hence the requirements in scope for assessment are the same, the organisation should still complete a separate Attestation of Compliance as a merchant.


The organisation should explicitly declare their compliance as a merchant for the merchant business and payment channels recorded in the merchant AOC.  Using the previous example again, the ecommerce hosting provider or payment gateway provider may use their own in-scope service provider infrastructure to offer an online payment gateway for their own customers to pay them for the services provided. 


In that case, the merchant AOC might describe in Part 2c (Locations), Part 2d (Payment Application) and Part 2e (Description of Environment) the same scope as in their Service Provider AOC, but other sections of the AOC would be specific to those merchant card payment acceptance activities, including Part 2a (Type of Merchant Business) and Part 2b (Description of Payment Card Business). 


A Service Provider AOC has no space to record the merchant business; it covers only the assessment of services.

