‘Ask a QSA’ has received the question below, which we feel will resonate with some of our clients. Seasoned QSA Natasja Bolton stepped up to the challenge.
One of our merchants has provided their Attestation of Compliance (AOC) as a Service Provider. Can we accept that AOC as covering their merchant compliance too?
Natasja Bolton, Acquirer Support Manager
It is unlikely that the cardholder data environment (CDE) and cardholder data handling/processing activities are the same for the organisation’s merchant activities as they are for their service provider activities. The organisation’s service provider compliance assessment and AOC may not cover their merchant payment processing scope and cardholder data handling/processing activities.
Consider an ecommerce hosting provider or payment gateway provider, with very specific services and activities provided to and managed on behalf of merchants included in the scope of their Service Provider compliance assessment. That service provider may also accept card payments from their customers paying for provision of those services.
The merchant assessment scope and CDE may be entirely separate from the Service Provider assessment scope and CDE.
For example, the assessed Service Provider CDE may be a segmented network environment hosted at an external data centre, with the assessment scope covering the teams and processes involved in operating and supporting that environment, whereas customer card payments are taken by the organisation’s customer service team using corporate PCs to access a virtual terminal.
As the scope of assessment for service provider activities is different to the scope of assessment for merchant activities, the organisation should separately assess the compliance for their merchant card data handling activities and processes.
Even where the CDE and the associated card data handling people, processes, premises and activities are the same, and hence the requirements in scope for assessment are the same, the organisation should still complete a separate Attestation of Compliance as a merchant.
The organisation should explicitly declare their compliance as a merchant for the merchant business and payment channels recorded in the merchant AOC. Using the previous example again, the ecommerce hosting provider or payment gateway provider may use their own in-scope service provider infrastructure to offer an online payment gateway for their own customers to pay them for the services provided.
In that case, the merchant AOC might describe in Part 2c (Locations), Part 2d (Payment Application) and Part 2e (Description of Environment) the same scope as in their Service Provider AOC, but other sections of the AOC would be specific to those merchant card payment acceptance activities, including Part 2a (Type of Merchant Business) and Part 2b (Description of Payment Card Business).
A Service Provider AOC has no space to record the merchant business; it covers only the assessment of the services provided.