Application Hosting Service Providers
echain
05-29-2007, 05:25 AM
What type of documentation do we need to get from our 3rd party service providers (e-commerce web-application hosting) around compliance with PCI? Somewhere I heard that a simple letter (option a) from them stating they comply with PCI DSS is enough, but I find it hard to believe. Should they get their own annual report on compliance and quarterly scans (option b), or should we do an audit on them for compliance and include them in our quarterly scans (option c)? Any other options? Which is the correct one? How is this typically done? Can someone who's done it before shed some light on this?
Thanks much...
secguy
05-29-2007, 09:17 AM
I would like to know what level the 3rd party would have to be if the merchant is supposed to be PCI DSS L1?
jbhall56
05-29-2007, 10:48 AM
Regarding the question about what merchant level a third party would be: it depends on the merchant and has nothing to do with the third party. If the merchant in question is level 1, then any third party that processes and/or stores cardholder data for the merchant in question is also at level 1 for only that merchant. You have to apply this assessment individually to each merchant that is processed by the third party.
Now, back to the original question regarding documentation for application hosting service providers. Under the PCI Security Audit Procedures (PCI SAP) v1.1, you are required to fill out Appendix A, which comprises 8 tests for which you must gather supporting documentation from the ASP showing their compliance. Do that and you should be okay.
However, where this gets tricky is that some ASPs are also acting as a merchant's managed security provider or providing other services that are covered under the PCI DSS. In those cases, the lines blur as you will have to audit the ASP for those areas where they are providing services covered by the PCI DSS.