What is a Certificate of Compliance?


BrianR
03-11-2009, 12:01 PM
Can someone explain what a "Certificate of Compliance" represents? I just reviewed a certificate from a QSA that states the vendor "as of xxxxxx xx, 2008 has satisfactorily met the requirements of PCI DSS". Is this the type of documentation a QSA would bestow when they have done a review of a level one merchant? I thought it was amusing that the certificate states it is only valid for no more than 90 days from the date of the certificate.

jonassono
03-11-2009, 02:45 PM
The "certificate of compliance" applies only to service providers that have engaged a QSA to perform their validation of compliance. It does not apply to merchants. In the Mastercard program the certificate is referred to as "Certificate of Validation". Your reference to vendor must have been to a service provider and not a merchant.

With respect to the 90 day validity period, this again would be up to the QSA based on their audit of the service provider. As a rule, service providers are required to re-validate their compliance annually or immediately following a security incident where, for example, cardholder information may have been compromised.

I would assume the 90 day validity period was set as a result of a non-compliance issue discovered during the QSA compliance audit and the service provider was given 90 days of grace to perform the remediation and have the issue revisited to ensure compliance.

QSAs do not validate merchant compliance, nor do they issue any "Certificates" to merchants. Merchant validation is up to the acquirer or payment brand, and in those cases where a QSA was involved in performing the validation process, it would be based on the QSA's Report on Compliance (ROC).

jbhall56
03-11-2009, 08:30 PM
Visa CORAs and MasterCard COVs are issued by QSAs to merchants as well as to Service Providers. Discover has their own version of these, but it slips my mind at the moment as to what they call their form (Attestation of Compliance). Merchant CORAs and COVs can also be required to be used for merchants filing Self Assessment Questionnaires (SAQ). As I recall, there are two different versions, one for merchants and one for service providers. The CORA/COV are used more as transmittal documents or cover letters by the acquirers and card brands so that they can focus on those organizations that are not compliant.

If the Report on Compliance (ROC) or SAQ are not accepted by the acquirer or the card brand for whatever reason, then the CORA/COV are moot.

All a CORA or COV indicate is that the recipient has complied with the compliance process and has either been judged compliant or not compliant. However, you would need to see their ROC or SAQ to determine how much of the compliance process actually applied to the organization and where, if any, they were judged not compliant.

For example, Iron Mountain is judged to be PCI compliant; however, all they do is store cardholder data, typically on tapes or other removable media. Their ROC covers physical security, environmental controls and how they manage backup media. It does not cover things like encryption of cardholder data, how they manage their firewalls and routers, etc., because those are not applicable to what they do related to PCI compliance. If you didn't read their ROC, you would never know how much it actually covers and where your ROC/SAQ needs to pick up.

BrianR
03-12-2009, 05:09 AM
First, thank you OJ and Jeff for your assistance. I was not sure if the Certificate of Compliance validated a ROC. In our case a vendor who is contracted to do business on our campus presented the certificates as evidence of PCI DSS compliance. Since they operate with their own merchant number and not one of ours, I deduce they are not considered a "Service Provider" to the contracting entity (us). If they are not deemed a SP, I would also assume we would be better served looking at their ROC or getting an official document attesting to their compliance vs. these certificates, which are already past the 90-day period of validation the QSA placed on them.

jonassono
03-12-2009, 11:32 AM
My mistake - arrgghhh the taste of crow!!

One of my U.S. colleagues kindly advised me that QSAs may issue a specially worded Certificate of Compliance to Level 1 merchants where the QSA has carried out all of the audit and remediation work and received positive confirmation of acceptance of their ROC from the acquirer.

I have no experience with a Level 1 merchant's requirement for an onsite audit by a QSA or the other situation where the QSA has carried out all of the audit and remediation work and completed the passing SAQ on behalf of the merchant - reportedly, the only other time a QSA will issue a COC to a merchant. Perfectly understandable.

As a result, I have never seen a merchant COC here in Canada.

In my current project, we are doing our own SAQ D and AOC and I guess that means we won't be receiving a COC from anyone.

Pity, after all this blood, sweat and tears, all we get is to continue to process student credit card transactions to settle their financial obligations to the U.

jbhall56
03-14-2009, 08:28 AM
I was not sure if the Certificate of Compliance validated a ROC.

Just to be clear, a CORA/COV are just a summary of whether or not the organization in question has been judged PCI compliant. What you appear to have is some sort of document issued by the organization's QSA and not a CORA or COV.

In our case a vendor who is contracted to do business on our campus presented the certificates as evidence of PCI DSS compliance. Since they operate with their own merchant number and not one of ours I deduce they are not considered a "Service Provider" to the contracting entity (us).

They are only a service provider if you are routing your transactions through them. Based on your description, I'm not certain as to what their relationship is to your organization.

If they are not deemed a SP, I would also assume we would be better served looking at their ROC or getting an official document attesting to their compliance vs. these certificates, which are already past the 90-day period of validation the QSA placed on them.

It's up to your organization as to whether or not to accept the 'Certificate of Compliance' as documentation that this organization is PCI compliant. If you are not comfortable with that document, get a copy of their CORA/COV that they submitted to Visa/MasterCard.

If they really are a service provider and they are registered as a service provider with Visa, they will be listed on Visa's Web site as a PCI compliant service provider.

I went back and looked at the CORA and COV forms that I have from Visa, MasterCard and Discover for both merchants and service providers and cannot find any 90 day limitation reference. So, what you have in a 'Certificate of Compliance' is not an 'official' form from any card brand.