What Are My Reporting Requirements?
As a service provider, there is a much more limited set of reports that can be used to attest to PCI compliance. Service providers must use either:
- SAQ D (Service Provider)
- Report on Compliance with Service Provider AoC
While some controls may not apply if you do not store cardholder data, you cannot leverage the same scope-reduction controls that merchants use.
One new approach in PCI DSS v4.0 is the concept of a “partial assessment”, which service providers may use to test a subset of controls and report the remainder as “Not Tested”. The ROC Template suggests that this could be appropriate where:
“A service provider organisation might offer a service that covers only a limited number of PCI DSS requirements – for example, a physical storage provider may want only to validate the physical security controls per PCI DSS Requirement 9 for their storage facility.” – p. xii, PCI DSS v4.0 ROC Template Instructions
While a partial assessment can demonstrate compliance, it is important to ensure that you have clearly defined which requirements are:
- Your responsibility
- Your customers’ responsibility
- A shared responsibility between yourselves and your customers
If you are not clear on these responsibilities, there is a risk that your customers will expect you to be responsible for something you are not.
You can read more about reporting requirements here.