I need help understanding what requirements I would need to satisfy this "Certificate of Attestation for PCI Compliance".
What is the PCI DSS Attestation of Compliance?
Your company must attest that it is complying with the Data Security Standard annually if it handles credit card data electronically. This involves delivering a package of two or three items:
1. Self Assessment Questionnaire
2. Regular network or web site scanning by an Approved Scanning Vendor (may not be required in some cases) and a Report on Compliance by a Qualified Security Assessor (only needed by the very largest companies)
3. Attestation of Compliance
There are versions of the Attestation of Compliance, just as there are 5 versions of the Self Assessment Questionnaire. If you qualify to use version A of the Questionnaire, use version A of the Attestation, etc.
I don't have a high number of transactions. The only way I plan on processing transactions is through a web portal that is completely managed by Stripe, and I don't touch any credit card data (not even to do customer sign-ups manually). So based on that, what do I fill out? This process seems like bureaucratic hell, and I need to satisfy this certification for a data partner. There are multiple versions of the forms mentioned for 1 and 3. I'm not sure if 2 is strictly necessary for my situation. Any input would be appreciated.
Good afternoon. This is an important question now because there are a lot of businesses online, and people who are going to use any product want to have a feeling of safety when they pay for it. I recommend checking the clear information about PCI DSS payment solutions on https://www.verygoodsecurity.com/compliance-solutions/pci. You can ask any specific question there as well.
Nevermind, I believe I figured this out.
This comment was deleted 4 years ago.
Thanks! I understand your reasoning. I had to tick a box and submit paperwork to a data partner to get further access to their API. Understandably, Stripe does handle pretty much everything, and I have been quite intentional about that. I don't want to handle credit card data if I don't have to. However, I didn't have the minimum 20 transactions or so through Stripe where they could handle the form(s) automatically. I ended up filling out a SAQ A and an AOC form from the PCISS site and submitted that.