The PCI Security Standards Council (PCI SSC) is often asked whether compliance certificates are acceptable to demonstrate an organization’s validation to the PCI Data Security Standard (PCI DSS).
According to PCI SSC FAQ 1220, “Are compliance certificates recognized for PCI DSS validation?”:
The only documentation recognized for PCI DSS validation are the official form documents from the PCI SSC website. Any other form of certificate or documentation issued for the purposes of documenting compliance to PCI DSS, or any other PCI SSC standard, are not authorized or validated by PCI SSC, and their use is not acceptable for evidencing compliance. The use of certificates or other non-authorized documentation to validate compliance with PCI DSS requirements according to PCI DSS Requirements 12.8 and/or Requirement 12.9 is also not acceptable.
The PCI SSC website is the official source for reporting templates and forms that are approved by PCI SSC for the purposes of documenting compliance to PCI DSS or any other PCI SSC standard. These include template versions of the Report on Compliance (ROC), Attestations of Compliance (AOC), Self-Assessment Questionnaires (SAQ), and Attestations of Scan Compliance for ASV scans.
Entities that receive certificates or documents that purport to indicate compliance with PCI DSS, or other PCI SSC standards, which are not in the form of the above templates available from the PCI SSC website, should request that documentation be provided using the official PCI SSC templates. Any organization issuing, providing, or using certificates or other documents not provided by PCI SSC as an indication of compliance with PCI DSS, or other PCI SSC standards, must also be able to provide corresponding documentation using the official PCI SSC forms and templates.
PCI SSC does not endorse the use or issuance of compliance certificates for evidence of PCI DSS compliance. Note that organizations receiving such compliance certificates are under no obligation to accept them and are encouraged to request that the documentation be provided on the official PCI SSC form or template. Such organizations may wish to refer to FAQ 1220 as support.
Note that PCI SSC does not provide compliance certificates or compliance logos, and organizations do not have permission to use a PCI SSC or PCI DSS logo on a certificate or document purporting PCI DSS compliance. Except for the official forms or documents on the PCI SSC website, any certificate or document that indicates PCI DSS compliance is not from the Council nor is it an official verification of PCI DSS compliance.
