Frequently Asked Question

What is the role of acquirers and assessors in determining the applicability of PCI DSS requirements for a merchant’s PCI DSS assessment?

Acquirers, on behalf of the payment brands, are responsible for determining the PCI DSS validation and reporting method of their merchant customers, including how compliance is to be evidenced—for example, whether to complete an onsite assessment and ROC or self-assessment and SAQ.  Acquirers may also provide direction about which PCI DSS requirements are to be included in the assessment—for example, an Acquirer may require that a specific subset of PCI DSS controls, such as the controls contained in an SAQ, be tested and the results documented in a ROC.

Assessors are responsible for validating that the scope of the assessment and applicability of PCI DSS requirements is accurately defined and documented. This includes performing testing to confirm that any direction given by the acquirer (or the assessed entity) to exclude any PCI DSS requirements from testing is validated and reported consistently with the assessed entity’s environment.  To report a PCI DSS requirement as “Not Applicable”, the assessor must first confirm through testing that the requirement is truly not applicable to that environment.  This confirmation must be performed and documented for all “Not Applicable” responses before a compliant result can be considered for the assessment.

Alternatively, a “Not Tested” response is appropriate for assessments that do not require a fully compliant result—for example, where a partial assessment is being performed to validate only a subset of PCI DSS requirements. Assessors cannot indicate full PCI DSS compliance in a ROC or AOC if any requirements were excluded from testing without the assessor first verifying that those requirements are truly not applicable to the environment.

The PCI DSS ROC Reporting Template provides detailed instruction on how to properly document the findings from the testing performed, including the difference between “Not Tested” and “Not Applicable” findings.
See also:

FAQ 1382: Can a partial PCI DSS assessment be documented in a Report on Compliance (ROC)? 

FAQ 1331: Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for onsite assessments?

March 2020
Article Number: 1473