Frequently Asked Question

What type of assessor signatures are allowable for PCI SSC attestation documentation?
Attestation documents, including AOCs, AOVs, and program-related attestations, that are provided by the PCI SSC require an assessor's signature. The assessor's signature signifies the individual has knowledge, approval, and acceptance of the document's contents. The signature should guarantee non-repudiation. Acceptable forms of signature currently are wet signature (performed with ink) or PCI SSC-accepted electronic/digital signature (cryptographically protected, such as under the US Federal ESIGN Act, the Uniform Electronic Transactions Act (UETA), or European Union Regulation NO 910/2014 on Electronic Identification, Authentication and Trust Services (eIDAS)).
Please note the payment brands themselves manage their own associated compliance programs and may have their own mandates for what types of signatures they will accept. For information please contact the payment brands directly. Contact details for the payment brands can be found in FAQ #1142 How do I contact the payment card brands?
Related
-
What are the expectations for entities when assigning risk rankings to vulnerabilities and resolving or addressing those vulnerabilities?
-
Is phishing-resistant authentication alone acceptable as multi-factor authentication for PCI DSS Requirements 8.4.1 and 8.4.3?
-
Are passkeys synced across devices, implemented according to the FIDO2 requirements, acceptable for use as phishing-resistant authentication to meet PCI DSS Requirement 8.4.2?
Featured FAQ Articles
Featured
-
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?
-
Is the PCI DSS Attestation of Compliance intended to be shared?
-
How does an entity report the results of a PCI DSS assessment for new requirements that are noted in PCI DSS as best practices until a future date?
-
Where do I direct questions about complying with PCI standards?
-
Can SAQ eligibility criteria be used as a guide for determining applicability of PCI DSS requirements for merchant assessments documented in a Report on Compliance?
Most Popular
-
What are the expectations for entities when assigning risk rankings to vulnerabilities and resolving or addressing those vulnerabilities?
-
Is phishing-resistant authentication alone acceptable as multi-factor authentication for PCI DSS Requirements 8.4.1 and 8.4.3?
-
Are passkeys synced across devices, implemented according to the FIDO2 requirements, acceptable for use as phishing-resistant authentication to meet PCI DSS Requirement 8.4.2?
-
How should PCI DSS v4.x requirements noted as superseded by another requirement be reported after 31 March 2025?
-
Are providers of third-party scripts for e-commerce environments considered third-party service providers for PCI DSS Requirements 12.8 and 12.9?
Most Recently Updated
-
How often must service providers test penetration testing segmentation controls under PCI DSS?
-
Are merchants allowed to request card-verification codes/values from cardholders?
-
What is the maximum period of time that cardholder data can be stored?
-
How can an entity ensure that hashed and truncated versions cannot be correlated?
-
Are point-of-interaction devices required to be physically secured (for example, with a cable or tether) to prevent removal or substitution to meet PCI DSS Requirement 9.5?