Skip to content

PCI DSS Level 1 Provider Vetting Guide

 

Audit-Friendly Vetting Checklist

  • Validate a current, signed Attestation of Compliance (AOC).
  • Confirm Service Scope matches your intended architecture.
  • Identify explicitly excluded services or infrastructure.
  • Execute a detailed Shared Responsibility (R&R) Matrix.
  • Verify real-time access to logs and incident response evidence.
  • Audit the data isolation and tenancy enforcement model.

 

I. The Significance of the AOC

A current Attestation of Compliance (AOC) is the primary artifact required by auditors. It confirms that a provider has been independently validated against PCI DSS requirements. Without this document, your organization assumes significantly higher risk and audit overhead.

 

II. The Shared Responsibility Model

Under PCI DSS 4.0.1, the division of labor between you and your provider must be perfectly documented. A “Shared Responsibility Matrix” prevents “last-mile” gaps where both parties assume the other is managing a specific control.

Control CategoryProvider ResponsibilityCustomer Responsibility
Physical SecurityData Center Access ControlN/A (Inherited)
Network SecurityHypervisor/Backbone IsolationVirtual Firewall Configuration
Data EncryptionEncryption of Data-at-RestKey Management & Access Policies

 

III. Assessing Providers in Transition

If a provider lacks a current AOC, they must provide a roadmap and alternative proof of technical controls, such as SOC 2 reports or third-party penetration testing summaries. Failure to provide transparency during this phase is a major indicator of non-compliance risk.

About Scale Computing
Scale Computing is a leader in edge computing, virtualization, and hyperconverged solutions. Scale Computing HC3 software eliminates the need for traditional virtualization software, disaster recovery software, servers, and shared storage, replacing these with a fully integrated, highly available system for running applications. Using patented HyperCore™ technology, the HC3 self-healing platform automatically identifies, mitigates, and corrects infrastructure problems in real-time, enabling applications to achieve maximum uptime. When ease-of-use, high availability, and TCO matter, Scale Computing HC3 is the ideal infrastructure platform. Read what our customers have to say on Gartner Peer Insights, Spiceworks, TechValidate and TrustRadius.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Discover more from Version 2 Limited

Subscribe now to keep reading and get access to the full archive.

Continue reading