Frequently Asked Question

No. The only documentation recognized for PCI DSS validation are the official form documents from the PCI SSC website.  Any other form of certificate or documentation issued for the purposes of documenting compliance to PCI DSS or any other PCI SSC standard are not authorized or validated by PCI SSC, and their use is not acceptable for evidencing compliance. The use of certificates or other non-authorized documentation to validate compliance with PCI DSS requirements according to PCI DSS Requirements 12.8 and/or Requirement 12.9 is also not acceptable.

The PCI SSC website is the official source for reporting templates and forms that are approved by PCI SSC for the purposes of documenting compliance to PCI DSS or any other PCI SSC standard. These include template versions of the Report on Compliance (ROC), Attestations of Compliance (AOC), Self-Assessment Questionnaires (SAQ), and Attestations of Scan Compliance for ASV scans.

Entities that receive certificates or documents that purport to indicate compliance to PCI DSS or other PCI SSC standards, which are not in the form of the above templates available from the PCI SSC website, should request that documentation be provided using the official PCI SSC templates. Any organization issuing, providing, or using certificates or other documents not provided by PCI SSC as an indication of compliance with PCI DSS or other PCI SSC standards must also be able to provide corresponding documentation using the official PCI SSC forms and templates.