Frequently Asked Question

In the context of PCI SSC-related validation and compliance reports, the intent of requiring a signature from a "duly authorized officer" is to ensure the Company is aware of and has formally signed off on the work being done together with all associated Company liability for that work. A "duly authorized officer" must have authority to legally bind the company for purposes of the report. Although the signatory's job title need not include the term "officer," the signatory must be formally authorized by the Company to sign such documents on the Company's behalf and should be competent and knowledgeable regarding the applicable PCI SSC program and related requirements and duties.  Each organization is different and is ultimately responsible for defining its own policies and job functions based on the Company's needs and culture.

Examples of signatories that are not "duly authorized officers" include non-employees, attestants or notaries, and any other individual (whether employed by the Company or not) who either is not authorized to make binding commitments on the Company's behalf and/or are merely attesting to the genuineness of the document or signature by adding their own signature. Signature authority for materials submitted to PCI SSC may not be outsourced to any third party.

This FAQ applies to all PCI SSC programs. Refer to each applicable PCI SSC program guide, available on the PCI SSC website, for any additional context for a duly authorized officer.