Service Provider AOC's and Responsibility Summaries

It can be tough to know where to go to find an AOC or Responsibility Summary. Here are some links and information to download a service provider AOC and responsibility summary or to request them. Some service providers don't have an obvious place to request or download an AOC and some don't show that they have a responsibility summary. However a QSA helping PCI365.org has viewed the AOC document for several service providers and can attest to what has been published on this page.

Akamai

Here's a link to download the AOC (good through June 30, 2024):

https://www.akamai.com/site/ja/documents/akamai/pci-dss-3.2-attestation-of-compliance.pdf

Her's a link to download the PCI responsibility matix:

https://www.akamai.com/site/en/documents/akamai/pci-dss-3.2-responsibility-matrix.pdf

Amazon AWS

AWS does a PCI audit every 6 months and a current PCI AOC and Responsibility Summary can be found in the AWS Management Console artifact repository. Make sure to get the correct PCI DSS AOC and not the PCI 3DS one.

https://console.aws.amazon.com/artifact

Cvent

You can download the Cvent Inc. AOC by navigating to this page and clicking on the "You can even download our certificate." link found in the middle of the last paragraph:

https://support.cvent.com/s/communityarticle/How-secure-is-Cvent

Cvent does not specify where or how to download their responsibility summary (if they have one at all).

Google Cloud

Go to the Compliance Reports Manager page and browse (or filter) until you see the PCI DSS report to download.

https://cloud.google.com/security/compliance/compliance-reports-manager#/ReportType=Audit_Report

You can get the Google Cloud responsibility matrix here:

https://services.google.com/fh/files/misc/gcp_pci_dss_v4_responsibility_matrix.pdf

Microsoft Azure and Office 365

Go to the Microsoft Service Trust portal and download the PCI DSS AOC you're looking for. Make sure to get the correct PCI DSS AOC and not the PCI 3DS one.

https://servicetrust.microsoft.com/viewpage/PCI

Okta

To access the Okta AOC your Okta administrator will need to login to the Okta Help Center.

https://support.okta.com/help/s/securitydocs

It's not clear whether Okta has a responsibility matrix available to download, but guidance on Okta's compliance burden can be found here:

https://www.okta.com/resources/whitepaper/okta-security-technical-white-paper/

PayPal

While there is no direct link to download the PayPal, Inc. AOC or responsibility summary, a QSA helping with PCI365.org has viewed the AOC document and can attest to have viewed the following in that document:

• Third-party validated by QSA (Certificate #046-010)

• Name and Type of services included in scope: All Services Assessed (POS / card present, Internet / e-commerce, MOTO / Call Center, Account Management, Back-Office Services, Billing Management, Clearing and Settlement, Network Provider, Fraud and Chargeback, Issuer Processing, Merchant Services, Payment Gateway/Switch, Prepaid Services, Tax/Government Payments, Other: Account Linking, Pay with Rewards & UPI QRC and Card issuing).

• Name of services not assessed: Not Applicable

• ROC report date: 15 October 2023

• Compliant box checked and both Service Provider and QSA signatures on the AOC report.

• URL of Service Provider: www.paypal.com

Technolutions

While there is no direct link to download the Technolutions, Inc. AOC or responsibility summary, a QSA helping with PCI365.org has viewed the AOC document and can attest to have viewed the following in that document:

• Third-party validated by QSA (Certificate #203-027)

• Name and Type of services included in scope: Slate (Applications / software, Internet / e-commerce, Payment Gateway/Switch).

• Name of services not assessed: Not Applicable

• ROC report date: May 31, 2023

• Compliant box checked and both signatures on the AOC report.

• URL of Service Provider: technolutions.com

TokenEx

Here is a link to the TokenEX AOC (Good through July 2024): 

https://www.tokenex.com/wp-content/uploads/2023/07/TokenEx-2023-PCI-DSS-AOC-Final-Report_Marc-Phillips.pdf

TouchNet (Global Payments)

While there is no direct link to download the TouchNet Information Systems, Inc. AOC or responsibility summary, a QSA helping with PCI365.org has viewed the AOC document and can attest to have viewed the following in that document:

• Third-party validated by QSA (Certificate #200-024)

• Name and Type of services included in scope: TouchNet Information Systems, Inc. (Merchant Services, POS / card-present, Internet / e-commerce, Payment Gateway/Switch).

• Name of services not assessed: None.

• ROC report date: 14 APR 2023

• Compliant box checked and both signatures on the AOC report.

• URL of Service Provider: www.touchnet.com

Transact (Cashnet)

Go to this contact form to request a copy of their AOC.

https://www.transactcampus.com/company/trust-center/request-information