Recently, a merchant reached out regarding an unexpected ask from its acquiring institution. It is a Level 2 merchant (as defined below) that traditionally completed its own Self-Assessment Questionnaires for Payment Card Industry (PCI) compliance reporting. According to this merchant, the acquirer asked for an Attestation of Compliance (AOC) signed by a Qualified Security Assessor (QSA), not by a company officer.
The request stemmed from a specific rule that MasterCard implemented in 2012, which has remained largely unknown to the merchant community since. As the PCI standards and their requirements have matured, we have noticed acquirers looking beyond the largest merchants (Level 1) and paying more attention to Level 2, 3 and 4 merchants, and they may increasingly require AOCs signed by a QSA or an Internal Security Assessor (ISA).