https://community.developer.cybersource.com/t5/Integration-and-Testing/PCI-DSS-SAQ-question-12-8-2-Where-does-Authorize-supply-the/m-p/55956#M30778 <P>I'm filling out our PCI-DSS SAQ, and question 12.8.2 states:</P><P>&nbsp;</P><P>"Is a written agreement maintained that includes an<BR />acknowledgement that the service providers are<BR />responsible for the security of cardholder data the<BR />service providers possess or otherwise store, process,<BR />or transmit on behalf of the customer, or to the extent<BR />that they could impact the security of the customer’s<BR />cardholder data environment?<BR />Note: The exact wording of an acknowledgement will<BR />depend on the agreement between the two parties, the<BR />details of the service being provided, and the<BR />responsibilities assigned to each party. The<BR />acknowledgement does not have to include the exact<BR />wording provided in this requirement."</P><P>&nbsp;</P><P>I've not been able to find where it states in writing that Authorize.net assumes responsibility for the cardholder data they are handling on our behalf.</P><P>&nbsp;</P><P>When I contact customer support, they refuse to acknowledge that Authorize.net assumes that responsibility, much less point me to where that assumption of responsbility is outlined in writing. &nbsp;Their stance is that Authorize.net is certified as PCI-DSS compliant, and by implication that means I can check the yes box to the above quoted question.</P><P>&nbsp;</P><P>I don't understand how that is possible. &nbsp;The SAQ has a yes or no question about the existence of a written agreement. &nbsp;Can someone explain it to me or point me to where the written acknowledgement actually is?</P> Thu, 13 Oct 2016 19:04:46 GMT noahs 2016-10-13T19:04:46Z https://community.developer.cybersource.com/t5/Integration-and-Testing/PCI-DSS-SAQ-question-12-8-2-Where-does-Authorize-supply-the/m-p/55956#M30778 <P>I'm filling out our PCI-DSS SAQ, and question 12.8.2 states:</P><P>&nbsp;</P><P>"Is a written agreement maintained that includes an<BR />acknowledgement that the service providers are<BR />responsible for the security of cardholder data the<BR />service providers possess or otherwise store, process,<BR />or transmit on behalf of the customer, or to the extent<BR />that they could impact the security of the customer’s<BR />cardholder data environment?<BR />Note: The exact wording of an acknowledgement will<BR />depend on the agreement between the two parties, the<BR />details of the service being provided, and the<BR />responsibilities assigned to each party. The<BR />acknowledgement does not have to include the exact<BR />wording provided in this requirement."</P><P>&nbsp;</P><P>I've not been able to find where it states in writing that Authorize.net assumes responsibility for the cardholder data they are handling on our behalf.</P><P>&nbsp;</P><P>When I contact customer support, they refuse to acknowledge that Authorize.net assumes that responsibility, much less point me to where that assumption of responsbility is outlined in writing. &nbsp;Their stance is that Authorize.net is certified as PCI-DSS compliant, and by implication that means I can check the yes box to the above quoted question.</P><P>&nbsp;</P><P>I don't understand how that is possible. &nbsp;The SAQ has a yes or no question about the existence of a written agreement. &nbsp;Can someone explain it to me or point me to where the written acknowledgement actually is?</P> Thu, 13 Oct 2016 19:04:46 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/PCI-DSS-SAQ-question-12-8-2-Where-does-Authorize-supply-the/m-p/55956#M30778 noahs 2016-10-13T19:04:46Z