I'm filling out our PCI-DSS SAQ, and question 12.8.2 states:
"Is a written agreement maintained that includes an
acknowledgement that the service providers are
responsible for the security of cardholder data the
service providers possess or otherwise store, process,
or transmit on behalf of the customer, or to the extent
that they could impact the security of the customer’s
cardholder data environment?
Note: The exact wording of an acknowledgement will
depend on the agreement between the two parties, the
details of the service being provided, and the
responsibilities assigned to each party. The
acknowledgement does not have to include the exact
wording provided in this requirement."
I've not been able to find where it states in writing that Authorize.net assumes responsibility for the cardholder data they are handling on our behalf.
When I contact customer support, they refuse to acknowledge that Authorize.net assumes that responsibility, much less point me to where that assumption of responsibility is outlined in writing. Their stance is that Authorize.net is certified as PCI-DSS compliant, and by implication that means I can check the yes box to the above quoted question.
I don't understand how that is possible. The SAQ has a yes or no question about the existence of a written agreement. Can someone explain it to me or point me to where the written acknowledgement actually is?
10-13-2016 12:04 PM