
As someone who’s worked with PCI compliance across multiple organizations, I know how overwhelming it can be to evaluate service providers—especially when your audit deadlines are looming. One of the best ways I’ve found to reduce internal compliance burden is by partnering with the right PCI DSS Level 1 service provider. But not all providers are created equal, and navigating the process takes a sharp eye for detail.
Here’s how I evaluate a PCI Level 1 service provider to ensure compliance, reduce risk, and streamline audits.
Why a Current AOC Matters
The first thing I check is whether the provider has a current PCI DSS Attestation of Compliance (AOC). For a Level 1 service provider, the AOC is signed by a Qualified Security Assessor (QSA) after an annual on-site assessment and Report on Compliance, so it is independent, third-party validation rather than a self-assessment. It is the baseline requirement, and it shows the provider has already been through the process you are about to go through.
If they can't provide one, or won't, that's a red flag. When they do have a current AOC, I ask:
- Will they share it? Most reputable providers will provide their AOC, often after an NDA is signed. If they dodge the request, I move on.
- Is it current? An AOC covers one annual assessment cycle, so I check the assessment date, ask when the next assessment is scheduled, and confirm which PCI DSS version it was assessed against. An AOC issued against v3.2.1 is stale now that v4.x is the only active version.
- What's in scope (Section 1, Part 2a, Scope Verification)? The AOC lists the services that were included in the assessment and those that were not. I look for the specific services I plan to use, such as managed network, hosting, or monitoring, and treat anything listed as not assessed as falling into my own scope.
- Do they offer a Roles & Responsibilities (R&R) matrix? Good providers do. It breaks down which PCI DSS requirements they cover, which are shared, and which remain my responsibility. This makes audits significantly easier.
Evaluating Providers Without a Current AOC
If a provider doesn’t have an AOC, I don’t automatically rule them out—but the evaluation gets deeper:
- Are they actively working toward compliance?
- Do they have other independent assurance, such as a SOC 2 Type II report or ISO 27001 certification? These are useful signals of a control environment, but neither substitutes for PCI DSS validation; without an AOC, the services they provide to me must be assessed as part of my own PCI DSS assessment.
- Can they clearly explain PCI DSS requirements and support my QSA during the audit?
- Do they protect cardholder data and segment the cardholder data environment from the rest of their network?
- Do they have quarterly external vulnerability scans by a PCI SSC Approved Scanning Vendor (ASV) and annual penetration tests performed by a qualified third party, with evidence that findings were remediated?
- Is their incident response plan documented and tested?
- Are support procedures secure and well-documented?
- Is technical documentation clear and accessible?
- Are they using a multi-tenant or single-tenant environment—and how is data isolation handled?
That last point matters more than people think. Neither setup is inherently better, and tenancy alone does not change your audit scope; what a QSA cares about is whether the isolation between your data and other customers' data can be demonstrated. A single-tenant environment simply makes that boundary easier to evidence, which can keep your assessment narrower if the provider isn't fully compliant and its services end up inside your scope.
I also ask:
- Have they had a data breach? How did they handle it?
- Do they have any complaints (e.g., BBB)?
- Can they provide client references who’ve achieved PCI compliance?
Why the Roles & Responsibilities Matrix Is Critical
One of the most helpful tools a PCI service provider can offer is a clear Roles & Responsibilities matrix. It outlines exactly what they cover under PCI, what is shared, and what you still need to handle internally. This is not just a convenience: under PCI DSS v4.x, Requirement 12.8.5 requires you to maintain this information for each third-party service provider, and Requirement 12.9.2 requires the service provider to supply it on request. A provider that cannot produce one is making you do their work. This clarity makes working with your QSA faster, cleaner, and more effective.
Bottom Line
Partnering with a PCI DSS Level 1 service provider can absolutely streamline your compliance process—but only if they’re truly up to the task. For me, a current, relevant AOC and a clear R&R matrix are non-negotiables. Everything else helps paint the full picture.
In 2025, with PCI DSS v4.0.1 now the only active version and its future-dated requirements mandatory since 31 March 2025, vetting your service providers is more important than ever. Take the time up front; it will save you a world of stress at audit time.
Looking for a PCI-compliant provider with full transparency and real-time visibility?
Check out how Acumera provides managed network services and how AcuVigil™ supports PCI DSS compliance for multi-site operators. Need to see our AOC or Roles & Responsibilities matrix? Contact us today at sales@acumera.com or call 512.687.7410.