Payment provider attestation on file
Demonstrate that current, valid third-party attestation reports are obtained and maintained for all payment service providers handling organizational payment data.
Description
What this control does
This control requires the organization to obtain and maintain current attestation reports (such as SOC 2 Type II, PCI DSS AOC, or ISO 27001 certificates) from third-party payment service providers that process, store, or transmit payment card data on behalf of the organization. These attestations demonstrate that the payment provider has undergone independent assessment of their security controls and compliance posture. Maintaining these attestations on file provides documented assurance that payment processing dependencies meet industry security standards and regulatory requirements.
Control objective
What auditing this proves
Demonstrate that current, valid third-party attestation reports are obtained and maintained for all payment service providers handling organizational payment data.
Associated risks
Risks this control addresses
- Payment provider suffers a data breach exposing customer payment card information because its security controls were never verified through independent assessment
- Organization inherits regulatory non-compliance penalties when payment provider fails PCI DSS or other payment security requirements without documented validation
- Fraudulent or unauthorized transactions processed through payment provider with insufficient fraud detection and prevention controls
- Customer payment data exfiltrated through compromised payment provider API or infrastructure lacking adequate encryption and access controls
- Organization unable to demonstrate due diligence in third-party risk management during regulatory examination or breach investigation
- Payment service disruption caused by a provider security incident whose underlying control weaknesses could have been identified through attestation review
- Inadequate incident response capabilities at payment provider result in delayed breach notification and extended customer exposure
Testing procedure
How an auditor verifies this control
- Obtain complete inventory of all third-party payment service providers currently processing, storing, or transmitting organizational payment data
- Request current attestation reports from each payment provider, including SOC 2 Type II reports, PCI DSS Attestation of Compliance (AOC), or equivalent certifications
- Verify each attestation report is dated within the required validity period (typically 12 months for SOC 2 Type II, quarterly for PCI DSS AOC)
- Review attestation scope sections to confirm the services used by the organization are explicitly covered within the assessment boundaries
- Examine audit opinions and test results within attestation reports to identify any qualified opinions, exceptions, or control deficiencies
- Cross-reference payment provider names and service descriptions in attestation reports against contracts and data flow diagrams to ensure completeness
- Interview procurement and vendor management personnel to verify procedures for obtaining attestations during onboarding and renewal cycles
- Review evidence of management review and acceptance of attestation findings, including documented remediation tracking for any provider control gaps
Where this control is tested