All Service Providers, which encompass Acquirers, Processors, and Gateway Providers, entrusted with storing, processing, or transmitting Sanquest Cardholder data, are obligated to adhere to the PCI DSS. They might need to declare their compliance status if requested by Sanquest Card.

Please be aware that Sanquest retains the authority to demand a comprehensive copy of a Service Provider's Report on Compliance or Self-Assessment Questionnaire (SAQ) as deemed suitable. The Service Provider is obligated to respond promptly to such a request.

Service Provider compliance assessments

All Service Providers, which encompasses Acquirers and Acquirer Processors involved in storing, processing, or transmitting Sanquest Cardholder data on the Sanquest card, could be obligated to annually report their compliance upon a request from Sanquest. To confirm and communicate their compliance status to Sanquest Card, Service Providers are to submit one of the following:

On-site assessment

Service Providers that have undergone an on-site assessment must provide their Attestation of Compliance (AOC).

Important Reminder: Please ensure that all assessments utilize the latest version of PCI DSS applicable to the reporting period.

Self-assessment

Service Providers conducting a self-assessment must finalize PCI DSS Self-Assessment Questionnaire D and provide the Service Provider Version of the Attestation of Compliance.

Non-compliant service provider

Sanquest mandates that Service Providers not in complete compliance with PCI DSS must accomplish the Prioritized Approach for PCI DSS worksheet or the "Action Plan for Non-Compliant Status" section within the Attestation of Compliance. This, along with a signed copy of the request letter, should be forwarded.

Presenting an action plan to Sanquest Card should not be construed as Sanquest Card waiving any rights under relevant agreements or operational regulations.

Report submitted annually

All Service Providers are required to submit a compliance report every year.