Introduction

Cybersource maintains PCI DSS compliance through annual independent assessments. If you are asked to provide evidence of this compliance, you can request one of the following documents:

• Attestation of Compliance (AoC) – Confirms Cybersource’s PCI DSS certification status.
• SSAE 18 SOC 1 Report – Independent audit report on internal controls relevant to financial reporting. SSAE 18 replaced SSAE 16.

Responding to PCI Compliance Emails

You may receive emails from your bank, processor, or other parties regarding PCI DSS compliance. Follow these guidelines:

• If you use a different Merchant Services Provider – Contact your provider directly for assistance.
• If Cybersource is your Merchant Services Provider or Acquirer – Contact our Merchant Acquirer Support team using one of the methods below.

Questions About PCI Compliance

If you have general questions about PCI compliance, contact your merchant services provider. If Cybersource is your merchant acquirer, you may also contact Merchant Acquiring (mentioned above).

Requesting PCI Compliance Reports

If you require a copy of Cybersource’s PCI compliance documentation, submit a Support Center case requesting the SSAE 18 SOC 1 Report or the AoC. Include the following information in your request:

1. Name and Title – Must be Senior Manager level or above.
2. Email Address – For the person listed in Name and Title.
3. Physical Mailing Address – P.O. Boxes are not accepted.
4. Phone Number
5. Report Format Requested – Electronic (PDF) or printed copy.
6. For AoC Requests – Specify whether the request is for:
   • GDC (Global Data Center)
   • IDC (India Data Center)

Additional Notes

• PCI DSS compliance reports are confidential and may require a signed non-disclosure agreement (NDA) before release.
• Cybersource undergoes annual PCI DSS assessments by an independent QSA.
• SSAE 18 SOC 1 reports follow AICPA attestation standards and focus on internal controls relevant to financial transactions.