Appendix A3: Designated Entities Supplemental Validation (DESV)

Overview

This Appendix applies only to entities designated by a payment brand(s) or acquirer as requiring additional validation of existing PCI DSS requirements. An entity is required to undergo an assessment according to this Appendix ONLY if instructed to do so by an acquirer or a payment brand. Examples of entities that this Appendix could apply to include:

• Those storing, processing, and/or transmitting large volumes of account data,
• Those providing aggregation points for account data, or
• Those that have suffered significant or repeated breaches of account data.

Additionally, other PCI standards may reference completion of this Appendix.

These supplemental validation steps are intended to provide greater assurance that PCI DSS controls are maintained effectively and on a continuous basis through validation of business-as-usual (BAU) processes and increased validation and scoping consideration.

Note: Some PCI DSS requirements in this Appendix have defined timeframes (for example, an activity that is to be performed at least once every three months or six months). For an initial assessment to such requirements, it is not required that an activity has been performed for every such timeframe during the previous year, if the assessor verifies:

• The activity was performed in accordance with the applicable requirement within the most recent timeframe (for example, the most recent three-month or six-month period), and
• The entity has documented policies and procedures for continuing to perform the activity within the defined timeframe.

For subsequent years after the initial assessment, an activity must have been performed within each required timeframe. For example, an activity required at least every three months must have been performed at least four times during the previous year at an interval that does not exceed 90-92 days. Refer to section 7 Descriptions of Timeframes Used in PCI DSS Requirements for additional guidance about initial assessments.

Not all requirements in PCI DSS apply to all entities that may undergo a PCI DSS assessment. It is for this reason that some PCI DSS Requirements are duplicated in this appendix. Any questions about this appendix should be addressed to acquirers or payment brands.

Sections

• A3.1 A PCI DSS compliance program is implemented.
• A3.2 PCI DSS scope is documented and validated.
• A3.3 PCI DSS is incorporated into business-as-usual (BAU) activities.
• A3.4 Logical access to the cardholder data environment is controlled and managed.
• A3.5 Suspicious events are identified and responded to.