EBRC completes an annual PCI DSS assessment using an approved Qualified Security Assessor (QSA). The auditor reviews the EBRC environment, which includes validating the infrastructure, development, operations, management, support, and in-scope services. EBRC is certified as compliant under PCI DSS version 3.2.1 at Service Provider Level 1.
The assessment results in an Attestation of Compliance (AoC) and Report on Compliance (RoC) issued by the QSA. The effective period for compliance begins upon passing the audit and receiving the AoC from the assessor, and ends one year from the date the AoC is signed. The AoC is available to customers to show the QSA has determined that EBRC is in compliance with PCI DSS v3.2.1.
Customers who want to develop a cardholder environment or card processing service can leverage the EBRC validation in many of the underlying portions, thereby reducing the associated effort and costs of getting their own PCI DSS certification.
It is, however, important to understand that EBRC PCI DSS compliance status does not automatically translate to PCI DSS certification for the services that customers build or host on the EBRC platform. Customers are responsible for ensuring that they achieve compliance with PCI DSS requirements. The EBRC Customer PCI Guide specifies areas of responsibility for each PCI DSS requirement, and whether it is assigned to EBRC or the customer, or if the responsibility is shared.