Risk management should always align with your organization's risk appetite and tolerance. As a vendor risk manager, I would consistently request a penetration test report or an executive summary report as part of due diligence. This helps validate whether the vendor has a security program and if their controls meet our organization's requirements. Often, vendors may discuss their controls but hesitate to share the full report due to the issues identified in it. In such cases, you can rely on secondary information, such as controls mentioned in their SOC 2 report or the results of SOC 2 testing. Based on your risk acceptance criteria, you can also conduct a virtual session with the vendor to discuss their program and have them demonstrate the results, rather than sharing the report directly.
To answer your question, yes, a PCI AOC may suffice. A PCI AOC is a formal declaration that an organization complies with the Payment Card Industry Data Security Standard. This document is important for businesses handling card payments, as it demonstrates that they have implemented the necessary security measures to protect cardholder data.
The PCI AOC includes details about the vendor's security posture, systems, and the effectiveness of their controls in safeguarding cardholder data. It also encompasses the review of penetration testing as part of the overall assessment. PCI DSS Requirement 11.3 mandates that organizations perform penetration testing annually or whenever there are significant changes to the network. This ensures that the organization has effectively identified and mitigated security risks. Therefore, in the absence of a penetration test report, you can rely on the PCI AOC to verify that the necessary controls are in place, provided the AOC is current.
Using your scenario, even if the product you consume from this third party does not require PCI compliance, you can still validate that the organization meets the security standards and has adequate controls to mitigate security risks.
Original Message:
Sent: 08-22-2024 04:17 PM
From: Anonymous Member
Subject: PCI AoC vs Penetration test report
This message was posted by a user wishing to remain anonymous
As part of the security review, can a PCI AoC be utilized to substitute for a penetration test report? I was thinking no, because the scope of the pentest for the PCI AoC may be different from the actual penetration test report that needs to be reviewed. For example, what if the third party in question is not being used for payment card services? Maybe this third party has product A that can be used for payment card data, but only product B is in scope of the review and will not be used for payment card data. Is it ok to accept the AoC because it covers everything, or should the penetration test report for product B be requested?