Page 13 v.9
2. Assessors must be affiliated with the International Federation of Accountants (IFAC) or the
American Institute of Certified Public Accountants (AICPA), or must possess certifications from
other relevant privacy and security organizations, such as the International Association of
Privacy Professionals (IAPP) or the Information Systems Audit and Control Association (ISACA).
3. The assessor must use the most current DPR, which includes the evidence required to support
each requirement. Suppliers will need to provide their most recently approved DPR
attestation responses to the assessor.
4. In the case of a newly enrolled supplier, the assessor will test the design of the process controls.
In all other cases, the assessor will test the effectiveness of the controls.
5. The scope of the assessment engagement is limited to Personal Data and/or Microsoft
Confidential Data in connection with that supplier’s Performance.
6. The scope of the engagement is limited to all in-scope data processing activity executed against
the supplier account number which received the request. If the supplier elects to include more than one
supplier account in a single assessment, the letter of attestation must list the supplier
accounts included in the assessment and their associated addresses.
7. The letter submitted to SSPA must not include any statements where the supplier cannot meet
the Data Protection Requirements as written. These issues must be corrected before the letter is
submitted.
SSPA has made a list of preferred assessors available. These companies are familiar with conducting
SSPA assessments. Suppliers are expected to pay for this assessment; the costs will vary depending on
the scale and scope of the data processing.
PCI DSS Certification Requirement
The Payment Card Industry Data Security Standard (PCI DSS) is a framework for developing robust
payment card data security that includes prevention, detection, and appropriate reaction to security
incidents. The framework was developed by the PCI Security Standards Council, a self-regulatory
industry organization. The purpose of the PCI DSS requirements is to identify technology and process
vulnerabilities that pose risks to the security of cardholder data that is processed.
Microsoft is required to comply with these standards. If a supplier handles payment card information
on Microsoft's behalf, we require evidence of adherence to these standards. Consult the PCI Security
Standards Council to understand the requirements it sets.
Depending on the volume of transactions processed, a supplier will either be required to have a
Qualified Security Assessor (QSA) certify compliance or can complete a Self-Assessment Questionnaire.
Payment card brands set the thresholds for assessment type, typically:
• Level 1: Provide a PCI DSS Attestation of Compliance (AOC) issued by a third-party Qualified Security Assessor.
• Level 2 or 3: Provide a PCI DSS Self-Assessment Questionnaire (SAQ) signed by the supplier's
officer.
Submit the certification that applies and meets PCI requirements. Suppliers who process or store
Microsoft customer payment data must possess a current PCI DSS Level 1 certification as a service provider.