Has anyone verified if Zoho is PCI compliant?
We are planning on using Zoho to process payments via Authorize.net. We have everything set up and are attempting to complete the PCI DSS SAQ-A requirement for our merchant account. This requires us to prove Zoho has completed the SAQ-D for Service Providers. We need a way to verify compliance, or a copy of an attestation of compliance signed by the appropriate officer at Zoho.
I assume I'm not the first person to use Zoho to process payment, and therefore not the first to require this information as part of a PCI DSS SAQ. What have other people used? I've made a few requests to Zoho but haven't received any confirmation about the status of their PCI compliance.
One red flag came up when I called. The person I spoke to claimed that Zoho didn't need to be PCI compliant, "because we don't store credit card numbers". This is completely untrue. Even if you exchange the credit card data for a token, it is still a payment instrument, and subject to the same level of compliance as if it were the original credit card number. Perhaps this person didn't know, but if Zoho is PCI compliant, then this person, who has access to a system making payments, should have been trained as part of that compliance, at least at some nominal level where they are aware that Zoho has a PCI-compliant security policy!