Frequently Asked Question
Are OEMs and/or hardware/software resellers subject to PCI DSS Requirements 12.8 and 12.9?
However, if the OEM or reseller also provides additional ongoing services—such as supporting the ongoing operation of the equipment or software—or has access to their customer’s CDE, then the agreements described in 12.8 and 12.9 would be applicable for the services being offered.
Refer to PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms for definition of Service Providers.
Featured FAQ Articles
Most Recently Updated
Is the expectation that any PFI investigation initiated must result in a PFI Final Report?
Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?