Frequently Asked Question
Are merchants required to meet PCI DSS Requirement 12.9?
PCI DSS Requirement 12.9 applies only if the entity being assessed is a service provider. Merchants and other entities that use service providers should review PCI DSS Requirement 12.8 and its sub-requirements, as this is where the controls for managing service provider relationships are defined. Requirement 12.9 provides a corresponding control for service providers to support their customers’ need to meet Requirement 12.8.2.
Requirement 12.9 therefore does not apply to merchants, and should be marked “N/A” for a merchant’s PCI DSS assessment.
June 2014
Article Number: 1277