Frequently Asked Question

Can an entity be PCI DSS compliant if they use a service provider that is validated to a previous version of PCI DSS?

Yes. As entities transition between different versions of PCI DSS, it may be necessary for an organization, such as a merchant, to rely on a service provider who is validated to an earlier PCI DSS version. In this instance, the service provider’s validation must have been completed prior to the expiry of the version of the standard to which they were validated, and their validation must still be current (that is, 12 months have not passed since the service provider’s validation).

Entities should always contact their acquirer or the payment brands directly to determine their compliance reporting requirements, including how to report any third-party service providers. Contact details for the payment brands can be found in FAQ #1142, "How do I contact the payment card brands?"

August 2018
Article Number: 1282