Frequently Asked Question

Can an entity be PCI DSS compliant if they use a third-party service provider (TPSP) that is validated to a previous version of PCI DSS?

Yes. When a new version of PCI DSS is available and entities are transitioning to the newer version, there may be situations where an entity relies on a TPSP that is validated to the older PCI DSS version. In this situation, the TPSP's validation must have been completed prior to the retirement of the version of the standard to which they were validated, and their validation must still be current (that is, 12 months have not passed since the service provider's validation).

Entities should always contact their acquirer or the payment brands directly to determine their compliance reporting requirements, including how to report any TPSPs. Contact details for the payment brands can be found in FAQ #1142, "How do I contact the payment card brands?"

Last updated: November 2022
Originally published: June 2014
Article Number: 1282
