Frequently Asked Question

There are two options for multi-tenant service providers and other TPSPs to validate compliance when they provide services that are intended to meet customers' PCI DSS requirements and/or when they provide services that may impact the security of a customer's cardholder data environment, as follows: 

1) Annual assessment: TPSPs undergo an annual PCI DSS assessment(s) and provide evidence to their customers to demonstrate that they meet the applicable PCI DSS requirements, or

2) Multiple, on-demand assessments: If they do not undergo an annual PCI DSS assessment, TPSPs undergo assessments upon request of their customers and/or participate in each of their customers' PCI DSS assessments, with the results of each review provided to the respective customer(s).

If a TPSP undergoes a PCI DSS assessment as part of its customers’ assessment(s), it is expected to provide evidence that PCI DSS requirements applicable to the services provided to the customer were examined and determined to be in place, for example via a Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) D for Service Providers. A TPSP that only provides evidence that it meets a limited set of SAQ requirements applicable to a merchant (for example, SAQ A or an SAQ A Attestation of Compliance (AOC)) has not provided sufficient evidence of PCI DSS compliance for its merchant customers.

For more information, refer to the PCI DSS section 4 Scope of PCI DSS Requirements, subsection Use of Third-Party Service Providers.

Refer to the following FAQs:

FAQ 1221: To which types of service providers does PCI DSS Appendix A1 apply?

FAQ 1312: How is an entity's PCI DSS compliance impacted by using third-party service providers (TPSPs)?

FAQ 1576: What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?