Frequently Asked Question
How are third-party service providers (TPSPs) expected to demonstrate PCI DSS compliance for TPSP services that meet customers’ PCI DSS requirements or may impact the security of a cardholder data environment?
There are two options for multi-tenant service providers and other TPSPs to validate compliance when they provide services that are intended to meet customers' PCI DSS requirements and/or when they provide services that may impact the security of a customer's cardholder data environment, as follows:
1) Annual assessment: TPSPs undergo an annual PCI DSS assessment(s) and provide evidence to their customers to demonstrate that they meet the applicable PCI DSS requirements, or
2) Multiple, on-demand assessments: If they do not undergo an annual PCI DSS assessment, TPSPs undergo assessments upon request of their customers and/or participate in each of their customers' PCI DSS assessments, with the results of each review provided to the respective customer(s).
If a TPSP undergoes a PCI DSS assessment as part of its customers’ assessment(s), it is expected to provide evidence that PCI DSS requirements applicable to the services provided to the customer were examined and determined to be in place, for example via a Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) D for Service Providers. A TPSP that only provides evidence that it meets a limited set of SAQ requirements applicable to a merchant (for example, SAQ A or an SAQ A Attestation of Compliance (AOC)) has not provided sufficient evidence of PCI DSS compliance for its merchant customers.
For more information, refer to the PCI DSS section 4 Scope of PCI DSS Requirements, subsection Use of Third-Party Service Providers.
Refer to the following FAQs:
FAQ 1221: To which types of service providers does PCI DSS Appendix A1 apply?
FAQ 1312: How is an entity's PCI DSS compliance impacted by using third-party service providers (TPSPs)?
FAQ 1576: What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?
Featured FAQ Articles
Featured
-
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?
-
Is the PCI DSS Attestation of Compliance intended to be shared?
-
How does an entity report the results of a PCI DSS assessment for new requirements that are noted in PCI DSS as best practices until a future date?
-
Where do I direct questions about complying with PCI standards?
-
Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?
Most Popular
-
What does “console access” mean for PCI DSS Requirements 8.4.1 and 8.4.2?
-
What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?
-
Does PCI SSC consider guidance from other standards organizations when making updates to PCI standards?
-
If an organization provides software or functionality that runs on a consumer's device (for example, smartphones, tablets, or laptops) and is used to accept payment account data, can the organization store card verification codes for those consumers?
-
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?
Most Recently Updated
-
How are third-party service providers (TPSPs) expected to demonstrate PCI DSS compliance for TPSP services that meet customers’ PCI DSS requirements or may impact the security of a cardholder data environment?
-
What does “console access” mean for PCI DSS Requirements 8.4.1 and 8.4.2?
-
Where can I find the current version of PCI DSS?
-
Why are there multiple PCI DSS Self-assessment Questionnaires (SAQs)?
-
What is a PCI DSS Self-Assessment Questionnaire?