Frequently Asked Question
If a merchant uses a service provider to host part or all of their CDE, and the service provider has been validated as PCI DSS compliant, is the merchant's assessor required to go onsite to the third party location and retest the PCI DSS requirements?
As explained in the section "Third Parties/Outsourcing" of the PCI DSS, third parties can either have their services reviewed during the course of each of their client's PCI DSS assessments, or they can undergo their own PCI DSS assessment and provide evidence to their clients to demonstrate their compliance. If the service provider undergoes their own assessment, they would be expected to provide sufficient evidence to each client to verify that the scope of the service provider's PCI DSS assessment covered the system components and services used by the client, as well as clearly identify the PCI DSS requirements that were determined to be in place.
The specific evidence provided by the service provider to their clients will depend on the agreements/contracts in place between those parties. Relevant sections of the service provider's Report on Compliance (redacted as appropriate to protect any confidential information) could help provide all or some of the information; however, PCI DSS does not require that the ROC be provided, as service providers may be able to provide sufficient evidence via other means. The PCI DSS Attestation of Compliance (AOC) for Service Providers has been updated to include a Summary of Requirements Tested. The intent of this update is to provide a more meaningful summary of the service provider’s assessment within the AOC, which is a less sensitive document than the ROC and could potentially be provided to the service provider’s customers if requested.
Featured FAQ Articles
Most Recently Updated
Is the expectation that any PFI investigation initiated must result in a PFI Final Report?
Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?