Frequently Asked Question

If a merchant uses a service provider to host part or all of their CDE, and the service provider has been validated as PCI DSS compliant, is the merchant's assessor required to go onsite to the third party location and retest the PCI DSS requirements?
PCI SSC does not require that an entity’s assessor go onsite to the entity’s service providers and retest PCI DSS requirements that have already been validated and are covered under the service provider’s current validation.
As explained in the section "Third Parties/Outsourcing" of the PCI DSS, third parties can either have their services reviewed during the course of each of their clients' PCI DSS assessments, or they can undergo their own PCI DSS assessment and provide evidence to their clients to demonstrate their compliance. If the service provider undergoes its own assessment, it would be expected to provide sufficient evidence to each client to verify that the scope of the service provider's PCI DSS assessment covered the system components and services used by the client, as well as to clearly identify the PCI DSS requirements that were determined to be in place.
The specific evidence provided by the service provider to their clients will depend on the agreements/contracts in place between those parties. Relevant sections of the service provider's Report on Compliance (redacted as appropriate to protect any confidential information) could help provide all or some of the information; however, PCI DSS does not require that the ROC be provided, as service providers may be able to provide sufficient evidence via other means. The PCI DSS Attestation of Compliance (AOC) for Service Providers has been updated to include a Summary of Requirements Tested. The intent of this update is to provide a more meaningful summary of the service provider’s assessment within the AOC, which is a less sensitive document than the ROC and could potentially be provided to the service provider’s customers if requested.
May 2015
Article Number: 1290