Frequently Asked Question

Should service providers demonstrate PCI DSS compliance as part of their client's assessment or in their own separate assessment?
There are two options for hosting providers and other third-party service providers to validate compliance:
1) Annual assessment: Service providers can undergo an annual PCI DSS assessment(s) on their own and provide evidence to their customers to demonstrate their compliance; or
2) Multiple, on-demand assessments: If they do not undergo their own annual PCI DSS assessments, service providers must undergo assessments upon request of their customers and/or participate in each of their customers' PCI DSS reviews, with the results of each review provided to the respective customer(s).
For further details and guidance, refer to the Use of Third-Party Service Providers / Outsourcing section of the PCI DSS.
July 2015
Article Number: 1065