Frequently Asked Question

Can an entity be PCI DSS compliant if they use a third-party service provider (TPSP) that is validated to a previous version of PCI DSS?
Yes. When a new version of PCI DSS is available and as entities transition to the newer version of PCI DSS there may be situations where an entity relies on a TPSP that is validated to the older PCI DSS version. In this situation, the TPSP's validation must have been completed prior to the retirement of the version of the standard to which they were validated, and their validation must still be current (that is,12 months have not passed since the service provider's validation).
Entities should always contact their acquirer or the payment brands directly to determine their compliance reporting requirements, including how to report any TPSPs. Contact details for the payment brands can be found in FAQ #1142 How do I contact the payment card brands?
Related
-
Are Approved Scanning Vendors and Qualified Security Assessors considered third-party service providers for PCI DSS Requirements 12.8 and 12.9?
-
What are the expectations for entities when assigning risk rankings to vulnerabilities and resolving or addressing those vulnerabilities?
-
Is phishing-resistant authentication alone acceptable as multi-factor authentication for PCI DSS Requirements 8.4.1 and 8.4.3?
Featured FAQ Articles
Featured
-
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?
-
Is the PCI DSS Attestation of Compliance intended to be shared?
-
How does an entity report the results of a PCI DSS assessment for new requirements that are noted in PCI DSS as best practices until a future date?
-
Where do I direct questions about complying with PCI standards?
-
Can SAQ eligibility criteria be used as a guide for determining applicability of PCI DSS requirements for merchant assessments documented in a Report on Compliance?
Most Popular
-
Are Approved Scanning Vendors and Qualified Security Assessors considered third-party service providers for PCI DSS Requirements 12.8 and 12.9?
-
What are the expectations for entities when assigning risk rankings to vulnerabilities and resolving or addressing those vulnerabilities?
-
Is phishing-resistant authentication alone acceptable as multi-factor authentication for PCI DSS Requirements 8.4.1 and 8.4.3?
-
Are passkeys synced across devices, implemented according to the FIDO2 requirements, acceptable for use as phishing-resistant authentication to meet PCI DSS Requirement 8.4.2?
-
How should PCI DSS v4.x requirements noted as superseded by another requirement be reported after 31 March 2025?
Most Recently Updated
-
Can unencrypted PANs be sent over e-mail, instant messaging, SMS, or chat?
-
Are entities allowed to request that cardholder data be provided over end-user messaging technologies?
-
Does PCI DSS allow faxing of payment card numbers?
-
What is the maximum period of time that cardholder data can be stored?
-
To which devices does PCI DSS Requirement 10.4.2 apply?