Frequently Asked Question

How are third-party service providers (TPSPs) expected to demonstrate PCI DSS compliance for TPSP services that meet customers? PCI DSS requirements or may impact the security of a cardholder data environment?

There are two options for multi-tenant service providers and other TPSPs to validate compliance when they provide services that are intended to meet customers? PCI DSS requirements and/or when they provide services that may impact the security of a customer's cardholder data environment, as follows:
 

1) Annual assessment: TPSPs undergo an annual PCI DSS assessment(s) and provide evidence to their customers to demonstrate that they meet the applicable PCI DSS requirements, or

2) Multiple, on-demand assessments: If they do not undergo an annual PCI DSS assessment, TPSPs undergo assessments upon request of their customers and/or participate in each of their customers? PCI DSS assessments, with the results of each review provided to the respective customer(s).
 

For more information, refer to the PCI DSS section 4 Scope of PCI DSS Requirements, subsection Use of Third-Party Service Providers.

Refer to the following FAQs:

FAQ 1221: To which types of service providers does PCI DSS Appendix A1 apply?

FAQ 1312: How is an entity's PCI DSS compliance impacted by using third-party service providers (TPSPs)?

FAQ 1576: What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?

Last updated: February 2024
Originally published: April 2012
Article Number: 1065

Featured FAQ Articles