Frequently Asked Question

How are third-party service providers (TPSPs) expected to demonstrate PCI DSS compliance for TPSP services that meet customers' PCI DSS requirements or may impact the security of a cardholder data environment?

There are two options for multi-tenant service providers and other TPSPs to validate compliance when they provide services that are intended to meet customers' PCI DSS requirements and/or when they provide services that may impact the security of a customer's cardholder data environment, as follows:

1) Annual assessment: TPSPs undergo an annual PCI DSS assessment(s) and provide evidence to their customers to demonstrate that they meet the applicable PCI DSS requirements, or

2) Multiple, on-demand assessments: If they do not undergo an annual PCI DSS assessment, TPSPs undergo assessments upon request of their customers and/or participate in each of their customers' PCI DSS assessments, with the results of each review provided to the respective customer(s).

For more information, refer to PCI DSS section 4, Scope of PCI DSS Requirements, subsection Use of Third-Party Service Providers.

Refer to the following FAQs:

FAQ 1221: To which types of service providers does PCI DSS Appendix A1 apply?

FAQ 1312: How is an entity's PCI DSS compliance impacted by using third-party service providers (TPSPs)?

FAQ 1576: What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?

February 2024
Article Number: 1065
