Frequently Asked Question
How is an entity's PCI DSS compliance impacted by using third-party service providers (TPSPs)?
When an entity (the TPSP customer) uses one or more TPSPs for functions within or related to the customer's cardholder data environment, it will impact the customer's PCI DSS compliance, specifically with PCI DSS Requirement 12.8 and with any PCI DSS requirements the TPSP is meeting on the customer's behalf.
In all scenarios where a TPSP is used, the customer must manage and oversee all their TPSP relationships and monitor the PCI DSS compliance status of their TPSPs in accordance with Requirement 12.8. This includes performing due diligence, having appropriate agreements in place, identifying which requirements apply to the customer and which apply to the TPSP, and monitoring the compliance status of TPSPs at least annually. Requirement 12.8 does not specify that the customer's TPSPs must be PCI DSS compliant, only that the customer monitors their compliance status as specified in the requirement. Therefore, TPSPs do not need to be validated as PCI DSS compliant for the customer to meet Requirement 12.8.
However, if a TPSP provides a service that meets one or more PCI DSS requirements on behalf of the customer, then those requirements are in scope for the customer's assessment, and the TPSP's compliance for that service will impact the customer's compliance. For example, if a customer engages a TPSP to manage their network security controls, and the TPSP does not provide evidence that it meets the applicable requirements in PCI DSS Requirement 1, then those requirements are not in place for the customer's assessment. As another example, TPSPs that store cardholder data on behalf of customers need to meet the applicable requirements related to access controls, physical security, etc., for their customers to consider those requirements in place for their assessments.
Whether a TPSP is required to undergo a PCI DSS assessment is determined by organizations that manage compliance programs (for example, an acquirer, payment brand, or another entity). Entities should contact the organization that manages their compliance program directly to understand the requirements for TPSPs. Contact details for the payment brands can be found in FAQ #1142: How do I contact the payment card brands?
Refer to FAQ 1576: What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?
February 2024
Article Number: 1312