Frequently Asked Question

What is the impact if an entity uses a third-party service provider (TPSP) to meet a PCI DSS requirement(s), when that TPSP’s PCI DSS assessment completion date is close to a year ago, as documented in the TPSP’s Attestation of Compliance (AOC)?

Any evidence reviewed as part of a PCI DSS assessment, where the assessor deems it to be valid when it is reviewed, remains valid for that assessment and does not need additional review before finalization of the ROC. As part of the PCI DSS assessment, the assessor is expected to additionally confirm that the assessed entity has defined and implemented processes that result in timely updates to documentation that supports PCI DSS controls.

Any questions about whether a TPSP’s AOC can be accepted as evidence to support an entity’s assessment should be directed to the organizations that manage compliance programs (for example, acquirers, payment brands, or other entities). Contact details for the payment brands can be found in FAQ #1142: How do I contact the payment card brands?

Please refer to the following FAQs:

FAQ 1312: How is an entity's PCI DSS compliance impacted by using third-party service providers (TPSPs)?

FAQ 1576: What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?

November 2025
Article Number: 1601
