How should a hosting provider demonstrate PCI DSS compliance (as part of their client's assessment or in their own separate assessment)?
Per the Scope of Assessment section of the PCI DSS Requirements and Security Assessment Procedures, there are two options for hosting providers and other third party providers to validate compliance:
- They can undergo a PCI DSS assessment on their own and provide evidence to their customers to demonstrate their compliance, or
- If they do not undergo their own PCI DSS assessment, they can have their services reviewed during the course of each of their customer’s PCI DSS assessments.