FAQ #1065 Diff

How should a hosting provider demonstrate PCI DSS compliance (as part of their client's assessment or in their own separate assessment)?

Earlier Version:

Per the Scope of Assessment section of the PCI DSS Requirements and Security Assessment Procedures, there are two options for hosting providers and other third party service providers to validate compliance:

They can undergo a PCI DSS assessment on their own and provide evidence to their customers to demonstrate their compliance, or

If they do not undergo their own PCI DSS assessment, they can have their services reviewed during the course of each of their customer’s PCI DSS assessments.

Later Version:

There are two options for hosting providers and other third-party service providers to validate compliance:

1) Annual assessment: Service providers can undergo an annual PCI DSS assessment(s) on their own and provide evidence to their customers to demonstrate their compliance; or

2) Multiple, on-demand assessments:
If they do not undergo their own annual PCI DSS assessments, service providers must undergo assessments upon request of their customers and/or participate in each of their customer’s PCI DSS reviews, with the results of each review provided to the respective customer(s).

For further details and guidance, refer to the Use of Third-Party Service Providers / Outsourcing section of the PCI DSS.

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.