Diff: FAQ #1065
How should a hosting provider demonstrate PCI DSS compliance (as part of their client's assessment or in their own separate assessment)?
Earlier Version
2015-07-29 00:00:00 UTC
A There are two options for hosting providers and other third-party service providers to validate compliance:
1) Annual assessment: Service providers can undergo an annual PCI DSS assessment(s) on their own and provide evidence to their customers to demonstrate their compliance; or
2) Multiple, on-demand assessments: If they do not undergo their own annual PCI DSS assessments, service providers must undergo assessments upon request of their customers and/or participate in each of their customer's PCI DSS reviews, with the results of each review provided to the respective customer(s).
For further details and guidance, refer to the Use of Third-Party Service Providers / Outsourcing section of the PCI DSS.
Later Version
2024-11-05 15:10:24 UTC
A TPSP is expected to provide evidence of compliance with applicable PCI DSS requirements.
If the TPSP undergoes its own PCI DSS assessment, it is expected to provide sufficient evidence to its customers to verify that the scope of the TPSP's PCI DSS assessment covered the services applicable to the customer, and that the relevant PCI DSS requirements were examined and determined to be in place. If the provider has a PCI DSS Attestation of Compliance (AOC), it is expected that the TPSP provides the AOC to customers upon request.
If the TPSP does not undergo its own PCI DSS assessment and therefore does not have an AOC, the TPSP is expected to provide specific evidence related to the applicable PCI DSS requirements, so that the customer (or its assessor) is able to confirm that the TPSP is meeting those PCI DSS requirements.
Note: A TPSP that only provides evidence that it meets a limited set of SAQ requirements applicable to a merchant (for example, SAQ A or an SAQ A Attestation of Compliance (AOC)) has not provided sufficient evidence of PCI DSS compliance for its merchant customers. For more information, refer to the PCI DSS section 4 Scope of PCI DSS Requirements, subsection Use of Third-Party Service Providers.
Refer to the following FAQs:
FAQ 1221: To which types of service providers does PCI DSS Appendix A1 apply?
FAQ 1312: How is an entity's PCI DSS compliance impacted by using third-party service providers (TPSPs)?
FAQ 1576: What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?