Diff: FAQ #1282
Can merchants assess against PCI DSS version 3.0 if they use a service provider that is validated to PCI DSS version 2?
Earlier Version

Yes. As organizations will be transitioning between version 2.0 and version 3.0 of PCI DSS during 2014, it may be necessary for an organization validating to PCI DSS version 3.0 to include information from a service provider who is validated to PCI DSS version 2.0.

A service provider's version 2.0 compliance validation is acceptable for use in a merchant's version 3.0 assessment as long as the service provider's version 2.0 validation was dated on or before December 31, 2014, and the validation is still current (i.e., 12 months have not passed since the service provider's validation).

If a merchant validating to version 3.0 relies on a service provider that is compliant to PCI DSS version 2.0 for delivery of one or more PCI DSS requirements, the merchant may still validate to version 3.0 and note in their ROC or SAQ that the provider who is managing those requirements on their behalf is meeting the requirements in PCI DSS version 2.0.

Entities should also contact their acquirer or the payment brands directly to determine their compliance reporting requirements, including how to report any third party service providers.

Later Version

Yes. As entities transition between different versions of PCI DSS it may be necessary for an organization, such as a merchant, to rely on a service provider who is validated to an earlier PCI DSS version. In this instance, the service provider's validation must have been completed prior to the expiry of the standard to which they were validated, and their validation must still be current (that is, 12 months have not passed since the service provider's validation).

As an example: A merchant validating to PCI DSS version 3 in 2015 relies on a service provider for delivery of one or more PCI DSS requirements, and the service provider validation to PCI DSS version 2 is dated October 2014. Prior to October 2015, the merchant would still validate to version 3 and note in their ROC or SAQ that the provider who is managing those requirements on their behalf is meeting the requirements in PCI DSS version 2. After October 2015, the service provider's validation is no longer current and cannot be used as evidence of their compliance.

Entities should always contact their acquirer or the payment brands directly to determine their compliance reporting requirements, including how to report any third party service providers. Contact details for the payment brands can be found in FAQ #1142, "How do I contact the payment card brands?"
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.