Diff: FAQ #1282

Can merchants assess against PCI DSS version 3.0 if they use a service provider that is validated to PCI DSS version 2?

Earlier Version

Yes. As entities transition between different versions of PCI DSS it may be necessary for an organization, such as a merchant, to rely on a service provider who is validated to an earlier PCI DSS version. In this instance, the service provider's validation must have been completed prior to the expiry of the version of the standard to which they were validated, and their validation must still be current (that is, 12 months have not passed since the service provider's validation).

Entities should always contact their acquirer or the payment brands directly to determine their compliance reporting requirements, including how to report any third party service providers. Contact details for the payment brands can be found in FAQ #1142 How do I contact the payment card brands?

Later Version

Yes. When a new version of PCI DSS is available and as entities transition to the newer version of PCI DSS there may be situations where an entity relies on a TPSP that is validated to the older PCI DSS version. In this situation, the TPSP's validation must have been completed prior to the retirement of the version of the standard to which they were validated, and their validation must still be current (that is, 12 months have not passed since the service provider's validation).

Entities should always contact their acquirer or the payment brands directly to determine their compliance reporting requirements, including how to report any TPSPs. Contact details for the payment brands can be found in FAQ #1142 How do I contact the payment card brands?

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.