Diff: FAQ #1290
If a merchant uses a service provider to host part or all of their CDE, and the service provider has been validated as PCI DSS compliant, is the merchant's assessor required to go onsite to the third party location and retest the PCI DSS requirements?
Earlier Version
2015-05-28 00:00:00 UTC
Later Version
2024-02-27 21:31:00 UTC
Removed
No. PCI SSC does not require that an entity’s assessor go onsite to the entity’s service providers and retest PCI DSS requirements that have already been validated and are covered under the service provider’s current validation.
As explained in the section “Third Parties/Outsourcing” of the PCI DSS, third parties can either have their services reviewed during the course of each of their client’s PCI DSS assessments, or they can undergo their own PCI DSS assessment and provide evidence to their clients to demonstrate their compliance. If the service provider undergoes their own assessment, they would be expected to provide sufficient evidence to each client to verify that the scope of the service provider’s PCI DSS assessment covered the system components and services used by the client, as well as clearly identify the requirements that were determined to be in place.
The specific evidence provided by the service provider to their clients will depend on the agreements/contracts in place between those parties. Relevant sections of the service provider’s Report on Compliance (redacted as appropriate to protect any confidential information) could help provide all or some of the information; however, PCI DSS does not require that the ROC be provided, as service providers may be able to provide sufficient evidence via other means. The PCI DSS Attestation of Compliance (AOC) for Service Providers has been updated to include a Summary of Requirements Tested. The intent of this update is to provide a more meaningful summary of the service provider’s assessment within the AOC, which is a less sensitive document than the ROC and could potentially be provided to the service provider’s customers if requested.
Added
No. PCI SSC does not require that an entity’s assessor go onsite to the entity’s TPSP and retest PCI DSS requirements that are covered in the TPSP’s current PCI DSS assessment.
Refer to the following FAQs:
FAQ 1065: How are third-party service providers (TPSPs) expected to demonstrate PCI DSS compliance for TPSP services that meet customers’ PCI DSS requirements or may impact the security of a cardholder data environment?
FAQ 1312: How is an entity’s PCI DSS compliance impacted by using third-party service providers (TPSPs)?
FAQ 1576: What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?
The specific evidence provided by the service provider to their clients will depend on the agreements/contracts in place between those parties. Relevant sections of the service provider’s Report on Compliance (redacted as appropriate to protect any confidential information) could help provide all or some of the information; however, PCI DSS does not require that the ROC be provided, as service providers may be able to provide sufficient evidence via other means. The PCI DSS Attestation of Compliance (AOC) for Service Providers has been updated to include a Summary of Requirements Tested. The intent of this update is to provide a more meaningful summary of the service provider’s assessment within the AOC, which is a less sensitive document than the ROC and could potentially be provided to the service provider’s customers if requested.