Diff: FAQ #1290

If a merchant uses a service provider to host part or all of their CDE, and the service provider has been validated as PCI DSS compliant, is the merchant's assessor required to go onsite to the third party location and retest the PCI DSS requirements?

Earlier Version: 2024-02-27 21:31:00 UTC
Later Version: 2025-11-05 09:00:46 UTC
No. PCI SSC does not require that an entity's assessor go onsite to the entity's TPSP and retest PCI DSS requirements that have already been covered in the TPSP's current PCI DSS assessment.

Refer to the following FAQs:

FAQ 1065: How are third-party service providers (TPSPs) expected to demonstrate PCI DSS compliance for TPSP services that meet customers' PCI DSS requirements or may impact the security of a cardholder data environment?

FAQ 1312: How is an entity's PCI DSS compliance impacted by using third-party service providers (TPSPs)?

FAQ 1576: What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?