Should entities whose enterprise or internal service providers deliver internal services to other corporate entities conduct separate PCI DSS assessments of those service providers, or include them in each corporate entity’s PCI DSS assessment?
Assessed entities have the discretion either to have enterprise functions assessed separately as an internal service provider or to include those functions in each individual corporate entity’s PCI DSS assessment. Regardless of the entity’s decision, the appropriate validation tool for a service provider is either Self-Assessment Questionnaire (SAQ) D for Service Providers or a PCI DSS Report on Compliance (ROC), as directed by its compliance-accepting entity (typically a merchant acquirer or a payment brand).