FAQ #1065 Diff

How should a hosting provider demonstrate PCI DSS compliance (as part of their client's assessment or in their own separate assessment)?

Earlier Version
2008-02-24T00:00:00+00:00

Later Version
2015-07-29T00:00:00+00:00

Removed

Added

~~Per the Scope of Assessment~~There are two options for hosting providers and other third-party service providers to validate compliance:

1) Annual assessment: Service providers can undergo an annual PCI DSS assessment(s) on their own and provide evidence to their customers to demonstrate their compliance; or

2) Multiple, on-demand assessments: If they do not undergo their own annual PCI DSS assessments, service providers must undergo assessments upon request of their customers and/or participate in each of their customer?s PCI DSS reviews, with the results of each review provided to the respective customer(s).

For further details and guidance, refer to the Use of Third-Party Service Providers / Outsourcing section of the PCI DSS Requirements and Security Assessment Procedures, there are two options for hosting providers and other third party providers to validate compliance:

They can undergo a PCI DSS assessment on their own and provide evidence to their customers to demonstrate their compliance, or
If they do not undergo their own PCI DSS assessment, they can have their services reviewed during the course of each of their customer’s PCI DSS assessments.DSS.

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.