FAQ #1065 Diff

How should a hosting provider demonstrate PCI DSS compliance (as part of their client's assessment or in their own separate assessment)?

Earlier Version

There are two options for hosting providers and other third-party service providers to validate compliance:

1) Annual assessment: Service providers can undergo an annual PCI DSS assessment(s) on their own and provide evidence to their customers to demonstrate their compliance; or

2) Multiple, on-demand assessments: If they do not undergo their own annual PCI DSS assessments, service providers must undergo assessments upon request of their customers and/or participate in each of their customer's PCI DSS reviews, with the results of each review provided to the respective customer(s).

For further details and guidance, refer to the Use of Third-Party Service Providers / Outsourcing section of the PCI DSS.

Later Version

A TPSP is expected to provide evidence of compliance with applicable PCI DSS requirements.

If the TPSP undergoes its own PCI DSS assessment, it is expected to provide sufficient evidence to its customers to verify that the scope of the TPSP's PCI DSS assessment covered the services applicable to the customer, and that the relevant PCI DSS requirements were examined and determined to be in place. If the provider has a PCI DSS Attestation of Compliance (AOC), it is expected that the TPSP provides the AOC to customers upon request.

If the TPSP does not undergo its own PCI DSS assessment and therefore does not have an AOC, the TPSP is expected to provide specific evidence related to the applicable PCI DSS requirements, so that the customer (or its assessor) is able to confirm that the TPSP is meeting those PCI DSS requirements.

Note: A TPSP that only provides evidence that it meets a limited set of SAQ requirements applicable to a merchant (for example, SAQ A or an SAQ A Attestation of Compliance (AOC)) has not provided sufficient evidence of PCI DSS compliance for its merchant customers. For more information, refer to the PCI DSS section 4 Scope of PCI DSS Requirements, subsection Use of Third-Party Service Providers.

Refer to the following FAQs:

FAQ 1221: To which types of service providers does PCI DSS Appendix A1 apply?
FAQ 1312: How is an entity's PCI DSS compliance impacted by using third-party service providers (TPSPs)?
FAQ 1576: What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.