All service providers are responsible for meeting PCI DSS requirements for their environments as applicable to the services offered to their customers. In addition, PCI DSS Appendix A1: Additional PCI DSS Requirements for Multi-Tenant Service Providers applies to multi-tenant service providers, which is a type of third-party service provider (TPSP) that offers various shared services to merchants and other service providers.
In PCI DSS v4.0, the title of Appendix A1 was updated to “Additional PCI DSS Requirements for Multi-Tenant Hosting Providers” to support the broader range of technologies used to provide shared services. In PCI DSS v3.2.1, Appendix A1 was entitled “Additional PCI DSS Requirements for Shared Hosting Providers”.
Service providers that offer only shared data center services (often called co-location or “co-lo” providers), where equipment, space, and bandwidth are available on a rental basis, are not considered service providers for purposes of Appendix A1 in either PCI DSS v3.2.1 or PCI DSS v4.0. In addition, these requirements for multi-tenant service providers are not applicable when servers are dedicated to a single customer (but all other applicable PCI DSS requirements do apply).
For additional information and applicable PCI DSS requirements for these TPSPs, refer to PCI DSS Appendix A1: Additional PCI DSS Requirements for Multi-Tenant Service Providers.
Whether a service provider is required to validate PCI DSS compliance is determined by the organizations that manage compliance programs (for example, an acquirer, payment brand, or other entity). Entities should always contact the entity that manages their compliance program directly to determine their compliance requirements. Contact details for the payment brands can be found in FAQ #1142: How do I contact the payment card brands?