PCI DSS Requirement 12.9 applies only if the entity being assessed is a service provider. Merchants and other entities that use service providers should review PCI DSS Requirement 12.8 and its sub-requirements, as this is where the controls for managing service provider relationships are defined. Requirement 12.9 provides a corresponding control for service providers to support their customers? need to meet Requirement 12.8.2.

Requirement 12.9 therefore does not apply to merchants, and should be marked ?N/A? for a merchant?s PCI DSS assessment.