FAQ #1277 Diff

Are merchants required to meet PCI DSS Requirement 12.9?

Earlier Version
2014-06-10T00:00:00+00:00

Later Version
2014-06-11T01:15:00+00:00

Removed

Added

PCI DSS Requirement 12.9 applies only if the entity being assessed is a service provider. Merchants and other entities that use service providers should review PCI DSS Requirement 12.8 and its sub-requirements, as this is where the controls for managing service provider relationships are defined. Requirement 12.9 provides a corresponding control for service providers to support their ~~customers?~~customers' need to meet Requirement 12.8.2.

Requirement 12.9 therefore does not apply to merchants, and should be marked ~~?N/A?~~"N/A" for a ~~merchant?s~~merchant's PCI DSS assessment.

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.