FAQ #1290 - If an entity uses a third-party service provider (TPSP) that has been validated as PCI DSS compliant, is the entity's assessor required to go onsite to the TPSP's location and retest the PCI DSS requirements? - PCI Watch

ℹ️

Reference Content: This is a copy of content from the PCI Security Standards Council FAQ database, preserved for tracking changes over time.

View Original →

FAQ #1290 Published Version: 2025-11-05T09:00:46+00:00

If an entity uses a third-party service provider (TPSP) that has been validated as PCI DSS compliant, is the entity's assessor required to go onsite to the TPSP's location and retest the PCI DSS requirements?

No. PCI SSC does not require that an entity's assessor go onsite to the entity's TPSP and retest PCI DSS requirements that have already been covered in the TPSP's current PCI DSS assessment. Refer to the following FAQs: FAQ 1065: How are third-party service providers (TPSPs) expected to demonstrate PCI DSS compliance for TPSP services that meet customers' PCI DSS requirements or may impact the security of a cardholder data environment? FAQ 1312: How is an entity's PCI DSS compliance impacted by using third-party service providers (TPSPs)? FAQ 1576: What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?

View original on PCI SSC website View all versions Back to recent changes

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.