FAQ #1290 Diff

If a merchant uses a service provider to host part or all of their CDE, and the service provider has been validated as PCI DSS compliant, is the merchant's assessor required to go onsite to the third party location and retest the PCI DSS requirements?

Earlier Version

No. PCI SSC does not require that an entity’s assessor go onsite to the entity’s third-party service providers and retest PCI DSS requirements that have already been validated and are covered under the service provider’s current validation.

As explained in the section “Third Parties/Outsourcing” of the PCI DSS, third parties can either have their services reviewed during the course of each of their client’s PCI DSS assessments, or they can undergo their own PCI DSS assessment and provide evidence to their clients to demonstrate their compliance. If the service provider undergoes their own assessment, they would be expected to provide sufficient evidence to each client to verify that the scope of the service provider’s PCI DSS assessment covered the system components and services used by the client, as well as clearly identify the PCI DSS requirements that were determined to be in place.

The specific evidence provided by the service provider to their clients will depend on the agreements/contracts in place between those parties. Relevant sections of the service provider’s Report on Compliance (redacted as appropriate to protect any confidential information) could help provide all or some of the information; however, PCI DSS does not require that the ROC be provided, as service providers may be able to provide sufficient evidence via other means. The PCI DSS Attestation of Compliance (AOC) for Service Providers has been updated to include a Summary of Requirements Tested. The intent of this update is to provide a more meaningful summary of the service provider’s assessment within the AOC, which is a less sensitive document than the ROC and could potentially be provided to the service provider’s customers if requested.

Later Version

No. PCI SSC does not require that an entity’s assessor go onsite to the entity’s TPSP and retest PCI DSS requirements that have already been covered in the TPSP’s current PCI DSS assessment.

Refer to the following FAQs:

FAQ 1065: How are third-party service providers (TPSPs) expected to demonstrate PCI DSS compliance for TPSP services that meet customers’ PCI DSS requirements or may impact the security of a cardholder data environment?

FAQ 1312: How is an entity’s PCI DSS compliance impacted by using third-party service providers (TPSPs)?

FAQ 1576: What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.