FAQ #1290 Diff
If a merchant uses a service provider to host part or all of their CDE, and the service provider has been validated as PCI DSS compliant, is the merchant's assessor required to go onsite to the third party location and retest the PCI DSS requirements?
No. PCI SSC does not require that an entity's assessor go onsite to the entity's TPSP and retest PCI DSS requirements that have already been covered in the TPSP's current PCI DSS assessment.
Refer to the following FAQs:
FAQ 1065: How are third-party service providers (TPSPs) expected to demonstrate PCI DSS compliance for TPSP services that meet customers' PCI DSS requirements or may impact the security of a cardholder data environment?
FAQ 1312: How is an entity's PCI DSS compliance impacted by using third-party service providers (TPSPs)?
FAQ 1576: What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.