FAQ #1427 Diff
Are OEMs and/or hardware/software resellers subject to PCI DSS Requirements 12.8 and 12.9?
Earlier Version
Later Version
Removed
Added
Original equipment manufacturers (OEMs) and equipment resellers may provision equipment initially for the CDE,cardholder data environment (CDE), but once the equipment has been provisioned, they may no longer be involved in the day-to-day operation of the product. If the OEM simply provides a product and is not involved in its operation or maintenance, they wouldare not be expected to implement agreementsconsidered third-party service providers (TPSPs) for the purposes of meeting Requirements 12.8 and 12.9.
However, if the OEM or reseller also provides additional ongoing services—such as supporting the ongoing operation of the equipment or software—or has access to theircustomer’scustomer's CDE, then they would be TPSPs for their customers and the agreements described in 12.8 and 12.9 would be applicable for the TPSP services being offered.
Refer to the PCI DSSand PA-DSS Glossary of Terms, Abbreviations, and Acronyms forin Appendix G for the full definition of Service Providers.
However, if the OEM or reseller also provides additional ongoing services—such as supporting the ongoing operation of the equipment or software—or has access to their
Refer to the PCI DSS
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.