Frequently Asked Question
If an entity uses a third-party service provider (TPSP) that has been validated as PCI DSS compliant, is the entity's assessor required to go onsite to the TPSP's location and retest the PCI DSS requirements?
No. PCI SSC does not require that an entity's assessor go onsite to the entity's TPSP and retest PCI DSS requirements that have already been covered in the TPSP's current PCI DSS assessment.
Refer to the following FAQs:
FAQ 1065: How are third-party service providers (TPSPs) expected to demonstrate PCI DSS compliance for TPSP services that meet customers' PCI DSS requirements or may impact the security of a cardholder data environment?
FAQ 1312: How is an entity's PCI DSS compliance impacted by using third-party service providers (TPSPs)?
FAQ 1576: What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?
Refer to the following FAQs:
FAQ 1065: How are third-party service providers (TPSPs) expected to demonstrate PCI DSS compliance for TPSP services that meet customers' PCI DSS requirements or may impact the security of a cardholder data environment?
FAQ 1312: How is an entity's PCI DSS compliance impacted by using third-party service providers (TPSPs)?
FAQ 1576: What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?
February 2024
Article Number: 1290
