WithPCI.com

12.8.4 A program is implemented to monitor TPSPs' PCI DSS compliance status at least once every 12 months

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

12.8.4 A program is implemented to monitor TPSPs' PCI DSS compliance status at least once every 12 months.

Customized Approach Objective

The PCI DSS compliance status of TPSPs is verified periodically.

Applicability Notes

Where an entity has an agreement with a TPSP for meeting PCI DSS requirements on behalf of the entity (for example, via a firewall service), the entity must work with the TPSP to make sure the applicable PCI DSS requirements are met. If the TPSP does not meet those applicable PCI DSS requirements, then those requirements are also "not in place" for the entity.

Defined Approach Testing Procedures

12.8.4.a Examine policies and procedures to verify that processes are defined to monitor TPSPs' PCI DSS compliance status at least once every 12 months.

12.8.4.b Examine documentation and interview responsible personnel to verify that the PCI DSS compliance status of each TPSP is monitored at least once every 12 months.

Purpose

Knowing the PCI DSS compliance status of all engaged TPSPs provides assurance and awareness about whether they comply with the requirements applicable to the services they offer to the organization.

Good Practice

If the TPSP offers a variety of services, the compliance status the entity monitors should be specific to those services delivered to the entity and those services in scope for the entity's PCI DSS assessment.

If a TPSP has a PCI DSS Attestation of Compliance (AOC), the expectation is that the TPSP should provide that to customers upon request to demonstrate their PCI DSS compliance status.

If the TPSP did not undergo a PCI DSS assessment, it may be able to provide other sufficient evidence to demonstrate that it has met the applicable requirements without undergoing a formal compliance validation. For example, the TPSP can provide specific evidence to the entity's assessor so the assessor can confirm applicable requirements are met. Alternatively, the TPSP can elect to undergo multiple on-demand assessments by each of its customers' assessors, with each assessment targeted to confirm that applicable requirements are met.
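To make the monitoring cadence and the Good Practice points concrete, the following added example (not part of the PCI DSS text or of WithPCI's own material) checks a small, constructed TPSP register against the 12-month interval, confirms that the evidence on file covers the services actually in scope for the entity, and propagates the Applicability Note: where a non-compliant TPSP meets requirements on the entity's behalf, those requirements are flagged as "not in place" for the entity. The `TPSP` record, the `review_tpsp` and `review_program` helpers, the evidence categories and the treatment of "12 months" as 365 days are all assumptions of this example.

```python
"""Annual TPSP compliance-status review check (hypothetical helper, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# "At least once every 12 months" is treated here as 365 days (assumption).
MONITORING_INTERVAL = timedelta(days=365)

# Evidence types this example accepts, mirroring the Good Practice text:
# an AOC, specific evidence reviewed by the entity's assessor, or an
# on-demand assessment performed by the customer's assessor.
ACCEPTED_EVIDENCE = {"AOC", "assessor_evidence", "on_demand_assessment"}


@dataclass
class TPSP:
    name: str
    services_in_scope: list[str]            # services the TPSP delivers that are in the entity's PCI DSS scope
    evidence_type: str                      # one of ACCEPTED_EVIDENCE, or "none"
    last_verified: Optional[date]           # when the entity last confirmed the TPSP's status
    evidence_services: list[str] = field(default_factory=list)   # services the evidence actually covers
    requirements_delegated: list[str] = field(default_factory=list)  # PCI DSS requirements the TPSP meets on the entity's behalf
    compliant: bool = True                  # outcome of the last verification


def next_review_due(t: TPSP) -> Optional[date]:
    """Date by which the TPSP's status must be verified again (None if never verified)."""
    if t.last_verified is None:
        return None
    return t.last_verified + MONITORING_INTERVAL


def review_tpsp(t: TPSP, today: date) -> list[str]:
    """Return a list of findings for one TPSP; an empty list means no issues."""
    findings: list[str] = []

    # Cadence: verified at least once in the last 12 months.
    if t.last_verified is None:
        findings.append("never verified")
    elif today - t.last_verified > MONITORING_INTERVAL:
        due = next_review_due(t)
        findings.append(
            f"overdue: last verified {t.last_verified.isoformat()}, was due {due.isoformat()}"
        )

    # Evidence: something acceptable must be on file.
    if t.evidence_type not in ACCEPTED_EVIDENCE:
        findings.append(f"no acceptable evidence on file (have: {t.evidence_type})")

    # Scope: the evidence must be specific to the services delivered to the entity.
    uncovered = [s for s in t.services_in_scope if s not in t.evidence_services]
    if uncovered:
        findings.append("evidence does not cover in-scope services: " + ", ".join(uncovered))

    # Applicability Note: requirements met by a non-compliant TPSP are not in place for the entity.
    if not t.compliant and t.requirements_delegated:
        findings.append(
            "TPSP non-compliant; delegated requirements not in place for the entity: "
            + ", ".join(t.requirements_delegated)
        )
    return findings


def review_program(tpsps: list[TPSP], today: date) -> dict[str, list[str]]:
    """Run the annual review over the whole register, keyed by TPSP name."""
    return {t.name: review_tpsp(t, today) for t in tpsps}


if __name__ == "__main__":
    # Constructed sample register for demonstration only.
    register = [
        TPSP("Acme Hosting", ["hosting"], "AOC", date(2024, 9, 1), ["hosting"], ["1.2.1"]),
        TPSP("Beta Gateway", ["payment gateway", "tokenization"], "AOC", date(2024, 3, 1), ["payment gateway"]),
        TPSP("Gamma Firewall Service", ["managed firewall"], "none", None, [], ["1.2.1", "1.3.1"], compliant=False),
    ]
    for name, findings in review_program(register, date(2025, 6, 1)).items():
        print(name, "->", findings or "OK")
```

The register would normally be fed from the entity's vendor management system; the point of the check is that a TPSP with a valid AOC can still fail the review when the AOC does not cover the specific services the entity consumes, and that a lapse at a TPSP which delivers a requirement on the entity's behalf shows up as the entity's own gap.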

Further Information

For more information about third-party service providers, refer to:

  • PCI DSS section: Use of Third-Party Service Providers.
  • Information Supplement: Third-Party Security Assurance.

Purpose (summary)

Monitor TPSP compliance status at least annually.

Compliance Strategies

  • Annual compliance status review
  • Vendor risk assessments

Typical Policies

  • TPSP Compliance Monitoring Policy

Common Pitfalls

  • Missed annual reviews
  • No risk assessment

Type

Process Control

Difficulty

Moderate

Key Risks

  • TPSP compliance lapses

Recommendations

  • Integrate with vendor management program

Eligible SAQ

  • SAQ-A
  • SAQ-A-EP
  • SAQ-B
  • SAQ-B-IP
  • SAQ-C
  • SAQ-C-VT
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
