12.9 Additional requirements for service providers only
Defined Approach Requirements
Additional requirements for service providers only.
Customized Approach Objective
Service providers support their customers' PCI DSS compliance.
Sub-requirements:
12.9. TPSPs provide customers with PCI DSS compliance information.
Ensure that TPSPs provide customers, on request, with their current PCI DSS compliance status and a clear responsibility matrix stating which PCI DSS requirements the TPSP covers, which the customer covers, and which are shared.
Key Risks
Frequently Asked Questions
What compliance information must TPSPs provide?
Their current PCI DSS compliance status (for example a current Attestation of Compliance, or a statement of which services have not been validated) and a responsibility matrix showing, for each PCI DSS requirement, whether it is the TPSP's responsibility, the customer's, or shared.
How often must compliance information be provided?
Whenever a customer requests it. Because customers must themselves monitor each TPSP's compliance status at least once every 12 months, TPSPs should expect at least an annual request, and many provide updated status and responsibility information proactively on that cycle.
What is a responsibility matrix?
A document that lists each PCI DSS requirement and states whether it is performed by the TPSP, by the customer, or shared between them; for shared requirements it should describe what each party is expected to do.
What happens if a TPSP does not provide compliance information?
The customer cannot treat that TPSP's services as covered: the requirements the TPSP was expected to meet remain the customer's responsibility and must be assessed as part of the customer's own PCI DSS assessment. In practice customers escalate through account management and contract terms, and may have to move to a provider that will supply the information.
How is compliance information communicated?
Through formal documents such as an Attestation of Compliance (AOC) and the responsibility matrix, supplemented by direct customer communications such as account-management channels or a customer compliance portal.
Common QSA Questions
Can you show evidence of compliance information provided to customers?
Yes. We keep dated records of every compliance communication and of each version of the responsibility matrix shared with customers, including which customer received it and when.
How is the responsibility matrix developed and maintained?
It is maintained by the compliance function together with the owners of each service, reviewed at least annually, and updated after any significant change to the services offered or to the division of responsibilities.
How are customers notified of changes in TPSP compliance status?
Through formal written notifications, regular scheduled updates, and contract amendments where the division of responsibility changes.