How to meet PCI DSS requirement 12.9.2

One of the major hurdles my clients face is obtaining accurate, actionable information from their Third-Party Service Providers (TPSPs) during their PCI DSS assessments. Fortunately, PCI DSS Version 4 introduces changes that directly address this issue.

In the past, customers had to bear the full responsibility of gathering all the necessary compliance details from their TPSPs to meet Requirement 12.8 and its sub-requirements. However, Version 4 introduced Requirement 12.9.2, which shifts some of that responsibility back to the TPSPs themselves. This is a welcome change for many organizations. Let’s break down what this means:

Breaking Down Requirement 12.9.2

12.9.2 TPSPs support their customers’ requests for information to meet Requirements 12.8.4 and 12.8.5 by providing the following upon customer request:

Essentially, this means that when a customer requests specific compliance-related information, TPSPs are now required to provide it. The testing procedures under this requirement mandate that TPSPs have documented policies or procedures detailing how they will respond to such requests.

• PCI DSS compliance status information (Requirement 12.8.4).

If you have an AOC, you must share it with your customer. Do not give your customer a “Compliance Certificate”: it is not a valid document proving your compliance. Please see FAQ 1220. And if you’re a QSA still issuing compliance certificates, it’s time to stop. They add delay and confusion to the whole process.

  • Information about which PCI DSS requirements are the responsibility of the TPSP and which are the responsibility of the customer, including any shared responsibilities (Requirement 12.8.5), for any service the TPSP provides that meets a PCI DSS requirement(s) on behalf of customers or that can impact security of customers’ cardholder data or sensitive authentication data.

You must provide information about responsibility for the in-scope PCI DSS requirements from your customers’ perspective.

The gold standard here is to supply your customer with a PCI DSS Responsibility Matrix. This document should be created with a view of which requirements your customers would need to implement to be compliant using your solution(s).

Free Responsibility Matrix Template

Many TPSPs struggle with this, which is why we include a template in our Service Provider pack and our free sample pack. If you're not a QSA, I highly recommend consulting with one when drafting this document. Too often, responsibility matrix documents overlook the customer’s compliance perspective, and the TPSP ends up taking responsibility for requirements it should not have. If you're in need of a QSA, we might be able to assist or recommend someone in your local area. Feel free to contact us for more information.

Final Thoughts

The introduction of Requirement 12.9.2 in PCI DSS Version 4 is a significant step forward in ensuring TPSPs support their customers more effectively. By providing clear and accurate compliance information, TPSPs can help their customers meet their own PCI DSS obligations without unnecessary friction. If you're struggling to meet these requirements or need a PCI DSS Responsibility Matrix, feel free to explore our Service Provider pack or our free sample pack.
