Entries by Randy Bartels

PCI Requirement 12.9 – Additional Requirement for Service Providers Only: Service Providers Acknowledge in Writing to Customers That They are Responsible for the Security of Cardholder Data

If you are a service provider, you must comply with PCI Requirement 12.9, which states, “Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.”

PCI Requirement 12.8.2 – Maintain a Written Agreement that Includes an Acknowledgement that the Service Providers are Responsible for the Security of Cardholder Data

PCI Requirement 12.8.2 focuses on relationships with service providers and asks organizations to maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.