Service Provider Compliance
PCI Requirement 12.8.4 requires that your organization maintain a program to monitor service providers’ PCI DSS compliance status at least annually. Your service providers don’t necessarily need to be compliant, but they need to perform the services that they’re providing to you in a compliant way. Implementing this monitoring program and knowing your service providers’ compliance status provides assurance about whether they comply with the same requirements that your organization is subject to.
PCI Requirement 12.8.5 further details vendor management practices and requires that your organization maintain information about which PCI DSS requirements are managed by each service provider and which are managed by your organization itself (the assessed entity).
At least annually, you’re required to maintain a program where you’re monitoring your service providers’ compliance status. Understand that your service providers don’t necessarily need to be validated or compliant, but they need to be performing the services that they’re providing to you in a compliant way. This might be hard to understand, so I would recommend getting a hold of your assessor about this if you have any questions.
What we see in most cases is organizations that reach out to their service provider and ask them for a copy of their AOC. If your service provider can provide you with a copy of their AOC, you’re good for the next year. If they cannot provide you with an AOC, there might be a need for you to actually assess them or include them as part of your assessment that we perform on your behalf. In any event, your assessor is going to be looking for the evidence that you have to validate or to maintain this program around monitoring your service provider compliance.