Frequently Asked Questions

< Back to search page

Are OEMs and/or hardware/software resellers subject to PCI DSS Requirements 12.8 and 12.9?

FAQ Response

Original equipment manufacturers (OEMs) and equipment resellers may provision equipment initially for the CDE, but once the equipment has been provisioned, they may no longer be involved in the day-to-day operation of the product.  If the OEM simply provides a product and is not involved in its operation or maintenance, they would not be expected to implement agreements for the purposes of meeting Requirements 12.8 and 12.9.

However, if the OEM or reseller also provides additional ongoing services—such as supporting the ongoing operation of the equipment or software—or has access to their customer’s CDE, then the agreements described in 12.8 and 12.9 would be applicable for the services being offered.

Refer to PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms  for definition of Service Providers.
 
 

June 2016
Article Number 1427

Related Articles

Does a QSA need to be onsite at the client’s premises for all aspects of a PCI DSS assessment?

If a merchant develops an application that runs on a consumer’s device (e.g. smartphone, tablet, or laptop) that is used to accept payment card data, what are the merchant’s obligations regarding PCI DSS and PA-DSS for that application?

What are acceptable formats for truncation of primary account numbers?

What is the role of acquirers and assessors in determining the applicability of PCI DSS requirements for a merchant’s PCI DSS assessment?

Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for onsite assessments?