Frequently Asked Questions

< Back to search page

Are merchants required to meet PCI DSS Requirement 12.9?

FAQ Response

PCI DSS Requirement 12.9 applies only if the entity being assessed is a service provider.  Merchants and other entities that use service providers should review PCI DSS Requirement 12.8 and its sub-requirements, as this is where the controls for managing service provider relationships are defined.  Requirement 12.9 provides a corresponding control for service providers to support their customers’ need to meet Requirement 12.8.2. 

Requirement 12.9 therefore does not apply to merchants, and should be marked “N/A” for a merchant’s PCI DSS assessment.

June 2014
Article Number 1277

Related Articles

Does a QSA need to be onsite at the client’s premises for all aspects of a PCI DSS assessment?

If a merchant develops an application that runs on a consumer’s device (e.g. smartphone, tablet, or laptop) that is used to accept payment card data, what are the merchant’s obligations regarding PCI DSS and PA-DSS for that application?

What are acceptable formats for truncation of primary account numbers?

What is the role of acquirers and assessors in determining the applicability of PCI DSS requirements for a merchant’s PCI DSS assessment?

Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for onsite assessments?