Frequently Asked Questions

< Back to search page

Are merchants required to meet PCI DSS Requirement 12.9?

FAQ Response

PCI DSS Requirement 12.9 applies only if the entity being assessed is a service provider.  Merchants and other entities that use service providers should review PCI DSS Requirement 12.8 and its sub-requirements, as this is where the controls for managing service provider relationships are defined.  Requirement 12.9 provides a corresponding control for service providers to support their customers’ need to meet Requirement 12.8.2. 

Requirement 12.9 therefore does not apply to merchants, and should be marked “N/A” for a merchant’s PCI DSS assessment.

June 2014
Article Number 1277

Related Articles

Who has to comply with the PCI standards?

If a merchant develops an application that runs on a consumer’s device (e.g. smartphone, tablet, or laptop) that is used to accept payment card data, what are the merchant’s obligations regarding PCI DSS and PA-DSS for that application?

What are acceptable formats for truncation of primary account numbers?

How does encrypted cardholder data impact PCI DSS scope for third-party service providers?

How does PCI DSS apply to VoIP?