Frequently Asked Questions


Can an entity be PCI DSS compliant if they use a service provider that is validated to a previous version of PCI DSS?

FAQ Response

Yes. As entities transition between different versions of PCI DSS it may be necessary for an organization, such as a merchant, to rely on a service provider who is validated to an earlier PCI DSS version. In this instance, the service provider’s validation must have been completed prior to the expiry of the version of the standard to which they were validated, and their validation must still be current (that is, 12 months have not passed since the service provider’s validation).

As an example: A merchant validating to PCI DSS version 3 in 2015 relies on a service provider for delivery of one or more PCI DSS requirements, and the service provider's validation to PCI DSS version 2 is dated October 2014. Prior to October 2015, the merchant would still validate to version 3 and note in their ROC or SAQ that the provider who is managing those requirements on their behalf is meeting the requirements in PCI DSS version 2. After October 2015, the service provider's validation is no longer current and cannot be used as evidence of their compliance.

Entities should always contact their acquirer or the payment brands directly to determine their compliance reporting requirements, including how to report any third-party service providers. Contact details for the payment brands can be found in FAQ #1142, "How do I contact the payment card brands?"

May 2015
Article Number 1282