nerdexam
(ISC)2

CISSP · Question #125

When dealing with compliance with the Payment Card Industry-Data Security Standard (PCI- DSS), an organization that shares card holder information with a service provider MUST do which of the followin

The correct answer is B. Validate the service provider's PCI-DSS compliance status on a regular basis.. PCI-DSS requires organizations that share cardholder data with service providers to maintain ongoing oversight of those providers' compliance status. This is a formal requirement under PCI-DSS to ensure third-party risk is continuously managed.

Submitted by daniela_cl· Mar 5, 2026Security and Risk Management

Question

When dealing with compliance with the Payment Card Industry-Data Security Standard (PCI- DSS), an organization that shares card holder information with a service provider MUST do which of the following?

Options

  • APerform a service provider PCI-DSS assessment on a yearly basis.
  • BValidate the service provider's PCI-DSS compliance status on a regular basis.
  • CValidate that the service providers security policies are in alignment with those of the
  • DEnsure that the service provider updates and tests its Disaster Recovery Plan (DRP) on a yearly

How the community answered

(18 responses)
  • A
    6% (1)
  • B
    72% (13)
  • C
    6% (1)
  • D
    17% (3)

Why each option

PCI-DSS requires organizations that share cardholder data with service providers to maintain ongoing oversight of those providers' compliance status. This is a formal requirement under PCI-DSS to ensure third-party risk is continuously managed.

APerform a service provider PCI-DSS assessment on a yearly basis.

PCI-DSS does not require the sharing organization to personally perform a PCI-DSS assessment on the service provider; rather, the organization must validate the provider's compliance status, which can be done via the provider's own attestation or listing on Visa/Mastercard's compliance registries.

BValidate the service provider's PCI-DSS compliance status on a regular basis.Correct

PCI-DSS Requirement 12.8 mandates that entities maintain and monitor their service providers' PCI-DSS compliance status on a regular basis. This includes maintaining a list of service providers, having written agreements acknowledging their responsibility for cardholder data security, and monitoring their compliance status at least annually - not necessarily conducting the assessment themselves, but validating that compliance is maintained.

CValidate that the service providers security policies are in alignment with those of the

PCI-DSS does not require that a service provider's security policies be in full alignment with the hiring organization's policies; the standard focuses on the service provider meeting PCI-DSS requirements independently, not mirroring another entity's internal policies.

DEnsure that the service provider updates and tests its Disaster Recovery Plan (DRP) on a yearly

While Disaster Recovery Plan testing is a component of PCI-DSS compliance, PCI-DSS does not specifically require the hiring organization to ensure the service provider updates and tests its DRP on a yearly basis as the primary obligation when sharing cardholder data.

Concept tested: PCI-DSS service provider compliance monitoring requirements

Source: https://www.pcisecuritystandards.org/document_library/

Topics

#PCI-DSS#compliance#third-party risk#service provider management

Community Discussion

No community discussion yet for this question.

Full CISSP Practice