CISSP · Question #125
When dealing with compliance with the Payment Card Industry-Data Security Standard (PCI- DSS), an organization that shares card holder information with a service provider MUST do which of the followin
The correct answer is B. Validate the service provider's PCI-DSS compliance status on a regular basis.. PCI-DSS requires organizations that share cardholder data with service providers to maintain ongoing oversight of those providers' compliance status. This is a formal requirement under PCI-DSS to ensure third-party risk is continuously managed.
Question
Options
- APerform a service provider PCI-DSS assessment on a yearly basis.
- BValidate the service provider's PCI-DSS compliance status on a regular basis.
- CValidate that the service providers security policies are in alignment with those of the
- DEnsure that the service provider updates and tests its Disaster Recovery Plan (DRP) on a yearly
How the community answered
(18 responses)- A6% (1)
- B72% (13)
- C6% (1)
- D17% (3)
Why each option
PCI-DSS requires organizations that share cardholder data with service providers to maintain ongoing oversight of those providers' compliance status. This is a formal requirement under PCI-DSS to ensure third-party risk is continuously managed.
PCI-DSS does not require the sharing organization to personally perform a PCI-DSS assessment on the service provider; rather, the organization must validate the provider's compliance status, which can be done via the provider's own attestation or listing on Visa/Mastercard's compliance registries.
PCI-DSS Requirement 12.8 mandates that entities maintain and monitor their service providers' PCI-DSS compliance status on a regular basis. This includes maintaining a list of service providers, having written agreements acknowledging their responsibility for cardholder data security, and monitoring their compliance status at least annually - not necessarily conducting the assessment themselves, but validating that compliance is maintained.
PCI-DSS does not require that a service provider's security policies be in full alignment with the hiring organization's policies; the standard focuses on the service provider meeting PCI-DSS requirements independently, not mirroring another entity's internal policies.
While Disaster Recovery Plan testing is a component of PCI-DSS compliance, PCI-DSS does not specifically require the hiring organization to ensure the service provider updates and tests its DRP on a yearly basis as the primary obligation when sharing cardholder data.
Concept tested: PCI-DSS service provider compliance monitoring requirements
Source: https://www.pcisecuritystandards.org/document_library/
Topics
Community Discussion
No community discussion yet for this question.