GRCWatch
Sign inStart free trial

PCI DSS 12.9.1: Obtaining Written TPSP Acknowledgment of CHD Responsibility

Service providers handling cardholder data must document their security accountability. PCI DSS 12.9.1 requires third-party service providers to provide written acknowledgment that they understand and accept responsibility for protecting shared account data. This foundational requirement establishes clear contractual security expectations between your organization and vendors.

What this means

This control mandates that any third-party service provider (TPSP) with access to your shared account data or cardholder data environment (CDE) must formally acknowledge in writing their responsibility for maintaining the security of that data. The written acknowledgment serves as documented proof that the service provider understands security obligations, accepts accountability, and commits to protecting CHD. This requirement applies specifically to service providers and must be obtained before or during the vendor engagement period.

How to comply

  1. 1.Identify all third-party service providers with access to shared account data or the cardholder data environment
  2. 2.Develop a written acknowledgment template that clearly states the TPSP's responsibility for CHD security and data protection
  3. 3.Include specific language referencing PCI DSS compliance obligations and security requirements applicable to the vendor's scope
  4. 4.Obtain signed acknowledgment from each TPSP before granting access to CHD or shared account data
  5. 5.Document and maintain all executed acknowledgments as evidence of compliance
  6. 6.Review and update acknowledgments periodically or when service provider relationships change
  7. 7.Ensure acknowledgments are incorporated into vendor agreements or signed as standalone documents

Evidence auditors look for

  • Signed written acknowledgment letter from each TPSP stating responsibility for CHD security
  • Vendor contracts with explicit security responsibility clauses referencing PCI DSS 12.9.1
  • Email confirmation from TPSP acknowledging CHD protection responsibilities
  • Completed vendor security assessment forms with acknowledgment of data protection duties
  • Master service agreements (MSAs) containing service provider security responsibility language
  • Dated acknowledgment documents retained in vendor management files
  • List of all TPSPs with documented acknowledgment dates and signatures

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch streamlines TPSP management by centralizing acknowledgment tracking, automating renewal reminders, and maintaining audit-ready documentation of all vendor security commitments in one compliance platform.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 12.8 - Maintain and Implement Policies and Procedures to Manage Service ProvidersPCI DSS 12.9 - Service ProvidersPCI DSS 12.9.2 - Maintain a List of Service ProvidersPCI DSS 1.4.6 - Evaluate Service Provider Responsibilities