PCI DSS 12.9.2: Supporting Customer Requests for Third-Party Service Provider Compliance
Third-Party Service Providers (TPSPs) must actively support their customers' compliance documentation needs under PCI DSS Requirement 12.8.4. This control ensures transparency across your payment ecosystem and prevents compliance gaps that could expose customer cardholder data.
What this means
PCI DSS 12.9.2 requires TPSPs to respond to customer requests for compliance evidence and attestations. Rather than forcing customers to chase you for proof of your security controls, you must proactively provide documentation, assessment results, and compliance certifications that demonstrate your adherence to PCI DSS. This creates a chain of accountability from your organization through to your customers' compliance programs.
How to comply
- 1.Establish a formal process for receiving and responding to customer TPSP compliance documentation requests
- 2.Maintain current and accessible evidence of your PCI DSS compliance status (attestations, assessments, certifications)
- 3.Document your security controls, testing results, and vulnerability management practices in customer-ready formats
- 4.Respond to customer requests within a defined timeframe (typically 5-10 business days)
- 5.Create templated response documents that demonstrate compliance without unnecessary proprietary disclosure
- 6.Track all customer requests and your compliance evidence responses for audit purposes
- 7.Update your compliance documentation annually or after any material changes to security controls
Evidence auditors look for
- SOC 2 Type II report or PCI DSS Attestation of Compliance (AOC) from your assessor
- Current vulnerability assessment reports and remediation records
- Documented incident response procedures and testing results
- Encryption and data protection policy documentation
- Access control policies and role-based access matrices
- Customer-facing compliance questionnaire responses (SAQs or similar)
- Logs of customer information requests and response dates
- Third-party security certifications (ISO 27001, ISO 27018, etc.)
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates compliance evidence collection and generates customer-ready compliance documentation from your control inventory, eliminating manual requests and response delays while maintaining an audit trail of all customer interactions.
See how GRCWatch handles this control automatically
Start free trial