Only if your third party’s PCI DSS assessment was completed against a version of the PCI DSS that was still in effect at the time of that assessment, and their assessment is still valid (i.e., it was completed within the last 12 months), may you mark as “Not Applicable” those requirements for which you rely upon the TPSP but for which they have not yet been assessed.
The other scenario is where your TPSP assessment was completed before the effective date of the new requirements (April 1, 2025). Those future-dated new requirements – that the TPSP will be responsible for meeting on your behalf – were not included in their assessment. The TPSP may mark these as “Not Applicable,” in which case where they impact your assessment, you can also mark them as “Not Applicable,” until the next time you and your TPSP need to complete your assessment.
There are a couple of FAQs that explain the scenarios here: FAQ 1282 and 1564.