Yes, you can.

If your third party’s PCI DSS assessment is current (that is, completed within the last 12 months) and was against the version of the PCI DSS current at the time of that assessment (so v3.2.1), then your assessor may mark as “Not Applicable” those Requirements for which you rely upon the TPSP but for which they have not yet been assessed.

The other scenario is where your TPSP has been assessed to version 4.0 but that assessment was completed prior to the effective date of new Requirements. Those future-dated new Requirements – that the TPSP will be responsible for meeting on your behalf – were not included in the TPSP’s assessment; they are marked as “Not Applicable”. This means that, for your own assessment, those new Requirements for which you will rely upon the TPSP can again be marked as “Not Applicable” by your own assessor.

There are a couple of FAQs that explain the scenarios here: FAQ 1282 and 1564.