Changes to the PCI DSS scope of application for service providers with low PCI DSS responsibility

Supporting system providers

Nowadays, many different parties are often involved in enabling end customers to pay with credit cards in merchants’ stores or web shops. Most merchants have outsourced payment processing to payment service providers (PSPs) in such a way that they are eligible to fill in a small PCI DSS self-assessment questionnaire (SAQ), such as SAQ A for e-commerce or SAQ B-IP for point-of-sale.

Many merchants additionally use other service providers to assist them with technology – e.g. to provide web shops, or to manage network components or web servers. These additional providers usually have no access to cardholder/account data or to the encryption, so their security impact is much smaller than that of the PSPs. Let’s call them “supporting system providers”.

Supporting system providers still carry a small PCI DSS responsibility, as they help their merchants operate the systems securely and fulfil some PCI DSS requirements.

Former scoping practice

For a long time, assessor companies used the merchants’ SAQ as a starting point for defining the scope and the applicable PCI DSS requirements of such supporting system providers. They did not use the merchants’ SAQ as such, of course (that is only allowed for merchants, not for service providers), but they still started with the merchants’ SAQ set of requirements and added some service-provider-specific requirements that they considered applicable in addition.

Clarification by PCI SSC

Over the previous year, the PCI Security Standards Council (PCI SSC) published more and more clarifications on this topic. It started with the PCI SSC stressing that a service provider is not allowed to use a merchant’s SAQ (which has always been the case, but not all parties seemed to be aware of it).

Last year, they started adding more clarifications to their FAQ entries, such as:

  • “It was never the intent that a service provider uses a merchant SAQ to determine applicable requirements for a service provider’s PCI DSS assessment. […] All PCI DSS requirements must be considered when scoping a service provider’s assessment to determine which requirements are applicable to the service being provided and the systems providing that service. To the extent that a given service provider offers a limited service for merchants, […] those service providers are still expected to comply with all applicable PCI DSS requirements related to the service and the systems that provide that service.” (FAQ entry 1578, June 2024)
  • “A TPSP that only provides evidence that it meets a limited set of SAQ requirements applicable to a merchant (for example, SAQ A or an SAQ A Attestation of Compliance (AOC)) has not provided sufficient evidence of PCI DSS compliance for its merchant customers.” (FAQ entry 1065, updated November 2024)
  • “Service providers cannot use SAQ eligibility criteria to determine applicability of PCI DSS requirements for assessments documented in a Report on Compliance (ROC).” (FAQ entry 1331, updated May 2025)

So the PCI SSC sees far more responsibility on a provider’s side than on a merchant’s side, even when both perform exactly the same task – mainly because a provider usually provides the service for multiple entities, which results in a higher risk.

PCI DSS scoping for supporting system providers

PCI DSS assessors have to follow the PCI SSC instructions. For that reason, the approach to supporting system providers had to change. If you are a supporting system provider and are only responsible for some supporting technology services, it can therefore happen that your QSA requires you to comply with more PCI DSS requirements this year than in previous years – e.g. additional requirements on access control, on malware protection, or on logging and monitoring.

Please be prepared for additional coordination with your PCI DSS assessor to align on which requirements are applicable.
