PCI DSS Vendor Due Diligence: What Requirement 12.8 Actually Demands

PCI DSS 4.0 Requirement 12.8 contains five sub-requirements:

12.8.1 — Maintain a list of all TPSPs with which account data is shared or that could affect the security of account data, including a description of each service provided. This is your vendor inventory — and the QSA will compare it against actual data flows.

12.8.2 — Maintain written agreements with all TPSPs that include the TPSP's acknowledgment of their responsibility for the security of account data they possess, or to the extent they could impact the security of the entity's cardholder data environment. BAAs, DPAs, or specific PCI-responsibility clauses in master service agreements satisfy this.

12.8.3 — Establish a process for engaging TPSPs, including proper due diligence prior to engagement. This means documented vendor risk assessment before onboarding — not after.

12.8.4 — Monitor TPSPs' PCI DSS compliance status at least annually. Check whether they maintain a current AOC (Attestation of Compliance) or SAQ (Self-Assessment Questionnaire).

12.8.5 — Maintain information about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any shared between the TPSP and the entity. This is the responsibility matrix.

Any vendor that stores, processes, or transmits cardholder data is in scope for 12.8. But PCI DSS 4.0 extends this to vendors that "could affect the security of" the cardholder data environment — a broader scope than previous versions. This includes: payment processors and gateways, hosting providers for cardholder data environments, managed security service providers, tokenization vendors, penetration testing firms, and potentially cloud infrastructure providers even if they don't directly handle card data. Your QSA will review your vendor inventory against your network diagram and data flow documentation to identify gaps.

During a PCI DSS assessment, your QSA evaluates vendor management across several dimensions:

Completeness of vendor inventory. Are all TPSPs listed? Does the list match data flow documentation? Are descriptions accurate?

Written agreements. Does each TPSP have a documented agreement acknowledging their PCI responsibilities? Are agreements current?

Due diligence evidence. Is there documented risk assessment for each TPSP? Was it performed before onboarding? What sources were checked?

Annual monitoring. Can you show annual review of each TPSP's compliance status? Do you have current AOCs or evidence of PCI compliance for each?

Responsibility matrix. Is there clear documentation of which PCI requirements each TPSP manages vs. which you manage? Are shared responsibilities explicitly defined?

The QSA may sample 3-5 vendors and trace through the full documentation chain for each.

Requirement 12.8.4 mandates at least annual monitoring of TPSP PCI DSS compliance status. In practice, this means: requesting current AOC or SAQ from each TPSP annually, verifying the attestation is current (not expired), checking whether the TPSP's scope of attestation covers the services they provide to you, and documenting the review date and reviewer. For vendors that don't have a PCI attestation, document your risk assessment and compensating controls. Not having an AOC isn't disqualifying — but it requires documented justification and additional risk mitigation.

Incomplete TPSP inventory. The most common finding. Teams forget about SaaS tools that touch reporting data, cloud services that host parts of the CDE, or vendors that provide security services. Build your inventory from payment flow diagrams, not just procurement records.

Missing responsibility matrices. 12.8.5 is new in PCI DSS 4.0 and many organizations haven't built these yet. For each TPSP, document which PCI requirements they handle, which you handle, and which are shared.

Expired or missing AOCs. Annual monitoring means current documentation. An AOC from 2023 doesn't satisfy 2025 monitoring requirements. Set calendar reminders for annual AOC requests.

No pre-engagement due diligence. 12.8.3 requires due diligence before engaging a TPSP. If you can't show assessment documentation dated before the vendor was onboarded, it's a finding. For existing vendors, document your retrospective assessment.

Self-reported compliance claims without verification. A vendor saying "we're PCI compliant" on their website is not evidence. Request the AOC or conduct independent verification.