In service provider arrangements (Req 12.9), what must a service provider acknowledge in writing?

• A. They are not responsible
• B. They are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment.
• C. They provide annual incident reports
• D. They must share data with customer monthly

Answer: (B)

The central idea here is establishing clear accountability in service provider arrangements. When a service provider handles cardholder data for a customer, PCI DSS requires that they acknowledge in writing that they are responsible for the security of the cardholder data they possess, store, process, or transmit on the customer’s behalf, and for anything that could impact the security of the customer’s cardholder data environment. This written acknowledgment makes security responsibilities explicit, ensuring both parties understand who is responsible for controls, monitoring, and incident response in those systems. It isn’t about the provider denying responsibility, and it doesn’t mandate annual incident reports or monthly data sharing—that would be governed by separate requirements or contractual terms.