GRCWatch
Sign inStart free trial

PCI DSS 12.8.4: Monitor TPSP Compliance at Least Annually

Your third-party service providers handle sensitive payment data, making their compliance your responsibility. PCI DSS 12.8.4 requires documented annual monitoring of each TPSP's PCI DSS compliance status. This control ensures you maintain visibility into vendor security postures and address gaps before they become breaches.

What this means

Organizations must establish and maintain a documented program that monitors all third-party service providers (TPSPs) for PCI DSS compliance status on a minimum annual basis. This requirement ensures that vendors handling payment card data or having access to cardholder information environment (CDE) remain compliant with PCI DSS standards. Monitoring must be systematic, documented, and cover all in-scope TPSPs regardless of their role or data access level.

How to comply

  1. 1.Create a comprehensive inventory of all TPSPs with access to payment data or the CDE
  2. 2.Define monitoring frequency requirements and document them in your compliance program
  3. 3.Establish criteria for assessing TPSP PCI DSS compliance (attestations, audit reports, assessments)
  4. 4.Schedule annual compliance reviews for each TPSP and document the completion date
  5. 5.Request and review PCI DSS compliance documentation from each vendor (AOC, SAC, or RoC)
  6. 6.Document assessment results, including compliance status and any identified deficiencies
  7. 7.Follow up on non-compliance findings with remediation timelines and verification
  8. 8.Maintain audit evidence showing monitoring completion and outcomes for each annual period
  9. 9.Escalate critical compliance gaps to management and implement corrective actions

Evidence auditors look for

  • Annual TPSP compliance monitoring schedule with documented completion dates
  • PCI DSS Attestations of Compliance (AOC) received from service providers
  • Service Auditor Compliance (SAC) reports for TPSPs performing assessments
  • Report on Compliance (RoC) documents from qualified assessors
  • Email correspondence requesting and receiving compliance documentation
  • TPSP compliance assessment worksheets documenting review procedures and findings
  • Remediation tracking logs for non-compliance items identified during monitoring
  • Management sign-off on annual monitoring results and compliance status
  • TPSP spreadsheet or database tracking compliance status and expiration dates

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates TPSP compliance tracking by centralizing vendor attestations, scheduling annual monitoring cycles, and generating audit-ready evidence reports—eliminating manual spreadsheet management and ensuring no vendor falls through the cracks.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 12.8.1 - Maintain TPSP listPCI DSS 12.8.2 - Maintain written agreements with TPSPsPCI DSS 12.8.3 - Ensure TPSP responsibility for securityPCI DSS 12.8.5 - Document TPSP interactions