PCI DSS 12.9.1: Obtaining Written TPSP Acknowledgment of CHD Responsibility
Service providers handling cardholder data must document their security accountability. PCI DSS 12.9.1 requires third-party service providers to provide written acknowledgment that they understand and accept responsibility for protecting shared account data. This foundational requirement establishes clear contractual security expectations between your organization and vendors.
What this means
This control mandates that any third-party service provider (TPSP) with access to your shared account data or cardholder data environment (CDE) must formally acknowledge in writing their responsibility for maintaining the security of that data. The written acknowledgment serves as documented proof that the service provider understands security obligations, accepts accountability, and commits to protecting CHD. This requirement applies specifically to service providers and must be obtained before or during the vendor engagement period.
How to comply
- 1.Identify all third-party service providers with access to shared account data or the cardholder data environment
- 2.Develop a written acknowledgment template that clearly states the TPSP's responsibility for CHD security and data protection
- 3.Include specific language referencing PCI DSS compliance obligations and security requirements applicable to the vendor's scope
- 4.Obtain signed acknowledgment from each TPSP before granting access to CHD or shared account data
- 5.Document and maintain all executed acknowledgments as evidence of compliance
- 6.Review and update acknowledgments periodically or when service provider relationships change
- 7.Ensure acknowledgments are incorporated into vendor agreements or signed as standalone documents
Evidence auditors look for
- Signed written acknowledgment letter from each TPSP stating responsibility for CHD security
- Vendor contracts with explicit security responsibility clauses referencing PCI DSS 12.9.1
- Email confirmation from TPSP acknowledging CHD protection responsibilities
- Completed vendor security assessment forms with acknowledgment of data protection duties
- Master service agreements (MSAs) containing service provider security responsibility language
- Dated acknowledgment documents retained in vendor management files
- List of all TPSPs with documented acknowledgment dates and signatures
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch streamlines TPSP management by centralizing acknowledgment tracking, automating renewal reminders, and maintaining audit-ready documentation of all vendor security commitments in one compliance platform.
See how GRCWatch handles this control automatically
Start free trial