PCI DSS is not a law. It is a contractual standard maintained by the PCI Security Standards Council, enforced through the contracts between card brands (Visa, Mastercard, Amex, Discover, JCB), acquirers, and merchants. Any entity that stores, processes, or transmits cardholder data is subject to PCI DSS, and failure to comply can result in fines, increased transaction fees, or loss of card-acceptance privileges.
Scope and levels
Merchants are tiered by transaction volume into Levels 1-4, with corresponding validation requirements (annual on-site audit by a Qualified Security Assessor at Level 1, self-assessment questionnaires at lower levels).
Service providers — third parties that provide services to merchants involving card data — have their own tiering (Level 1 and 2) and obligations.
Requirement 12.8 — Service Provider Management
PCI DSS Requirement 12.8 specifically addresses third-party service providers. The current sub-requirements:
- 12.8.1 — Maintain a list of service providers.
- 12.8.2 — Maintain a written agreement that includes the service provider's responsibility for cardholder data security.
- 12.8.3 — A documented process for engaging service providers, including due diligence prior to engagement.
- 12.8.4 — A program to monitor service providers' PCI DSS compliance status at least annually.
- 12.8.5 — Information on which PCI DSS requirements are managed by each service provider, which are managed by the entity, and which are shared.
Requirement 12.8.4 — annual monitoring — is the core ongoing-oversight obligation. The expectation is that the merchant or service provider obtains, reviews, and retains evidence of each service provider's compliance status (Attestation of Compliance, Report on Compliance summary, or equivalent) on at least an annual basis.
What "monitoring" means here
Compared to GDPR or SOC 2, PCI DSS monitoring is more documentary and less continuous. The annual checkpoint is the headline obligation, but several subsidiary expectations fill the gaps between annual checkpoints:
- Tracking attestation expiry. Service provider AOCs are dated; an expired AOC is a finding.
- Tracking scope changes. A service provider whose PCI scope has narrowed may have moved part of the cardholder data flow out of validated systems.
- Tracking incidents. A service provider involved in a publicly-disclosed breach affecting cardholder data is a concern in its own right, independent of whether its attestation is still current.
- Tracking sub-service providers. PCI DSS 4.0 strengthened requirements around the chain of service providers, with explicit visibility into the responsibility allocation.
v4.0 changes relevant to vendor monitoring
PCI DSS v4.0 (mandatory from March 2025) made several changes that affect vendor oversight:
- More explicit responsibility allocation between the entity and its service providers (Requirement 12.8.5).
- Customised approach option, allowing entities to demonstrate compliance through alternative means — but with additional documentation and evidence requirements.
- Targeted Risk Analysis required for several controls, including those involving service providers.
- Stronger expectations around third-party software used in the cardholder data environment.
What vendor monitoring looks like under PCI DSS
The compliance pattern complements GDPR/SOC 2 monitoring rather than competing with it. Specific PCI items to track on service providers:
- AOC validity dates. Calendar reminders for re-attestation.
- Scope statements. Did the service provider's validated scope change?
- Service-provider-specific responsibility documents. PCI DSS v4.0 expects clear delineation; document the matrix.
- Encryption claims. PCI requires encryption of cardholder data in transit and at rest; vendor changes affecting encryption posture matter.
- Tokenisation strategies. Many merchants narrow their PCI scope by using a tokenisation vendor; that vendor's controls become disproportionately important.
Penalties
PCI penalties flow through contractual relationships rather than direct regulator action. They include:
- Fines from card brands (commonly $5,000-$100,000 per month for unresolved findings).
- Increased per-transaction fees.
- Loss of card-acceptance privileges in severe cases.
- Mandatory forensic investigation costs after a breach.
A breach involving cardholder data also typically triggers state breach notification laws and, in many cases, FTC consent orders — meaning a single incident can produce contractual, regulatory, and class-action consequences in parallel.