What does Req 12.8.1 require you to do regarding service providers?

Multiple Choice

What does Req 12.8.1 require you to do regarding service providers?

Explanation:
In PCI DSS, Requirement 12.8 covers how you manage third-party service providers that have access to cardholder data or could affect the security of your environment. The goal is visibility into every external party involved and oversight of each one through appropriate agreements and controls.

Requirement 12.8.1 specifically requires you to ensure there is a current, maintained list of service providers. In practice, the testing procedures look for evidence that this list exists and is kept up to date, especially when providers are added or removed. This is why the best answer emphasizes verifying that a list of service providers is maintained: the organization must be able to show that the list is current and has been kept up to date, not just that such a list exists in theory.

So the emphasis is on demonstrable upkeep of the list, which assessors verify, rather than on a one-time creation alone. The other options aren't correct because they either suggest not maintaining the list, limit it to IT vendors, or misrepresent the ongoing verification that the requirement and its testing procedures imply.
