PCI DSS 4.0.1 · 20 QUESTIONS · FREE TEMPLATE

PCI DSS Service Provider Questionnaire — 25 questions merchants ask before sharing CHD

If you store, process, or transmit cardholder data on behalf of a merchant, you're a PCI DSS Service Provider. Before sharing CHD, the merchant's QSA will send these questions to validate your scope and AOC.

Total questions: 20
Categories: 6
Typical timeline: 5–10 business days
Effort: 10–20 hours
Who requests it:
  • Merchant QSAs and ISA teams
  • Acquiring bank vendor-management
  • Brand compliance officers (Visa, Mastercard, AmEx)
Who fills it out:
  • PCI lead / QSA-of-record liaison
  • Often the CISO and Head of Payments co-sign

The questionnaire — every question, inline

1. PCI Scope & Validation (4 questions)

Your AOC, ROC, and CDE definition.
  1.1 Provide current PCI DSS Attestation of Compliance (AOC) — service provider type, validated version (4.0 / 4.0.1), assessor name, validation date. [Critical]
  1.2 Are you a Level 1 or Level 2 service provider? What annual transaction volume do you process on behalf of merchants? [High]
  1.3 Provide the Responsibility Matrix (Appendix A in your AOC) — which controls are managed by you vs the customer? [Critical]
  1.4 Will you supply a copy of the Report on Compliance (ROC) under NDA on request? [High]

2. Cardholder Data Environment (CDE) & Segmentation (3 questions)

What touches CHD and how it's isolated.
  2.1 Describe the data flow from merchant to your CDE — which data elements (PAN, CVV, expiry, name) are captured, in what form (raw, tokenised, encrypted)? [Critical]
  2.2 How is the CDE segmented from non-CDE networks? Provide the segmentation test report (Req 11.4.5). [Critical]
  2.3 Is SAD (Sensitive Authentication Data) ever stored after authorisation? It must not be (Req 3.2.1). [Critical]

3. Encryption & Key Management (4 questions)

Requirements 3 and 4.
  3.1 PAN encryption at rest — algorithm, key length, key management provider, HSM type. Confirm Req 3.5 compliance. [Critical]
  3.2 PAN transmission over open networks — TLS version, cipher suites, certificate authorities (Req 4.2). [Critical]
  3.3 Key custodian dual control, split knowledge, key rotation cadence (Req 3.6). [High]
  3.4 Is tokenisation offered? If yes, where do raw PANs land and how long are they retained pre-tokenisation? [High]
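A defender-side self-check a service provider could run over a data-store export before answering 2.3 (no SAD retained after authorisation) and 3.1 (no readable PAN at rest). This is an added example, not part of the questionnaire or any vendor's tooling; the record layout, field names and card numbers are constructed (the PANs are well-known industry test numbers).

```python
import re

# Constructed sample export: record layout and field names are assumed, and the
# PANs are well-known industry test numbers, not real cards.
SAMPLE_RECORDS = [
    {"txn_id": "c1", "pan": "4111111111111111", "expiry": "12/27", "status": "authorised"},
    {"txn_id": "c2", "pan": "tok_8f3a1c", "expiry": "09/26", "status": "authorised"},
    {"txn_id": "c3", "pan": "5555555555554444", "cvv": "123", "status": "authorised"},
    {"txn_id": "c4", "pan": "4111111111111111",
     "track2": "4111111111111111=27121010000000", "status": "pending"},
]

# Field names that hold Sensitive Authentication Data (SAD). Req 3.2.1: SAD must
# not be retained after authorisation, even if encrypted.
SAD_FIELDS = {"cvv", "cvc", "cvv2", "cid", "track1", "track2", "pin", "pin_block"}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, used to tell a PAN from any other digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_raw_pan(value) -> bool:
    """True for a plaintext 13-19 digit Luhn-valid PAN; tokens and masked values fail."""
    return isinstance(value, str) and re.fullmatch(r"\d{13,19}", value) is not None and luhn_ok(value)


def find_sad_after_auth(records):
    """Question 2.3: list (txn_id, field) pairs where SAD survives past authorisation."""
    findings = []
    for rec in records:
        if rec.get("status") != "authorised":
            continue  # in-flight records may legitimately still carry SAD
        findings.extend((rec["txn_id"], f) for f in rec if f.lower() in SAD_FIELDS and rec[f])
    return findings


def find_readable_pans(records):
    """Question 3.1: list (txn_id, field) pairs holding a PAN that is neither encrypted nor tokenised."""
    return [(rec["txn_id"], f) for rec in records for f, v in rec.items() if is_raw_pan(v)]


if __name__ == "__main__":
    for txn, field in find_sad_after_auth(SAMPLE_RECORDS):
        print(f"SAD retained after authorisation: {txn}.{field}")
    for txn, field in find_readable_pans(SAMPLE_RECORDS):
        print(f"readable PAN at rest: {txn}.{field}")
```

A clean export should return empty lists from both functions; any hit is an item to fix before the AOC is signed, not something to explain away in the answer.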

4. Access Control & Logging (3 questions)

Requirements 7, 8, 10.
  4.1 MFA enforced for all administrative CDE access and all non-console access (Req 8.4 / 8.5)? [Critical]
  4.2 Audit logs of all CDE access — retention minimum 1 year, 3 months immediately accessible (Req 10.5)? [Critical]
  4.3 Log review process — daily for critical assets (Req 10.4)? SIEM or manual? [High]

5. Vulnerability & Penetration Testing (3 questions)

Requirements 6, 11.
  5.1 ASV scans quarterly (Req 11.3.2) — provide the most recent passing scan certificate. ASV name? [Critical]
  5.2 Annual internal and external penetration test (Req 11.4) — most recent date, provider, executive summary? [High]
  5.3 Secure SDLC — Req 6.2 / 6.3 controls (training, SAST, code review, change management). [High]

6. Incident Response & Sub-Service Providers (3 questions)

Requirements 12.10, 12.8.
  6.1 Documented IR plan tested annually (Req 12.10.2)? Provide last test date and outcomes. [High]
  6.2 Maintain a list of all TPSPs (Req 12.8.1) with their PCI DSS responsibility and AOC status? [Critical]
  6.3 Written agreements with TPSPs acknowledging responsibility for the CHD they handle (Req 12.8.2)? [High]

Want this pre-filled with YOUR controls?

Run a free PCI DSS 4.0.1 audit. ComplianceIQ uses your audit responses and generated policies to populate an answer pack you can paste into any SIG, CAIQ, or custom enterprise questionnaire — in minutes, not days.


FAQ

What's the difference between AOC and ROC?
AOC = Attestation of Compliance, a shareable summary signed by your QSA. ROC = Report on Compliance, the full 300+ page assessment. Provide the AOC freely under cover; provide the ROC only under NDA on request.
We're a Level 4 merchant ourselves but a service provider to others — what level?
Levels are different for SPs vs merchants. SP Level 1 = >300K Visa transactions/yr stored/processed/transmitted; SP Level 2 = anything under that. Confirm with each card brand.
Do we need a QSA or can we self-assess via SAQ-D?
Service providers generally require a QSA-led ROC + AOC. SAQ-D for service providers exists only for very specific scenarios — most enterprise merchants will refuse self-assessment.
How big are PCI fines really?
Fines are not paid to the PCI Council; they are paid to the card brands via your acquirer. Target paid $202M (2013 breach). Heartland paid $145M+. On top of that come per-card reissuance costs and per-transaction fines for non-compliance.


What happens when these answers are wrong

Target: ~$202M. HVAC vendor credentials → 40M payment cards + 70M customer records.
Marriott International: £18.4M. Starwood acquisition inherited a 4-year undetected breach; 339M records.
