Ask a QSA

Ask a QSA

‘Ask a QSA’ has received a number of queries recently, the below question is somewhat unusual but is something that will resonate with some of our clients. Seasoned QSA, Natasja Bolton stepped up to the challenge.


Do acquirers need to be listed as a service provider in Part 2f of the SAQ or included in the merchant’s fulfilment of Requirement 12.8? 


Natasja Bolton, Acquirer Support Manager

In helping merchants complete their Self Assessment Questionnaire (SAQ) the Sysnet Contact Centre and our QSA team are often asked this question whether the merchant’s acquirer needs to be listed as a service provider in Part 2f of the SAQ or included in the merchant’s fulfilment of Requirement 12.8 (service provider management).


Webpage URL

Find out more about our PCI DSS compliance services by clicking the button below


Conveniently the PCI SSC has published an FAQ that answers this very question;


Are acquirers considered service providers for the purpose of PCI DSS Requirements 12.8 and 12.9?


Service providers include business entities that are not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This includes organizations providing acquiring services – for example, payment gateways, PSPs, ISOs etc. 


However, an entity that acquires a merchant’s payment transactions and is defined by a payment brand to be an acquirer is not considered a service provider for that particular merchant’s PCI DSS compliance for the purpose of Requirements 12.8.


If the acquirer provides other services to the merchant, for example management of the merchant’s payment terminals, then the merchant and acquirer should work together to understand which party is responsible for managing the applicable PCI DSS requirements for the services provided.


Whether acquirers are required to validate PCI DSS compliance, including Requirement 12.9, is determined by the individual payment brands


This FAQ leads us to conclude that an acquirer, if acting as a provider of services to a merchant (e.g. as a ‘merchant agent’ or ‘merchant servicer’), should be considered a service provider in scope for Requirement 12.8.


Like this Article?

Subscribe to receive more tips & news about Cyber Security, Compliance and a lot more!

  • Sysnet Global Solutions will use the information you provide on this form to be in touch with you regarding non-promotional as well as promotional material by email and phone. If you agree to same, then please select the ‘I consent’ box after reading the terms and conditions listed below in relation to consent. You can change your mind at any time by clicking the unsubscribe link in the footer of any email you receive from us, update your preferences for communications, content etc. by clicking on the update my preferences button in any email we send you or by contacting us at We will treat your information with respect. For more information about our privacy practices please visit our website. By clicking below, you agree that we may process your information in accordance with these terms. We use Pardot as our marketing automation platform. By clicking below to submit this form, you acknowledge or agree that the information you provide will be transferred to Pardot for processing in accordance with their Privacy Policy and Terms