12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
12.8.4 Verify that the entity maintains a program to monitor its service providers’ PCI DSS compliance status at least annually.
Knowing your service providers’ PCI DSS compliance status provides assurance and awareness about whether they comply with the same requirements that your organization is subject to. If the service provider offers a variety of services, this requirement should apply to those services delivered to the client, and those services in scope for the client’s PCI DSS assessment.
The specific information an entity maintains will depend on the particular agreement with its providers, the type of service, etc. The intent is for the assessed entity to understand which PCI DSS requirements its providers have agreed to meet.