What must a written agreement with a service provider include under Req 12.8.2?

• A. Observe written agreements and confirm they include an acknowledgement by service providers that they are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment.
• B. They provide annual reports
• C. They are exempt from PCI DSS
• D. They don't attest responsibility

Answer: (D)

This item tests how you formalize accountability with third-party providers. Under PCI DSS, a written agreement with a service provider must include an explicit acknowledgement that the provider is responsible for the security of cardholder data they possess, store, process, or transmit on behalf of the customer, or in any way that could affect the customer’s cardholder data environment. This makes security responsibilities clear in contract and ensures the provider cannot overlook protection of the data.

Annual reports, exemptions from PCI DSS, or statements that the provider does not attest responsibility do not reflect this contract-based accountability requirement. The standard is about making security responsibility explicit in the agreement.