Section 12.8 requirements


Dan Boyer
04-19-2007, 10:03 AM
The PCI DSS 12.8 requirements for third-party contracts where cardholder data is exchanged are a bit vague. Specifically, 12.8.1 reads:

12.8.1 Service providers must adhere to the PCI DSS requirements

Does anyone know of or have a definition for what "must adhere" means? Do they have to be a PCI certified service provider? If not, what would the assessor need from the third party to satisfy the "must adhere to" requirement?

Thanks

lyalc
04-20-2007, 05:07 AM
A formal letter, on letterhead, stating a commitment to adhere to PCI-DSS and signed by a senior officer of the company would suffice.
Contract terms/clauses would be another option.

PCI certificate of compliance would also help, but that's also required in 12.10.

Dan Boyer
04-20-2007, 08:20 AM
Thank you for your response, and yes, 12.10 uses a similarly vague "ensure" descriptor. Does the same letter ensuring PCI compliance hold water with the assessors? :)

lyalc
04-20-2007, 04:00 PM
Yes, provided the letter covered both aspects:
- Commitment to adhere to PCI
- Evidence that PCI compliance currently exists, when it expires etc.

Some card brands/regions list compliant service providers on web sites, so the letter could just refer to those (supposing the info is up to date).

Lyal