The service provider acknowledgement requirement may be satisfied by:

• A. Always include the exact wording of PCI DSS Requirement 12.9.
• B. Be tailored to the agreement and responsibilities; exact wording is not required.
• C. Only be provided verbally.
• D. Be signed every month.

Answer: (B)

Understanding how service provider acknowledgement works is about documenting who is responsible for protecting cardholder data when third parties are involved. The requirement is satisfied by a written agreement or formal process that clearly outlines the service provider’s security duties and how they align with the card data environment; you don’t need to copy the exact PCI DSS wording into the contract. Tailoring the acknowledgement to the specific services and responsibilities ensures both sides know who does what, how compliance will be demonstrated, and how changes or incidents will be handled. Verbal acknowledgement isn’t sufficient because a formal, enforceable record is needed, and signing every month isn’t a standard requirement.