I think that everyone would agree that a service provider does not necessarily have to be independently “assessed” as PCI DSS compliant. They could also be assessed as part of the assessed entity’s assessment. But do they need to be “assessed” or “compliant” at all?
I think it’s a risk-based decision that depends on the service provided (does a company like DUO need to be assessed as PCI DSS compliant for providing an MFA service to an assessed entity?). The final call will always be with the card brands and acquirers as per FAQ 1312. The Third-Party Security Assurance Information Supplement from March 2016 is probably the best guidance to managing the risk to cardholder data imposed by third-party service providers (TPSPs). That information supplement will reinforce the opinion that the TPSP is going to have to at least be “compliant” with applicable PCI DSS controls.
“Connected to” service providers are a whole ‘nother kettle of fish that can pose a risk to cardholder data without even being involved in providing a directly related service, and this information supplement considers that. And this FAQ makes it pretty clear that if your TPSP was ever assessed as compliant, they had better stay up to date.
If you ask me, I will say that NO, you may not use a non-compliant TPSP.