Which statement is accurate about 12.8.5's requirement?

• A. Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
• B. Service providers are always responsible for all PCI DSS requirements.
• C. The entity has no responsibility for PCI DSS.
• D. Maintain information about the service providers' data privacy policies.

Answer: (A)

Understanding how responsibility is shared with service providers is essential for PCI DSS. 12.8.5 requires maintaining information about which PCI DSS requirements are managed by each service provider and which are managed by the entity. This creates a clear, auditable map of obligations so security controls are not overlooked and both parties know their duties. For example, a merchant using a cloud service would document that the provider handles certain network security aspects while the merchant remains responsible for protecting access to systems and any cardholder data within their control. The other statements misstate the balance of responsibility or focus on data privacy policies rather than the explicit allocation of PCI DSS responsibilities.