What is a PCI DSS Responsibility Matrix?

A PCI DSS responsibility matrix is a document from a service provider that spells out, requirement by requirement, which PCI DSS controls the provider covers and which remain the merchant's job.

A PCI DSS responsibility matrix is a document your payment service provider gives you that maps every relevant PCI DSS requirement to whoever is responsible for it — the provider, you, or both. It's how you prove that the controls you're relying on a third party for are actually covered.

Why the matrix exists

PCI DSS lets you use service providers to handle parts of your cardholder data environment, but it doesn't let you outsource accountability. Requirement 12 expects you to keep a list of your providers and to know exactly which requirements each one manages on your behalf. The responsibility matrix is the standard way providers answer that question.

Without one, an assessor or acquirer has no way to tell whether a control is genuinely covered or has quietly fallen into the gap between you and your provider — and the gaps are where breaches live.

How to read one

A good matrix lists each PCI DSS requirement (or sub-requirement) with one of three answers: the provider is responsible, the merchant is responsible, or the responsibility is shared. Shared rows deserve the most attention — they usually mean the provider runs the control but you have to configure or use it correctly.

Check the matrix against the provider's Attestation of Compliance (AOC). The AOC proves the provider was assessed; the matrix tells you what that assessment actually covered for customers like you.

What it means for your SAQ

The more requirements your provider takes on, the shorter your own self-assessment questionnaire becomes. A provider that keeps cardholder data off your systems entirely — for example by capturing card digits before they reach your phone lines — can move a contact centre from SAQ D towards SAQ A, and the matrix is the paperwork that backs that up.

How Paytia Uses This

Paytia is a PCI DSS Level 1 service provider, and we give every customer a responsibility matrix showing which requirements we cover when card capture happens on our platform instead of yours. Because DTMF masking keeps card data off your agents, recordings and network, most of the heavy controls sit on our side of the matrix — which is exactly what lets your assessment shrink to SAQ A. Details on our own certification are on the PCI DSS compliance page.

Frequently Asked Questions

Who provides the PCI responsibility matrix?+

Your service provider does. Any provider that touches cardholder data on your behalf should hand you a matrix alongside their Attestation of Compliance — if they can't, that's a warning sign.

Is a responsibility matrix mandatory?+

PCI DSS requires you to track which requirements each of your service providers manages on your behalf, and the matrix is the accepted way to evidence it. Assessors and acquiring banks routinely ask for it.

What's the difference between a responsibility matrix and an AOC?+

The AOC proves the provider passed its own PCI DSS assessment. The matrix tells you which requirements that assessment covers for you as their customer. You generally need both.

How does the matrix affect my SAQ?+

Directly. The more requirements sit on the provider's side, the fewer controls you have to evidence yourself — it's the paperwork behind dropping from SAQ D to a shorter questionnaire like SAQ A.

How often should it be updated?+

Ask for a current version at least annually, and whenever the provider's service or your integration changes. A matrix dated two assessments ago tells you very little.

See how Paytia handles pci dss responsibility matrix

Book a personalised demo and we'll show you how our platform works with your setup.

PCI DSS Level 1
Cyber Essentials Plus

Trusted by law firms, insurers, healthcare providers and regulated businesses worldwide. Learn more about Paytia