How often must an entity monitor a service provider's PCI DSS compliance status under Req 12.8.4?


Multiple Choice

How often must an entity monitor a service provider's PCI DSS compliance status under Req 12.8.4?

Explanation:
The key idea is that a service provider's PCI DSS compliance must be monitored on an ongoing basis, not checked once and assumed. Under Req 12.8.4, an entity must have a program to monitor each service provider's PCI DSS compliance status at least once every 12 months, and should keep evidence of that review (for example, the provider's current Attestation of Compliance and the date it was checked). The point of the recurring check is to catch changes in the provider's environment, scope, or controls that could affect the security of the cardholder data it handles on the entity's behalf. More frequent reviews are sensible after a change or an incident, but the minimum baseline the requirement sets is annual. The other options do not fit: verifying only at the initial engagement ignores ongoing risk, a two-year or twice-a-year cadence is not what the requirement specifies as the minimum, and never monitoring would leave the provider's status entirely unassessed.