What must be maintained under Req 12.8.5 regarding assignments of PCI DSS responsibilities?


Multiple Choice

What must be maintained under Req 12.8.5 regarding assignments of PCI DSS responsibilities?

Explanation:
Responsibilities for PCI DSS compliance must be clearly defined and documented between the entity and its service providers. Under 12.8.5 you keep information that shows exactly which PCI DSS requirements are managed by each service provider and which remain the entity’s responsibility. This clarity ensures accountability, supports ongoing compliance assessment, and makes it easier to monitor and manage third-party risk. Without this mapping, there can be gaps or duplications in controls. A list of providers alone doesn’t show who handles what, and demanding that a provider handle all requirements ignores the necessary division of responsibilities. Tracking neither the provider’s nor the entity’s duties would leave risk unmanaged.

