In our previous PCI DSS 3.2: What’s New? post, we outlined the key changes in the latest version of the PCI Data Security Standard (PCI DSS). In this Q&A with Director of Data Security Standards Emma Sutcliffe we look at how these changes impact the validation tools, known as Self-Assessment Questionnaires (SAQ), which eligible merchants and service providers use to report the results of a PCI DSS self-assessment.
So why is the Council updating the SAQs?
Emma Sutcliffe: First, the updates introduced in PCI DSS 3.2 need to be incorporated, including the new appendix for reporting SSL/early TLS migration efforts.
We’ve also made changes to the SAQs to address the current threat environment. For example, merchant web servers that redirect customers to a third party for payment processing continue to be highly targeted by attackers because basic security controls are not being applied. SAQs A and A-EP include new requirements to help organizations address this threat.
Are there any new SAQs?
Emma Sutcliffe: No, there have not been any new SAQs created with PCI DSS 3.2. Currently there are nine SAQs, each one intended to meet a different scenario based on how an organization stores, processes, or transmits cardholder data.
What are the key changes for each SAQ?
Emma Sutcliffe: The key changes focus on strengthening authentication, providing greater assurance for merchants that partially outsource their e-commerce environment, and simplifying requirements for merchants using PCI Point-to-Point Encryption solutions. Specifically, these changes include:
SAQ A:
- Addition of requirements to change default passwords and implement an incident response plan
- Addition of basic authentication requirements, such as requiring a unique user ID and strong password, disabling access for terminated users, and not using group or shared passwords
SAQ A-EP:
- Addition of requirements related to secure configuration of the web server and network, access controls, authentication, and audit logs
- Additional process/policy requirements
SAQ C-VT:
- Addition of basic authentication requirements, such as requiring a unique user ID and strong password, disabling access for terminated users, and not using group or shared passwords
- Addition of requirement to protect cardholder data environment systems from unauthorized physical access
SAQ C:
- Additional authentication and physical security requirements
SAQ P2PE:
- Removed two requirements to simplify merchant validation
How do merchants and service providers determine which SAQs they are eligible to use?
Emma Sutcliffe: Merchants and service providers should contact their merchant bank (acquirer) or the applicable payment brand(s) to understand if they are eligible or required to submit an SAQ, and if so, which SAQ is appropriate for their environment. The SAQ Instructions and Guidelines document (note this link takes you to the earlier version) is also being updated for v3.2 to provide additional guidance about the PCI DSS self-assessment process and the different SAQs. It will be available soon in the PCI SSC website document library.
More questions on PCI DSS 3.2 resources?