With the upcoming retirement of PCI DSS v3.2.1 on 31 March 2024, organizations will be transitioning to new validation documents for their PCI DSS v4 assessments.
In this Q&A with PCI Security Standards Council’s Director of Data Security Standards Lauren Holloway, we look at some of the key changes in the PCI DSS Self-Assessment Questionnaires (SAQs) for version 4 and what organizations using SAQs need to know.
How have the SAQs changed for PCI DSS v4?
The SAQs have been updated to reflect the PCI DSS v4 requirements updates, so that the requirement wording in the SAQs now mirrors that which is used in the standard, and the SAQ reporting responses are aligned with the PCI DSS v4 Report on Compliance template. Additionally, each SAQ contains new guidance to support organizations completing the self-assessment process. For more details about general changes made to all SAQs, see SAQ Instructions and Guidelines - Appendix A: How SAQs Changed for PCI DSS v4.0.
Have requirements been added to the SAQs?
Yes, all SAQs include additional requirements for PCI DSS v4 to ensure the SAQ continues to address the evolving threat landscape.
Some of the additional requirements are noted as being best practices until 31 March 2025, after which they must be fully considered as part of a PCI DSS v4 assessment. Before 31 March 2025, future-dated requirements that are not yet implemented can be marked as "Not Applicable" and documented in Appendix C: Explanation of Requirements Noted as Not Applicable in the SAQ.
Many of the additional requirements are effective immediately for PCI DSS v4 assessments.
Examples of requirements added to each SAQ are summarized below.
Note: This is not an all-inclusive list of new requirements. The following provides an overview of the control areas addressed by the additional requirements. Please review the relevant SAQ(s) documents to see details of all updates.
SAQ A – Summary of new requirements:
- Requirement 3 – Policies and procedures for data retention and protection of stored account data if merchant has paper records that include account data (receipts, paper reports, etc.).
- Requirement 6 – Identify and manage security vulnerabilities. Supports Requirement 6.3.3, which was already included in SAQ A, to install applicable security patches and updates.
- Requirements 6 and 11 – Protect merchant websites from unauthorized payment page script activity. Applies to merchant websites with an embedded payment page/form (e.g., iframe) provided by a third-party service provider (TPSP)/payment processor.
- Requirement 8 – Secure passwords/passphrases if passwords/passphrases are used.
- Requirement 9 – Secure media with cardholder data if merchant has paper records that include account data (receipts, paper reports, etc.).
- Requirement 11 – External vulnerability scans performed by a PCI Approved Scanning Vendor (ASV). Applies to merchant websites that redirect payment transactions to a TPSP (Third Party Service Provider) (e.g., URL redirect) or with an embedded payment page/form provided by a TPSP (e.g., iframe).
SAQ A-EP – Summary of new requirements:
- Requirement 2 - Policies and procedures for applying secure configurations to system components).
- Requirement 3 - Policies and procedures for data retention and protection of stored account data if merchant has paper records that include account data (receipts, paper reports, etc.).
- Requirement 5 – Malware protections for performing periodic evaluations at frequencies defined in targeted risk analyses (TRAs), to protect removable media, and to protect personnel against phishing attacks.
- Requirement 6 – Maintain inventories of bespoke and custom software and deploy an automated technical solution to detect and prevent web-based attacks on public-facing web applications.
- Requirements 6 and 11 - Protect merchant websites from unauthorized payment page script activity. Applies to merchant websites with an embedded payment page/form (e.g., iframe) provided by a third-party service provider (TPSP)/payment processor
- Requirement 7 - Manage accounts and related access privileges for all users, application, and system accounts.
- Requirement 8 - Secure passwords/passphrases if passwords/passphrases are used, implement multi-factor authentication (MFA) for all access into the CDE (cardholder data environment), and manage application and system accounts.
- Requirement 10 - Perform audit log reviews with automated mechanisms for specified events and system components and perform audit log reviews for all other system components at the frequency defined in a targeted risk analysis (TRA).
- Requirement 12 – Assign responsibility for information security, document any required targeted risk analyses, include phishing and social engineering in security awareness training, and designate specific personnel to be available on a 24/7 basis to respond to suspected or confirmed security breaches.
SAQ B – Summary of new requirements:
- Requirement 3 – Policies and procedures for data retention and protection of stored account data if merchant has paper records that include account data (receipts, paper reports, etc.).
SAQ B-IP – Summary of new requirements:
- Requirements 3 and 9 – Policies and procedures for data retention and protection of stored account data if merchant has paper records that include account data (receipts, paper reports, etc.).
In addition, the v4.0 SAQ Instructions and Guidelines document clarified that SAQ B-IP is intended only for standalone PCI-approved point-of-interaction (POI) devices that are not connected to other types of devices in the same network zone.
SAQ C – Summary of new requirements:
- Requirements 3 and 9 – Policies and procedures for data retention and protection of stored account data if merchant has paper records that include account data (receipts, paper reports, etc.).
- Requirement 5 – Malware protections for performing periodic evaluations at frequencies defined in targeted risk analyses (TRAs), for removable media, and to protect personnel against phishing attacks.
- Requirement 6 – Maintain inventories of bespoke and custom software, train personnel working on such software, perform manual code reviews, use secure software engineering techniques, and implement change control procedures for production systems.
- Requirement 7 – Manage accounts and related access privileges for all user, application, and system accounts.
- Requirement 8 – Manage accounts for terminated and inactive users, manage authentication factors, secure passwords/passphrases if passwords/passphrases are used, implement multi-factor authentication (MFA) for all access into the CDE, and manage use of application and system accounts.
- Requirement 10 – Protect audit logs, perform audit log reviews with automated mechanisms for specified events and system components, perform audit log reviews for all other system components at the frequency defined in a targeted risk analysis (TRA), and implement time-synchronization mechanisms for all systems.
- Requirements 12 - Document any required targeted risk analyses, include phishing and social engineering in security awareness training, and designate specific personnel to be available on a 24/7 basis to respond to suspected or confirmed security breaches.
SAQ C-VT – Summary of new requirements
- Requirement 2 - Policies and procedures for applying secure configurations to system components.
- Requirements 3 and 9 - Policies and procedures for data retention and protection of stored account data if merchant has paper records that include account data (receipts, paper reports, etc.).
- Requirement 5 – Malware protections for removable media, and to protect personnel against phishing attacks.
- Requirement 8 - Secure passwords/passphrases if passwords/passphrases are used.
- Requirement 12 - Include phishing and social engineering in security awareness training.
In addition, the eligibility criteria were updated to remove segmentation, to clarify that this SAQ is intended only for standalone computers.
SAQ P2PE – Summary of new requirements
- Requirements 3 and 9 - Policies and procedures for data retention and protection of stored account data if merchant has paper records that include account data (receipts, paper reports, etc.).
SAQ D-Merchant
- There were no changes to SAQ D for Merchants other than the general changes made to all SAQs.
Are there any new SAQs?
Yes, the Self-Assessment Questionnaire for Software PIN entry on COTS (SAQ SPoC) was released in September 2023. This SAQ is for merchants using a commercial off-the-shelf mobile device (for example, phone or tablet) with a secure card reader that is part of a SPoC Solution that is on PCI SSC’s list of validated Software-based PIN Entry on COTS (SPoC) Solutions.
And what about SAQ D for Service Providers?
SAQ D for Service Providers is the ONLY SAQ for SAQ-eligible service providers. All other SAQs are for merchant use only.
If any requirement is not applicable for a given service provider’s environment, it can be marked as “Not Applicable” in the SAQ and described in Appendix C: Explanation of Requirements Noted as Not Applicable.
This SAQ includes all PCI DSS requirements, including those designated “for service providers only.” SAQ D for Service Providers for PCI DSS v4 also includes the following additional reporting requirements:
- New Section 2a, which specifies additional required documentation for service provider self-assessments.
- At each PCI DSS requirement, addition of a section for service providers to briefly “Describe Results” including how the evidence examined and testing performed supports the response selected by the service provider for a given requirement.
Next steps
- To make sure your organization is prepared for what is new in PCI DSS v4 SAQs, perform a gap analysis to understand your PCI DSS status in relation to the new requirements.
- If you need help understanding whether your organization is eligible or required to complete an SAQ, and which SAQ is appropriate for your environment, contact your merchant bank (acquirer), the applicable payment brand(s), or other compliance entity.
Where can I find more information about the SAQs for PCI DSS v4?
- For detailed guidance on what is new in the SAQs, read the SAQ Instructions and Guidelines.
- To understand how to meet the new requirements, you can find detailed guidance, best practices, and implementation examples in the requirements’ Guidance Column in the Standard.
- There are many FAQs (Frequently Asked Questions) to help you with PCI DSS v4 – search our FAQ Page for answers to your questions.