Changes to SAQs in PCI DSS v4.

With the release of PCI DSS v4.0, most of the changes land in the Report on Compliance (ROC), but the Self-Assessment Questionnaires (SAQs) have also been updated to align with the new standard. Here are some highlights and clarifications for the new SAQs. The rules for which SAQ a merchant must complete have not changed from v3.2.1 to v4.0, but new requirements have been added to each SAQ type.

One common misunderstanding needs clearing up first: some merchants believe that if they outsource card processing to a third party, they are no longer required to be PCI DSS compliant. This is NOT true. You cannot outsource all of your responsibility, although you can reduce the scope of that responsibility significantly by outsourcing specific services. This applies under both PCI DSS v3.2.1 and v4.0.

What are SAQs?

SAQs are forms that merchants and service providers use to report their PCI DSS compliance. Your merchant or service provider level, as set by the card brands and your acquirer, determines whether you may self-assess with an SAQ or must have a Qualified Security Assessor (QSA) complete a ROC. How a merchant handles card data then determines which SAQ type applies.

As a merchant, what are the key SAQ changes?

SAQ A

  • Manage all payment page scripts
  • The minimum password length increased to 12 characters
  • Change and tamper detection mechanism on the payment pages
  • Quarterly ASV Scanning
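The first and third SAQ A items above (managing authorized payment page scripts and detecting unauthorized changes to them, PCI DSS requirements 6.4.3 and 11.6.1) are the ones a merchant can partly automate. The script below is an added illustration, not code from the original post or from the PCI SSC: it builds an inventory of every script on a payment page, records the Subresource Integrity (SRI) value of each external script and the SHA-256 of each inline script, and then compares a freshly fetched copy of the page against that authorized baseline. The page URLs, the `sha384-...` integrity values and the HTML fixtures are all constructed for the example; in production the "current" HTML would come from fetching the live payment page on a schedule.

```python
"""Inventory the scripts on a payment page and flag unauthorized changes.

Added example for the PCI DSS v4.0 SAQ A script-management and
tamper-detection items. All page content and URLs below are constructed.
"""
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collects every <script> element: src (if any), integrity attr, inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        # HTMLParser delivers <script> content as raw data; it may arrive in chunks.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def script_inventory(html: str) -> dict:
    """Return {identifier: metadata} for every script on the page.

    External scripts are keyed by their src and record the SRI integrity value
    (None if the tag has no integrity attribute). Inline scripts are keyed by
    the SHA-256 of their body, so any edit to an inline script changes its key.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    inventory = {}
    for s in parser.scripts:
        if s["src"]:
            inventory[s["src"]] = {"kind": "external", "integrity": s["integrity"]}
        else:
            digest = hashlib.sha256(s["body"].encode("utf-8")).hexdigest()
            inventory["inline:" + digest] = {"kind": "inline"}
    return inventory


def check_page(baseline: dict, html: str) -> list:
    """Compare the current page against the authorized baseline inventory.

    Returns a sorted list of (finding, identifier) tuples; an empty list means
    the page's scripts are unchanged. A modified inline script shows up as one
    'script-removed' entry (old hash) plus one 'unauthorized-script' entry (new hash).
    """
    current = script_inventory(html)
    findings = []
    for key, meta in current.items():
        if key not in baseline:
            findings.append(("unauthorized-script", key))
        elif meta["kind"] == "external":
            if not meta["integrity"]:
                findings.append(("missing-integrity", key))
            elif meta["integrity"] != baseline[key]["integrity"]:
                findings.append(("integrity-changed", key))
    for key in baseline:
        if key not in current:
            findings.append(("script-removed", key))
    return sorted(findings)


# Constructed fixtures: the approved page, the same page with an extra
# external script injected, and the same page with the inline config edited.
AUTHORIZED_PAGE = """<html><body>
<script src="https://pay.example.com/checkout.js"
        integrity="sha384-AAAAexamplebaselinehash"></script>
<script>window.checkoutConfig = {merchant: "M123"};</script>
</body></html>"""

TAMPERED_PAGE = AUTHORIZED_PAGE.replace(
    "</body>", '<script src="https://static.example.net/tag.js"></script>\n</body>')

MODIFIED_INLINE_PAGE = AUTHORIZED_PAGE.replace('merchant: "M123"', 'merchant: "M999"')

# The baseline would normally be written to disk when the page is approved.
BASELINE = script_inventory(AUTHORIZED_PAGE)

if __name__ == "__main__":
    for name, page in [("authorized", AUTHORIZED_PAGE), ("tampered", TAMPERED_PAGE),
                       ("modified-inline", MODIFIED_INLINE_PAGE)]:
        print(name, check_page(BASELINE, page))
```

Running the check on a schedule against the live page and alerting on any non-empty result gives the change-and-tamper detection the SAQ asks for; the baseline itself is the written authorization record for each script. Note that the check only sees what the server sends; scripts injected after load by another authorized script are not visible to it, which is why the standard also wants a justification for each script rather than an allow-list alone.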

SAQ A-EP

E-commerce merchants that have outsourced payment card processing to a third party and operate a website that does not itself receive card data but can affect the security of the payment transaction or the integrity of the page that accepts the customer's card data.

  • Targeted Risk Analysis
  • Protections against Phishing
  • Inventory of Software Components
  • Management of application and system accounts
  • Multi-factor Authentication for access into the CDE
  • Automated Log Reviews
  • Security Awareness Training

SAQ B

Merchants using only imprint machines or standalone dial-out terminals

  • Policies and Procedures for the protection of stored account data

SAQ B-IP

Merchants using PCI-listed, PTS-approved payment terminals with an IP connection to the payment processor

  • Policies and Procedures
    • protection of stored account data
    • physical access to cardholder data

SAQ C

Merchants whose payment application systems are connected to the Internet and that have no electronic cardholder data storage.

  • Policies and Procedures
  • Targeted Risk Analysis
  • Phishing Protections & Security Awareness Training
  • Secure Software Development
  • Management of Access Control Privileges
  • Multi-factor Authentication Protections
  • Logging and Time Synchronization

SAQ C-VT

Merchants with no electronic cardholder data storage that manually key in one transaction at a time into a virtual terminal provided by a PCI DSS compliant third-party service provider, over an Internet-connected system.

  • Policies and Procedures
  • Phishing Protections & Security Awareness Training
  • Malware scans for removable media

SAQ P2PE

Merchants using a validated, PCI-listed Point-to-Point Encryption (P2PE) solution to process payment card data, with no electronic cardholder data storage. The key point is that the merchant must use a solution listed on the PCI Council's website to be eligible for this form.

  • Policies and Procedures
    • Protection of Stored Account Data
    • Restricting Physical Access to Cardholder Data

SAQ D

Merchants that store electronic cardholder data, and service providers that are eligible to self-assess rather than complete a ROC. A merchant with more than one payment channel must consult its acquirer about how to validate compliance; in most cases the acquirer will ask the merchant to complete SAQ D.

  • All PCI DSS v4 requirements are included in SAQ D
  • New requirements are either:
    • Effective immediately for all PCI DSS v4 assessments
    • Best practices until March 31, 2025, after which they become effective

The new SAQs contain more information than before, with guidance and wording consistent with the ROC.

Diagram from the SAQ Instruction Guidelines


Discover more from Chad M. Barr
