It’s finally happened: on April 1st NZ time, PCI DSS v4.0 was released, and on April 28th the Self-Assessment Questionnaires (SAQs) for v4.0 followed. In this post we cover, at a high level, what has changed in the SAQs and what stays the same.
What Stays the Same
The good news is that the SAQ types themselves have not changed. If your payment channels haven’t changed, odds are good you’ll still be completing the same SAQ you do today. All the familiar SAQ names are still there and no new SAQ types have been added.
But that’s about where the similarities end. Plenty of individual requirements are unchanged too, but we know those aren’t the things people want to hear about.
What’s Changing
SAQ D (Service Providers)
The biggest changes are for service providers, and we will be covering these in more detail in a separate post. In v4.0, service providers completing an SAQ face a more in-depth reporting process: gone are the days of just ticking boxes, as a written summary of how each requirement was assessed is now required alongside the response.
SAQ A
For those of you who complete SAQ A, expect changes to which requirements you have to comply with. A few more controls have been added, all of which we have always considered basic security hygiene. These include quarterly external vulnerability scanning by an Approved Scanning Vendor (ASV), which was not previously required for SAQ A, and, for e-commerce merchants, new requirements to manage and monitor the scripts loaded on payment pages and to detect unauthorised changes to those pages.
SAQ A-EP
SAQ A-EP sees both updated requirements and new ones. Anti-phishing controls and more robust management of user accounts feature in the updated SAQ A-EP, and it also picks up the same payment page script and change-detection requirements mentioned under SAQ A. One new requirement people will need to be aware of is around the integrity of the MFA system itself. Start thinking now about whether your MFA provider has an Attestation of Compliance covering that service; if they don’t already have one, hopefully they will before the requirement comes into force (most new v4.0 requirements are best practice until 31 March 2025, after which they become mandatory).
SAQ C
SAQ C picks up more new requirements than most of the other SAQs. In v4.0 it adds updates to anti-malware, management of the certificates and keys used for TLS, anti-phishing controls and a longer minimum password length, and MFA now applies to all access into the CDE, not just administrative access. There is a much greater focus on authentication systems, including management of service and application accounts and the integrity of MFA systems. Automated log review tooling is now required, and the requirements that were previously performed “periodically” will need a targeted risk assessment to justify the frequency chosen. Overall, SAQ C sees some of the biggest changes of any SAQ.
Summary
Overall, many of the updates are iterative, with most SAQs adding only a handful of new requirements. The biggest change across the SAQs is SAQ D (Service Provider), which takes an entirely new approach to how service providers completing an SAQ are required to report.
We will go into more depth on these SAQs in the coming weeks, so look out for more information which will also be linked below:
- SAQ D (Service Provider)
- SAQ A (More Information Coming Soon)
- SAQ A-EP (More Information Coming Soon)
- SAQ B (More Information Coming Soon)
- SAQ B-IP (More Information Coming Soon)
- SAQ P2PE (More Information Coming Soon)
- SAQ C (More Information Coming Soon)
- SAQ C-VT (More Information Coming Soon)
- SAQ D (Merchant) (More Information Coming Soon)
Need More Information?
If you’re wondering how PCI DSS v4.0 will impact your existing PCI compliance, we can help you proactively develop a roadmap to move from v3.2.1 to v4.0. At Confide we love talking about PCI DSS and understanding how security and compliance can fit into the way organisations actually work. Contact us for more information.