It’s finally happened – on April 1st NZ time, PCI DSS v4.0 was released, and then on April 28th we saw the Self-Assessment Questionaries released. In this post we cover at a high level what’s changed and what stays the same.
What Stays the Same
The good thing about the SAQs is that the actual SAQs types have stayed the same – so odds are good that if your payment channels haven’t changed, you’ll still be looking at the same report type. We still have all the same SAQ names that you’re used to hearing about and no new SAQ types have been added.
But that’s about where the similarities end. Sure, there are plenty of requirements that stay the same, but we know those aren’t the things that people are interested in.
The biggest changes that are coming are for service providers. We will be covering this in more detail in a separate post. Service providers in v4.0 will have a more in-depth reporting process – gone are the days of just tick boxes, and a summary of the reporting is now required.
For those of you who complete SAQ A, you can expect to see some changes to which requirements you have to comply with. Overall, a few more controls have been added that we have always considered as basic security controls. This includes ASV scanning (not previously required) and more monitoring of servers and code (new requirements for e-commerce merchants).
SAQ A-EP sees more updates to requirements as well as new requirements being added. Things like phishing and more robust management of user accounts are featured in the updated SAQ A-EP. It also includes the same monitoring of servers and code mentioned in SAQ A. And one thing that people will need to be aware of is the new requirement around the integrity of the MFA system – start thinking now about whether your MFA provider has an attestation of compliance and if they don’t already have one for that service, hopefully they will have one before this requirement comes into force.
SAQ B & B-IP
We’ve combined these SAQs in this post because neither of them gains any of the requirements new to PCI DSS v4.0.
SAQ P2PE loses a requirement in Version 4.0! The only thing new to add is a requirement around storage of SAD prior to authorization. This is the SAQ that stays the most the same out of all of them.
SAQ C picks up more requirements than some of the other SAQs. In version 4.0 it also includes antivirus updates, TLS management updates, anti-phishing updates, passwords are longer, and MFA will apply to all access to the CDE, not just admin access to the CDE. There is a much greater focus on authentication systems, including management of service accounts and the integrity of MFA systems. Automated log tools will now be required and certain “periodic” requirements will need to have a targeted risk assessment completed. Overall, SAQ C is one of the bigger changes to the SAQs.
C-VT adds a few more requirements in version 4 – antivirus scanning gets expanded to include continual behavioural analysis, Anti-phishing gets added and password lengths increase in line with the other SAQs that include password length requirements.
SAQ D Merchants
Unlike SAQ D for Service Providers, SAQ D for Merchants stays the same in how reporting is handled. No additional sections have been added to the SAQ. All of the new requirements from v4.0 (excluding those that are specific to service providers) are included in SAQ D for merchants.
Overall, many of the updates are iterative with most SAQs only adding a handful of new requirements. The biggest change for the SAQ is with SAQ D (Service Provider) which takes an entirely new approach to how service providers completing a SAQ are required to report.
We will go into more depth on these SAQs in the coming weeks, so look out for more information which will also be linked below:
If you’re wondering how PCI DSS version 4 will impact your existing PCI compliance, we can help you proactively develop a roadmap to move from version 3.2.1 to version 4.0. At Confide we love talking about PCI DSS and understanding how security and compliance can fit into the way that organisations do things. Contact us for more information.