PCI DSS 4.0 - Self Assessment Questionnaires

The PCI SSC has released Self-Assessment Questionnaires For use with PCI DSS Version 4.0 in April 2022. There are some differences to version 4.0's Report on Compliance, and between the new SAQs and version 3.2.1.

‍

First let's deal with one difference between the RoC and SAQs in version 4.0. As per the SAQs opening remarks they cannot be used to document use of the Customized Approach to meet PCI DSS requirements. For this reason, the Customized Approach Objectives are not included in SAQs. Entities wishing to validate using the Customized Approach may be able to use the PCI DSS Report on Compliance (ROC) Template to document the results of their assessment.

‍

There are also some significant differences between v3.2.1 and v4.0 SAQs. For example, external quarterly vulnerability scans are now a requirement for SAQ-A's. As a matter of fact, by our calculations, there are 9 new immediate additions to SAQ-A's and 4 future dated requirements added, with only 1 requirement being removed. Looking at all SAQ types, apart from the all-encompassing SAQ-D, there are around 34 new requirements effective immediately and 24 new future dated requirements, with only 22 being removed. Long story short there is more to do in an SAQ. On new additions alone an SAQ-AEP and SAQ-C experience the largest number of changes.

‍

In v4.0 of the template there are now also six possible responses as opposed to the v3.2.1 four possible responses to the compliance of a requirement. A new interesting response is In Place with Remediation. According to the SAQ templates that response means, the requirement was Not in Place when the expected testing was initially performed, but the merchant addressed the situation and put processes in place to prevent re-occurrence prior to completion of the self-assessment. In all cases of In Place with Remediation, the merchant has identified and addressed the reason the control failed, has implemented the control, and has implemented ongoing processes to prevent re-occurrence of the control failure.

‍

As you can see moving to version 4.0 SAQs is not just a matter of different templates, it's also a matter of being prepared for new and different requirements. Contact the VikingCloud team for more information.

PCI DSS 4.0 - Self Assessment Questionnaires

This blog article takes a comparative look at the differences in the PCI SSC Self-Assessment Questionnaires

VIKINGCLOUD NEWS & RESOURCES

Why there’s no one-size-fits all solution to security maturity

Services and Solutions

Ransomware in 2022 and beyond

When the Internet Goes Out, this QSR Relies on a Seamless and Secure Backup

How You Can Use Tokenization to Reduce PCI Scope

VikingCloud™ Achieves PCI Forensic Investigator Certification

“Are ‘Knuckle Busters’ PCI Compliant?”

Security maturity: it is time for organizations to come of age

The PCI Point-to-Point Encryption (P2PE) Program

THOR AI: Reducing Cyber Risk for At-Risk Businesses

Cryptography in the Face of Quantum Computing

“Can We Securely Store Card Data for Recurring Billing?”

Distributed Denial of Service (DDOS) Attack – What can you do?

Updated U.S. Cyber Guidelines Place Emphasis on Risk Governance

ISO27001 vs. ISO27002

PCI DSS v4.0: Authenticated Scans

PayPal and the PCI DSS

PAYSTRAX Selects VikingCloud’s Patented Web Risk Monitoring to Mitigate Merchant Fraud

Phishing 101: everything you need to know to protect your business

Fueling a Healthy Diet

Serving Up Reliable Security

ISO 27002:2022

Avoid Audit Fatigue - Using Automation to Create an Efficient Compliance Framework (and Stay Sane)

In a comply-or-else industry, this payment solutions provider doesn’t just clear the bar, but surpasses the competition.

Ransomware actors ‘tighten the screws’ with legal and financial pressures

The Top Generative A.I. Security Threats Facing the Restaurant Industry

PA-DSS Transformation to SSF

Improving Security Awareness - Best Practices

PCI DSS 4.0: Multifactor Authentication

Business Protection Services

Beyond Fingerprints: Exploring Behavioral Biometrics for Secure Identity Verification

PCI DSS L1 Bundles

IMPORTANT LINKS

How To Select A PCI Compliant Service Provider: Advice For Small Business Owners

Managed Security Services

New “Backoff” Point-of-Sale Malware Alert

PCI Compliance and the Service Provider

VikingCloud to take seat at PCI SSC Global Executive Assessor Roundtable

What in the World is a Qualified Integrator and Reseller?

Staples, 23andMe respond to holiday data breaches

PCI and storage of PAN

PA-DSS and PCI DSS: Beware the critical difference!

The Power of Proactive Cybersecurity Using Ethical Hackers

Managed Compliance Services

SEC Adopts New Rules on Cybersecurity Risk Management, Incident Disclosure, and Ransomware Payments by Public Companies

PCI DSS 4.0 - Risk vs. Requirement

The Value of Powerful, Predictive and Cohesive Cybersecurity

Small Business and PCI Cost vs. Benefit

Protecting Your Business from Phishing Attacks

Five Steps Before Using a Mobile Device to Accept Credit Cards

Cyber Threat Unit Spotlight: Robin Divino

VikingCloud Announces Industry’s First Generative AI-Powered Chatbot Combining Real-Time Cybersecurity and PCI Compliance Intelligence

How To Secure Your Software Supply chain

PCI DSS v4 Transformation when using PCI DSS v3.2.1 validated TPSPs

P2PE Assesment Long Form

VikingCloud Announces Industry’s First PCI L4 Compliance Program with Integrated Cyber Risk Score

The PCI Basics & Quick Guide

P2PE – Don’t Lose Your Investment

Connectivity Services

PCI Compliance and Your Website: A Guide

How Do Cybercriminals Profit From My Stolen Data?

Introducing PCI DSS 4.0

PTS POI v3 Device Expiration: Are You Ready?

LockBit down but far from out

The PCI DSS, Chaining and the Franchise Relationship

PCI DSS 4.0 - Summary of Changes

NIST Cybersecurity Framework 2.0: A Deep Dive into the New Governance Function

What's so scary about AI (Besides human extinction)

Staying PCI DSS compliant as the global payment landscape evolves

What to look for in a PCI Forensic Investigator

Security Incident Preparedness - Tabletop Exercises

EDR or SIEM: Which Should You Choose?

Endpoint protection; a vital tool in the battle against ransomware

Digital Certificates

Programs for Acquirers, ISOs, and Processors

Hardening Against Potential Attacks from Elevated Geopolitical Cybersecurity Risks

Proactive Data Security