Authored by Brian Odian for VikingCloud’s Compliance Elements Series, available on YouTube.
In April 2022 the PCI SSC released Self-Assessment Questionnaires (SAQs) for use with PCI DSS version 4.0. There are some differences between the SAQs and version 4.0’s Report on Compliance, and between the new SAQs and those for version 3.2.1.
First, let’s deal with one difference between the RoC and the SAQs in version 4.0. As the SAQs’ opening remarks state, they “cannot be used to document use of the Customized Approach to meet PCI DSS requirements. For this reason, the Customized Approach Objectives are not included in SAQs. Entities wishing to validate using the Customized Approach may be able to use the PCI DSS Report on Compliance (ROC) Template to document the results of their assessment.”
There are also some significant differences between the v3.2.1 and v4.0 SAQs. For example, quarterly external vulnerability scans are now a requirement for SAQ-A. In fact, by our calculations, there are 9 new requirements added to SAQ-A that are effective immediately and 4 future-dated requirements added, with only 1 requirement removed. Looking at all SAQ types apart from the all-encompassing SAQ-D, there are around 34 new requirements effective immediately and 24 new future-dated requirements, with only 22 removed. Long story short, there is more to do in an SAQ. On new additions alone, SAQ A-EP and SAQ-C see the largest number of changes.
In the v4.0 template there are now 6 possible responses to a requirement, as opposed to the 4 possible responses in v3.2.1. An interesting new response is “In Place with Remediation”. According to the SAQ templates, that response means “The requirement was Not in Place when the expected testing was initially performed, but the merchant addressed the situation and put processes in place to prevent re-occurrence prior to completion of the self-assessment. In all cases of ‘In Place with Remediation’, the merchant has identified and addressed the reason the control failed, has implemented the control, and has implemented ongoing processes to prevent re-occurrence of the control failure.”
As you can see, moving to the version 4.0 SAQs is not just a matter of different templates; it is also a matter of being prepared for new and different requirements.