Self Assessment Questionnaires

Authored by Brian Odian for VikingCloud’s Compliance Elements Series, available on YouTube.

The PCI SSC released the Self-Assessment Questionnaires (SAQs) for use with PCI DSS version 4.0 in April 2022. There are some differences between the SAQs and version 4.0's Report on Compliance, and between the new SAQs and those for version 3.2.1.

First, let's deal with one difference between the RoC and the SAQs in version 4.0. As the SAQs' opening remarks state, they "cannot be used to document use of the Customized Approach to meet PCI DSS requirements. For this reason, the Customized Approach Objectives are not included in SAQs. Entities wishing to validate using the Customized Approach may be able to use the PCI DSS Report on Compliance (ROC) Template to document the results of their assessment."

There are also some significant differences between the v3.2.1 and v4.0 SAQs. For example, external quarterly vulnerability scans are now a requirement for SAQ-As. As a matter of fact, by our calculations, there are 9 new requirements added to SAQ-A effective immediately and 4 future-dated requirements added, with only 1 requirement removed. Looking at all SAQ types apart from the all-encompassing SAQ-D, there are around 34 new requirements effective immediately and 24 new future-dated requirements, with only 22 removed. Long story short, there is more to do in an SAQ. On new additions alone, SAQ-AEP and SAQ-C see the largest number of changes.

In v4.0 of the templ