PCI DSS 3.2: New SAQ Changes, Revision 1.1 (January 2017)

In our post PCI DSS 3.2: The Major Changes, we reviewed the changes related to the Version 3.2 release of the PCI Data Security Standard (PCI DSS 3.2). In this post, we discuss the recent (January 2017) changes to certain PCI DSS Self-Assessment Questionnaires (SAQs), published as PCI DSS SAQ Rev. 1.1. For those of you new to the world of PCI DSS, Self-Assessment Questionnaires (SAQs) are forms that eligible merchants can complete and self-attest to in order to satisfy their annual PCI DSS compliance requirements. For more information on PCI DSS compliance, review our post What is PCI Compliance?.

Why are the PCI DSS SAQs Being Updated?

With the release of PCI DSS version 3.2 in April 2016, the SAQs also received some major updates. So, many merchants and service providers are asking why the PCI Security Standards Council (SSC) is already updating the SAQs so soon after a major change. According to the Council, the changes are meant only to clarify points of confusion around the SAQs, and there are “no major changes.” Although the changes are considered minor, the Council notes that “changes do include the addition of guidance and may impact how SAQs are filled out.”


Changed SAQs

The following PCI DSS SAQs have been updated as part of the January 2017 SAQ update:

  • SAQ A: Card Not Present (eCommerce) Merchants, All Cardholder Data Functions Fully Outsourced
  • SAQ B-IP: Card Present, Standalone IP-based PTS (PIN Transaction Security) Point-of-Interaction (POI) Terminals (e.g., Ingenico, Verifone, etc.) – No electronic cardholder data storage
  • SAQ C: Merchants with Payment Application Systems Connected to the Internet – No electronic cardholder data storage
  • SAQ C VT: Merchants with Web-Based Virtual Terminals – No electronic cardholder data storage.

SAQ A Changes (PCI DSS 3.2, Revision 1.1)

  • Updated Document Changes to clarify requirements added in the April 2016 update.
  • Added note to Before You Begin section to clarify intent of inclusion of PCI DSS Requirements 2 and 8.

SAQ B-IP Changes (PCI DSS 3.2, Revision 1.1)

  • Updated Document Changes to clarify requirements added in the April 2016 update.
  • Updated Before You Begin section to clarify term “SCR” and intent of permitted systems.
  • Added Requirement 8.3.1 to align with intent of Requirement 2.3.
    • Requirement 8.3.1: Use multi-factor authentication for all non-console administrative access into the cardholder data environment.
    • Explanation: Merchants that perform administrative access via non-console connections are already required to secure these connections with strong cryptography (Requirement 2.3), and the addition of Requirement 8.3.1 provides consistency for how these connections are secured.
  • Added Requirement 11.3.4 to verify segmentation controls, if segmentation is used.
    • Requirement 11.3.4: Verify segmentation controls (assuming segmentation is used). SAQ B-IP requires that specific device types be used and that the defined devices are not connected to other systems. The addition of Requirement 8.3.1 in SAQ B-IP is consistent with requirements in other SAQs for merchants using segmentation.

SAQ C Changes (PCI DSS 3.2, Revision 1.1)

  • Updated Document Changes to clarify requirements added in the April 2016 update.
  • Added footnote to Before You Begin section to clarify intent of permitted systems.
  • Checkboxes fixed in Requirements 8.1.6 and 11.3.4.

SAQ C VT Changes (PCI DSS 3.2, Revision 1.1)

  • Updated Document Changes to clarify requirements added in the April 2016 update.
  • Added footnote to Before You Begin section to clarify intent of permitted systems.
  • Added Requirement 8.3.1 to align with intent of Requirement 2.3.
    • Requirement 8.3.1: Use multi-factor authentication for all non-console administrative access into the cardholder data environment.
    • Explanation: Merchants that perform administrative access via non-console connections are already required to secure these connections with strong cryptography (Requirement 2.3), and the addition of Requirement 8.3.1 provides consistency for how these connections are secured.
  • Added Requirement 11.3.4 to verify segmentation controls, if segmentation is used.
    • Requirement 11.3.4: Verify segmentation controls (assuming segmentation is used). SAQ C-VT requires that specific device types be used and that the defined devices are not connected to other systems. The addition of Requirement 8.3.1 in SAQ C-VT is consistent with requirements in other SAQs for merchants using segmentation.

The full list of PCI DSS Self-Assessment Questionnaires (SAQs) is available from the PCI Security Standards Council document library.

Thoughts?  Join the discussion on the PCI Blog Forum.


About PCI Blog
PCI Blog is the most trusted PCI Compliance and IT Security blog on the web. Authored by industry experts within the payments and IT security industries, PCI Blog provides insight on the complex world behind modern compliance and security standards. As a wholly independent source of news within the payments industry, PCI Blog focuses on the ever-changing responsibilities of merchants who accept credit cards. PCI Blog also provides reviews on PCI compliance tools and enterprise security solutions to offer a fair, independent critique of product offerings within the payments industry.
