PCI DSS 3.2 has added and removed new requirements to the SAQs. 


 Read our white paper, How to Become Compliant with PCI DSS 3.2

3.2 SAQsIf you’re new to the PCI DSS, you might not know much about Self-Assessment Questionnaires (SAQs). SAQs are used to help businesses validate and prove their compliance with the PCI DSS.

As you may know, PCI DSS 3.2 was released in April 28, 2016. On October 31, 2016, PCI DSS 3.1 will retire and all assessments need to use the PCI DSS version 3.2 SAQs.

SEE ALSO: PCI DSS 3.2 Changes: What Your Business Needs to Know

New SAQ Requirements 

So what has changed with the SAQs? While there aren’t any new SAQ types or changes to SAQ descriptions, a fair amount of requirements have been added or removed.
Here’s an overview list of requirement changes in each PCI DSS SAQ:
Tweet: Here’s an overview list of requirement changes in each #PCIDSS SAQ: http://ow.ly/VzxJ303MecM Tweet
    PCI DSS 3.2 SAQ
  • SAQ A added 8 more requirements (multi-factor authentication, improved user access controls, etc.) 
  • SAQ A-EP added 52 more requirements (firewall configuring and documentation rules, coding procedures, intrusion detection and prevention systems, etc.) 
  • SAQ B remained the same 
  • SAQ B-IP added one more requirement (multi-factor authentication) 
  • SAQ C-VT added 6 more requirements (multi-factor authentication, improved user access controls, etc.) 
  • SAQ C added 21 more requirements (multi-factor authentication, user access controls, etc.)
  • SAQ D added 15 more requirements (cryptographic architecture documentation, semi-annual penetration tests on segmentation, etc.) 
  • SAQ P2PE removed 2 requirements (masking and emailing unencrypted PAN data) 
These new changes reflect the changes made with 3.2, including multi-factor authentication, pen testing requirements, and clarifying masking and encryption.

SEE ALSO: PCI DSS Supplemental Guide to Scope: Understanding PCI DSS Scope and Segmentation

What does each SAQ cover? 

Each SAQ handles a different aspect of a business’s payment process. Here’s a quick chart on each SAQ and what it covers.


SAQ
Description
# of questions
Vulnerability scan
Penetration testing
A
E-commerce website (third party)
  •        Fully outsourced card acceptance and processing
  •     Merchant website provides iframe or URL that redirects a consumer to a third party payment processor
  •     Merchant can’t impact the security of the payment transaction
22
N
N
A-EP
E-commerce website (direct post)
  •        Merchant website accepts payment using direct post or transparent redirect service
191
Y
Y
B
Processes cards via:
  •      Analog phone, fax, or stand-alone terminal
  •      Cellular phone (voice), or stand-alone terminal
  •      Knuckle buster/imprint machine
41
N
N
B-IP
Processes cards via:
  •      Internet-based stand-alone terminal isolated from other devices on the network
82
Y
N
C
Payment application systems connected to the Internet:
  •     Virtual terminal (Not C-VT eligible)
  •     IP terminal (Not B-IP eligible)
  •     Mobile device with a card processing application or swipe device
  •     View or handle cardholder data via the internet
  •     POS with tokenization
160
Y
N
D
E-commerce website
  •     Merchant website accepts payment and doesn’t use a direct post or transparent redirect service
Electronic Storage of card data
  •     POS system doesn’t use tokenization or P2PE
  •     Merchant stores card data electronically
329
Y
Y
P2PE
Point-to-point encryption
  •     Validated PCI P2PE hardware payment terminal solution only
  •     Merchant specifies they qualify for P2PE questionnaire
33
N
N


How many SAQs you’ll need to fill out depends on your business environment. For example, companies that don’t have a website accepting payment using a direct post or transparent redirect service don’t have to fill out SAQ A-EP.

SEE ALSO: PCI Standards: Which PCI SAQ is Right for My Business?

A good way to reduce the amount of SAQs you need to is reducing your PCI scope. For example, if you use tokenization and don’t store any card data, you don’t have to fill out SAQ D, which has over 329 questions.
Follow for more data security articles like this

Ask for help!

Getting your SAQs straight can be tricky. An Approved Scan Vendor (ASV) or Qualified Security Assessor (QSA) helps you determine which ones you need to fill out, what kind of business environment you have, and some best practices to implement requirements. QSAs have a deep knowledge of PCI compliance and are the best solution to help you navigate the standard.

To learn more about 3.2, read our white paper, How to Become Compliant with PCI DSS 3.2

SecurityMetrics Guide to PCI DSS Compliance
Tuesday, September 6, 2016