Self-Assessment Questionnaire (SAQ) A Changes in PCI DSS v4.0

5 min read
Sep 16, 2022 2:45:00 PM

With the recent updates to the Payment Card Industry Data Security Standard (PCI DSS) requirements, many organizations that are currently PCI compliant in accordance with version 3.2.1 may become noncompliant with version 4.0. This series of blogs will outline the changes to each of the eight self-assessment questionnaires (SAQs) and areas that merchant organizations should consider prior to the required implementation date of March 31st, 2024.

Merchants’ eligibility criteria for version 3.2.1 and version 4.0 remain the same and are for those merchants whose account data (cardholder data) functions are completely outsourced to PCI DSS validated and compliant third parties, and the merchant only retains paper reports or receipts with account data.

Merchant organizations that qualify and are adhering to PCI 3.2.1 SAQ-As currently have 5 requirements with 21 specific controls that must be in-place to achieve a PCI-DSS “compliant” rating. In version 4.0, merchant organizations will need to adhere to 7 requirements and 31 specific controls to receive a compliant rating. Below is a list of the additional requirements that have been included in the PCI DSS v4.0 SAQ-A:

NEW REQUIREMENT - Requirement 3.1.1

All security policies and operational procedures for protecting stored account data are defined and understood are:

  • Documented
  • Kept up to date
  • In use
  • Known to all affected parties

NEW REQUIREMENT - Requirement 3.2.1

Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following:

  • Coverage for all locations of stored account data
  • Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization
    This bullet is a best practice until its effective date March 31st, 2025.
  • Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements
  • Specific retention requirements for stored account data that defines length of retention period and includes a documented business justification
  • Processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention policy
  • A process for verifying, at least once every three months, that stored account data exceeding the defined retention period has been securely deleted or rendered unrecoverable

NEW REQUIREMENT - Requirement 6.3.3

All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows:

  • Critical or high-security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release

NEW REQUIREMENT - Requirement 6.4.3

All payment page scripts that are loaded and executed in the consumer's browser are managed as follows:

  • A method is implemented to confirm that each script is authorized
  • A method is implemented to assure the integrity of each script
  • An inventory of all scripts is maintained with written justification as to why each is necessary
    This requirement is a best practice until March 31st, 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

NEW REQUIREMENT - Requirement 8.3.5

If passwords/passphrases are used as authentication factors, they are set and reset for each user as follows:

  • Set to a unique value for first-time use and upon reset
  • Forced to be changed immediately after the first use

NEW REQUIREMENT - Requirement 8.3.6

If passwords/passphrases are used as authentication factors, they meet the following minimum level of complexity:

  • A minimum length of 12 characters (or IF the system does not support 12 characters, a minimum length of 8 characters)
  • Contain both numeric and alphabetic characters
    This requirement is a best practice until March 31st, 2025, after which it will be required and must be fully considered during a PCI DSS assessment. Until March 31st, 2025, passwords must be a minimum length of 7 characters in accordance with PCI DSS v3.2.1 Requirement 8.2.3 (minimum 7 characters that contain both alphabetic and numeric characters).

NEW REQUIREMENT - Requirement 8.3.7

Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used.

NEW REQUIREMENT - Requirement 8.3.9

If passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation) then either:

  • Passwords/passphrases are changed at least once every 90 days
    OR
  • The security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly
    This requirement applies to in-scope system components that are not in the CDE because these components are not subject to MFA requirements. This requirement is not intended to apply to user accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals).

NEW REQUIREMENT - Requirement 9.4.1.1

Offline media backups with cardholder data are stored in a secure location.

NEW REQUIREMENT - Requirement 11.3.2

External vulnerability scans are performed as follows:

  • At least once every three months
  • By PCI Security Standards Council (PCI SSC) Approved Scanning Vendor (ASV)
  • Vulnerabilities are resolved and ASV Program Guide requirements for a passing scan are met
  • Rescans are performed as needed to confirm that vulnerabilities are resolved per the ASV Program Guide requirements for a passing scan

NEW REQUIREMENT - Requirement 11.3.2.1

External vulnerability scans are performed after any significant change as follows:

  • Vulnerabilities that are scored 4.0 or higher by the CVSS are resolved
  • Rescans are conducted as needed
  • Scans are performed by qualified personnel and organizational independence of the tester exists (not required to be a QSA or ASV)

NEW REQUIREMENT - Requirement 11.6.1

A change- and tamper-detection mechanism is deployed as follows:

  • To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the HTTP headers and the contents of payment pages as received by the consumer browser
  • The mechanism is configured to evaluate the received HTTP header and payment page
  • The mechanism functions are performed as follows:
    • At least once every seven days
      OR
    • Periodically (at the frequency defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1)
    This requirement is a best practice until March 31st, 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

Another change in version 4.0 is the compliance responses available, specifically the “in place with remediation” response. In some cases of version 3.2.1, merchants would not fully be adhering to a specific requirement at the time of the assessment and would receive a “not in place” response because some or all elements of the requirement had not been met, and the merchant cannot confirm the requirement was in place. Merchants would make necessary changes to adhere to the requirement and an in place” response would be checked. With version 4.0, a new response, “in place with remediation” is available to address these issues. In place with remediation means that the requirement was not in place when the initial testing was performed but the merchant identified and addressed the reason the control failed, has implemented the control, and has implemented ongoing processes to prevent reoccurrence of the control failure.

Merchant organizations that qualify to complete an SAQ-A should immediately identify solutions to adhere to these new requirements, prior to the required implementation date of March 31st, 2024, and specifically requirement 11.3.2 – external vulnerability scanning by an ASV. This has never been a requirement for SAQ-As and does incur an additional cost to the merchant since free tools will not meet the criteria for an “in place” remark. The PCI SSC does provide a list of 87 ASVs on their website to make the selection process easier.

Compass IT Compliance has spent the past decade serving as a trusted PCI DSS Qualified Security Assessor (QSA) for merchants and service providers across the nation. We were early adopters of PCI DSS and have the extensive expertise and resources to simplify the compliance process from start to finish. Contact our team today to discuss your unique situation!

Contact Us

Get Email Notifications

No Comments Yet

Let us know what you think