If your organisation is required to fill out the PCI DSS self-assessment questionnaire, you may be aware that changes have been made to some of the requirements. Don’t worry if you weren’t aware, that’s what we’re here for.
Here’s everything you need to know about the new updates.
Weren’t the SAQs Updated Last Year?
Yes, indeed. The eagle-eyed among you will have spotted that the SAQs were already updated last April, with the introduction of the new PCI DSS 3.2. The new amendments – made on January 30th – are more like clarifications, designed to clear up any errors or confusion arising from the latest updates.
What Major Changes Do I Need to Know About?
None of the SAQs are entirely new or completely different from before, but a large majority have had some amendments or clarifications added.
These include: SAQ A, SAQ B-IP, SAQ C and SAQ C-VT. The two biggest changes apply to B-IP and C-VT.
The first of these, requirement 8.3.1, means that any merchant who allows non-console access to the cardholder data environment (CDE) must now use multi-factor authentication. The second, requirement 11.3.4, means that all segmentation controls must now be verified.
How Do I Know Which SAQ Applies to Me Now?
The amendments shouldn’t change which SAQ you’re eligible to use, but they might affect how you fill out your questionnaire, or whether you’ll be subject to additional requirements.
If you’re in any doubt, you can always contact your acquirer or payment processor to find out which SAQ is suitable for your organisation. You can also download the SAQ Instructions and Guidelines or Understanding SAQs for PCI DSS documents from the PCI Security Standards Council document library.
When Do I Need to Start Using the New SAQs?
As with most PCI DSS updates, you’ve got quite a bit of time to review and adjust to the changes. You won’t have to start using the updated SAQs until October 1st 2017.
However, you can start using the new SAQs as soon as you like. We’d always recommend going with the most recent guidelines: it makes future assessments easier and keeps your organisation at its most secure and PCI compliant going forward.
If you need some advice about self-assessment questionnaires or any other aspect of PCI DSS compliance for your business or contact centre, please get in touch with our expert consultants. They’re only too happy to help.