BLOG HOME > PCI > PCI DSS 4.0 SAQ Questionnaires Q&A

PCI DSS 4.0 SAQ Questionnaires Q&A

*This article was taken from the following webinar. 

Navigating the transition to PCI SAQ version 4.0 may seem daunting, but there's no need to worry excessively. It's important to start the process without delay and familiarize yourself with the upcoming changes. The transition timeline will vary depending on your organization's environment, and it's crucial to identify any new requirements introduced in version 4.0. 

While future-dated requirements are not mandatory until March 31, 2025, it's recommended to implement them early for enhanced security. SecurityMetrics offers tools and services like vulnerability scanning, policy documents, and the Shopping Cart Monitor to assist merchants during the transition. Remember to stay proactive, seek assistance when needed, and ensure compliance with all relevant requirements for a smooth and successful transition to PCI SAQ version 4.0.

Can I use the Customized Approach for SAQ A? 

Get Started with PCI Compliance

Start Here

The Customized Approach is specifically designed for ROC-based assessments and is most suitable for large organizations with a well-established security infrastructure. The Customized Approach is almost like compensating controls on steroids. By adopting the Customized Approach, organizations can demonstrate compliance with PCI requirements that deviate from the Defined Approach outlined in the PCI DSS.

To undergo a Customized Approach assessment, organizations must collaborate with their Qualified Security Assessor (QSA) to define appropriate testing procedures that effectively validate the fulfillment of the requirement's intent.

When should we start working on 4.0?

It is advisable to start familiarizing yourself with the upcoming changes as soon as possible. Effective March 31, 2024, merchants will no longer be able to validate their compliance using version 3.2.1 of the SAQs. While transitioning to version 4.0, many of the SAQ types have undergone minimal modifications, making the migration process relatively straightforward.

However, it's worth noting that certain SAQ types, such as SAQ A, now include additional requirements that may require time and effort to implement within a merchant's environment. If your organization falls into this category, it is recommended to continue validating compliance using version 3.2.1 for now. Concurrently, you should initiate the implementation of any missing controls necessary to meet the requirements of version 4.0.

Taking proactive steps at an early stage will help ensure a smooth transition to version 4.0 and facilitate the timely validation of your organization's compliance.

If I submit a PCI v4.0 SAQ, do we have to follow those future-dated requirements?

Future-dated requirements are not required to be implemented until March 31, 2025. Until that time, these requirements are considered best practices and are not mandatory for compliance.

However, it is highly recommended to have these future-dated requirements in place or actively working towards implementing them. While not mandatory for compliance, they serve as important security measures and can greatly enhance your organization's overall security posture.

Even if you have not yet implemented these future-dated requirements, your organization can still maintain compliance until 2025. 

The main newly added requirements that are immediately required for 4.0 assessments are requirements on documentation (requirements 2.1.2, 3.1.2, 4.1.2, 5.1.2, 7.1.2, 8.1.2, 9.1.2, 10.1.2, 11.1.2), risk assessments (requirement 12.3.2), and scoping (requirement 12.5.2), as well as service providers’ requirements around TPSPs (requirement 12.9.2).

Get my free SecurityMetrics PCI Guide

Download Now

What tips or best practices do you suggest for getting ready for or starting with PCI 4.0?

When considering the transition from version 3.2.1 to version 4.0 of the SAQ, it's important to take into account the time required to complete the SAQ. Therefore, it is advisable to begin the process as soon as the new version becomes available to you. This transition offers the opportunity to enhance your organization's security practices.

The transition to version 4.0 appears to be significantly simpler, primarily due to the reduction in the number of questions. This simplification raises the question of why wait? If version 4.0 is available to you, it is recommended to seize the opportunity and proceed with its adoption.

However, it's worth noting an important consideration for certain SAQ types, such as SAQ A, SAQ A-EP, SAQ C, and SAQ C-VT. These SAQs have incorporated additional existing PCI requirements. Therefore, when reviewing the version 4.0 SAQ, if you come across newly added requirements that are not future-dated, understand that these must be implemented in order to successfully validate your compliance using that specific SAQ.

Take the time to carefully examine the PCI DSS version 4.0 SAQ that aligns with your environment. Evaluate how transitioning to SAQ 4.0 would impact your organization and identify any security controls that may need to be implemented now but are currently missing. If there are such controls, it is advisable to continue using version 3.2.1 for the time being. However, it is essential to commence working towards full compliance with all the requirements outlined in the PCI v.4.0 SAQ.

If you require further clarification or assistance during this transition, please don't hesitate to reach out. We are here to provide guidance and support you in navigating this process smoothly.

Will the SAQ document look different in PCI 4.0 vs. 3.2.1?

The updated SAQs will have some differences, although they aren’t substantial. The Qualifying Criteria section and the section for contact information will still be present, albeit with some formatting changes.

In version 4.0 of the PCI DSS SAQs, except for SAQ A, there are fewer checkboxes as they have consolidated multiple requirements into a single box, simplifying the process compared to previous versions where multiple checkboxes needed to be checked. If you are familiar with or have previously conducted a self-assessment using PCI DSS version 3.2.1, transitioning to version 4.0 should not be a significant challenge.

When will SecurityMetrics update their portal so that we can submit a PCI 4.0 SAQ?

We are currently working on that. Streamlining and simplifying the process for merchants has always been a top priority for us.

In the past, whenever there were updates to an SAQ, we have always sought ways to seamlessly guide you from one question to the next. If the questions remained the same, we were able to pre-populate them, reducing the number of questions you had to answer.

Therefore, we are actively working on implementing these improvements. When you transition to version 4.0, if you have already provided answers to certain sections of the SAQ that remain unchanged, we will transfer them over to simplify the process for you.

Rest assured, we will be fully prepared before the release (March 31, 2024), just as we have been in previous versions.

Get Started with PCI Compliance

Start Here

Will we have both 3.2.1 and 4.0 on the portal where they can choose which one they would want to do? Or will there be a cutoff date where the portal switches from 3.2.1 to 4.0? 

In the past, we have kept previous versions available until a specific cutoff date, enabling partner banks to make the transition at a time that worked best for them. This ensured a smoother process and avoided the possibility of merchants having to restart if they ran out of time to complete SAQ D within a week.

For the requirement 11.6.1, what is this requirement, and which SAQ types need to worry about this?

PCI requirement 11.6.1 focuses on safeguarding third-party iframes utilized for cardholder data collection. This may have implications for organizations implementing iframes on their e-commerce websites, particularly for SAQ A, SAQ A-EP, and SAQ-D. 

Compliance with this requirement entails implementing controls to prevent tampering with HTTP headers and page content associated with payment collection iframes.

The PCI Council offers recommendations in the PCI DSS documentation to assist in achieving compliance with requirement 11.6.1, primarily impacting e-commerce merchant types.

How can we determine which SAQ type we are?

There are a few options available for scoping your organization's requirements. One method is to reach out to SecurityMetrics and consult with one of our experts who will guide you through the process by asking specific questions about your payment environment to determine which SAQ type is right for you.

Another option is to utilize our tool called FastPass, which offers customization for partner banks. FastPass streamlines the scoping process significantly.

Additionally, we have a third tool called SEM Expert that assists in scoping and selecting the correct questionnaire if you have multiple processing methods.

Each scoping process is primarily designed to ensure accurate questionnaire selection, minimizing the risk of heading down the wrong path. FastPass, in particular, goes a step further by pre-answering certain sections of the SAQ, making the process even simpler for you as you progress through the scoping journey.

What are some of the biggest changes in PCI version 4.0 for service providers?

The major change for service providers in SAQ D version 4.0 is the requirement to not only check boxes but also provide detailed documentation of the steps you took to verify the implementation of each required security control. This will make the process more comprehensive and intensive for service providers.

While service providers will likely be able to indicate that the applicable requirements are in place, they will also need to specify the systems and settings reviewed to validate the presence of these controls in their environment. As a result, completing SAQ D version 4.0 will require more effort for service providers compared to version 3.2.1..

What's the best way to explain the difference between a merchant and a service provider?

Determining whether an entity qualifies as a service provider primarily depends on who holds the merchant account. If you are engaged in selling shoes and receive direct credit card payments into your own bank account, you are considered a merchant. 

However, if you assist merchants in carrying out their payment-related activities, such as managing their firewalls or e-commerce servers, and the customer payments are directed to your customers' bank accounts rather than yours, then you fall into the category of a service provider. 

It is also possible to operate as both a merchant and a service provider.

How have the requirements for risk assessments changed in version 4.0?

In version 3.2.1, the requirement for a risk assessment was simply stated as an annual occurrence, without much additional guidance on the process. However, in version 4.0, the risk assessment plays a more significant role, as it is linked to several other requirements.

Under version 4.0, tasks that need to be performed on a "periodic" basis will now be determined based on a targeted risk assessment, providing more flexibility and customization.

For instance, merchants conducting card-present transactions using physical devices are required to carry out tamper prevention inspections periodically. The frequency of these inspections should be determined by your organization's risk assessment.

It is crucial to recognize that numerous requirements in version 4.0 are interconnected with the risk assessment, making it essential to conduct a thorough assessment that covers all associated obligations.

If you are currently conducting a risk assessment under version 4.0, it is important to review and ensure compliance with all the additional requirements linked to the risk assessment process.

Start a vulnerablility scan on your network and find vulnerabilities today

Buy Now

Have requirements changed surrounding documentation?

Version 4.0 introduces changes to documentation requirements that enhance the structure and clarity of the standard. Notably, each section begins with a requirement emphasizing the need for well-defined policies, procedures, and staff awareness.

For instance, in Requirement 1 addressing firewalls and network devices, the initial requirement mandates the presence of policies and procedures that designate responsible individuals or groups within the organization for maintaining device security. These designated individuals should possess copies of the relevant policies and procedures. This pattern of explicit policy and procedure references is present throughout the standard.

Similarly, Requirement 3 focuses on safeguarding cardholder data at rest. To comply, organizations must demonstrate the existence of policies and procedures governing the protection of stored cardholder data. Additionally, an assigned individual assumes responsibility for ensuring the security of data at rest, and they should possess copies of the applicable policies and procedures.

These changes in documentation requirements under version 4.0 serve to emphasize the importance of clear policies, procedures, and staff awareness in various areas of PCI compliance, facilitating a more robust and organized approach to security implementation.

For an ISO, when should we look into focusing on pushing PCI v.4.0 to our merchants?

Organizations, including ISOs, have the flexibility to adopt version 4.0 of the SAQ either early or later, based on their own preferences and timelines.

As mentioned earlier, it's important for merchants to complete their SAQ before the cutoff date, as transitioning to a version 4.0 SAQ after the cutoff may pose challenges.

Our goal is to assist you in the transition process by transferring relevant answers from previous versions to PCI v4.0, if applicable.

However, delaying the process until the last minute carries inherent risks and may result in additional difficulties for the merchant.

It is advisable to start the transition as soon as possible to minimize any potential complications and ensure a smoother experience for the merchant.

When will the SAQs change again? Is this going to switch a year after I finally get compliant?

The short answer is that we never know.

While there have been significant updates in the past, such as addressing vulnerabilities in transmission encryption, the PCI Council's expectations for major changes in the near future seem minimal.

However, considering the two-year timeframe until the retirement of version 3.2.1 and another year until the enforcement of version 4.0 requirements, it is possible for the risk landscape to evolve and new requirements to be introduced if necessary.

The PCI Council is responsive to emerging risks faced by merchants, and if significant changes in the risk landscape occur, they may release new requirements to address those risks.

If the risk environment remains relatively stable, it is unlikely that substantial changes will be made to the standard. The current version, 4.0, is expected to remain relevant for a considerable period.

Ultimately, only time will tell what changes may come, and we will have to wait and see how the PCI SSC addresses emerging risks in the future.

How long will PCI 4.0 requirements take to implement? Specifically, for an SAQ A or SAQ A-EP?

The implementation timeline for complying with version 4.0 of the PCI DSS standard varies based on the specific environment of the merchant or service provider.

For merchants who have outsourced their entire e-commerce environment to third-party providers without their own website, transitioning to version 4.0 and validating compliance should be relatively straightforward.

However, for merchants or service providers with more complex payment environments, the process of achieving compliance with version 4.0 may require more extensive work and effort.

The timeframe for implementation depends on factors such as the configuration of the card data environment and the available resources. While it could be a relatively simple task for some, it may take others a significant amount of time, potentially even a couple of years, to successfully validate compliance with version 4.0.

Will SAQs ever go away?

While there has been speculation about potential replacements for the SAQs, it is unlikely that they will be completely eliminated. Instead, it is more probable that they will continue to evolve and adapt in order to effectively address emerging risks in merchant processing environments.  

Where can I find more information about SAQ updates? Will you go into more detail about the different SAQ updates?

The primary resource to consult for information on the new PCI DSS standard is the PCI Council's website, specifically their document library which provides guidelines and documentation. They also maintain a blog that can be helpful.

In addition, you can check out SecurityMetrics’ content. We have blogs that discuss changes in each of the SAQs as well as other PCI 4.0 topics. We also have podcasts and webinars that discuss how to prepare and transition to PCI 4.0, FAQ’s, updates and changes to the standard, and more.

Both SecurityMetrics and the PCI Council will continue to provide information and support throughout this transition. For quick access to the official document, the PCI Council's website is the recommended source, while other resources like podcasts and webinars from SecurityMetrics can offer further explanations and insights.

What sorts of tools does SecurityMetrics have that could help us with the PCI 4.0 transition?

We offer a range of tools and services to assist merchants in their PCI compliance efforts. One of our popular offerings is our PCI programs or policies and procedure documents, which are often challenging to create from scratch. These documents can simplify the compliance process for merchants.

As an Approved Scanning Vendor (ASV), we can manage your vulnerability scanning requirements. Our scan portal is designed to automatically scan your systems on a quarterly basis, as mandated by PCI, to identify and address vulnerabilities.

In particular, our Shopping Cart Monitor tool is highly beneficial, especially for merchants using SAQ A or other SAQ types affected by requirement 11.6.1. This tool is specifically designed to prevent e-commerce skimming attacks, aligning with the new requirements introduced in SAQ A and SAQ A-EP.

Get Started with Shopping Cart Monitor

Start Here

Any final tips or advice about 4.0?

My main advice is to stay calm and not get overly stressed about the transition to PCI SAQ version 4.0. However, it is important to take proactive steps and not delay the process.

Begin by reviewing the SAQ for your specific environment and identify any new requirements that you may not have encountered before. Assess what actions and measures are needed to confidently address these new requirements in your PCI SAQ version 4.0.

In case you encounter any challenges or have questions along the way, don't hesitate to reach out to our dedicated support team at SecurityMetrics. They are available 24/7 to provide assistance, answer your queries, and guide you through the process. Remember, they are here to support you throughout the transition.

Michael Simpson, CISSP, CISA, QSA
By: Michael Simpson
Principal Security Analyst

Scott Robinson
Director of Content Success

Join Thousands of Security Professionals and Subscribe