How is this Going to Impact my Merchants?
Overall Impact of PCI DSS v4.0
Merchants can continue to validate their compliance using version 3.2.1 of the SAQs until March 31, 2024; after that date, version 3.2.1 can no longer be used for validation.
While merchants can continue to validate their compliance using version 3.2.1, they should start now to implement any missing controls that would be required to validate to version 4.0.
SAQs Will Take Longer to Fill Out
Be aware that almost every question in the PCI v4.0 SAQ was re-worded and re-ordered, so filling out the SAQ may take more time. Because the questions have been reworded, EVERY merchant will need to answer additional questions, even if nothing in their network has changed.
To help mitigate this, our very best support agents worked together, combing through the 3.2.1 and the 4.0 SAQs to find as many questions as possible that map over. By using SecurityMetrics' FastPass, merchants could significantly reduce the number of questions they need to answer.
Unfortunately, this may cause some frustration for your merchants.
SAQ A Merchant Changes
Additionally, for SAQ A merchants, vulnerability scanning is now a requirement, whereas previously it wasn't. For a merchant that has never needed to scan before, this new requirement could cause some frustration: they may not know how to set up a scan, and they will likely fail their first scan.
However, the SecurityMetrics support team is ready 24/7 and able to answer the phone within 15 seconds to aid your merchants with any questions they may have about the new scanning requirements or PCI DSS v4.0.
New Requirements for Ecommerce Security
New PCI DSS v4.0 requirements (e.g., requirement 11.6.1) require SAQ A, SAQ A-EP, and SAQ D merchants, and SAQ D service providers, to implement change-detection procedures and technologies that alert personnel to unauthorized modifications to the HTTP headers and contents of the page(s) used to house the TPSP iframe. Such tamper-detection mechanisms must run at least weekly to look for unauthorized modifications to these critical web pages.
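To make the intent of requirement 11.6.1 concrete, here is an added example (not SecurityMetrics' code or the Shopping Cart Monitor) of the basic mechanism such a tool implements: fingerprint the approved payment page's HTTP headers and body, store that fingerprint as a baseline, and on each scheduled run compare a fresh response against it and report what differs. The page URL, header values and HTML below are constructed for the demonstration; the list of headers treated as volatile (ignored because their values legitimately change on every request) is an assumption a real deployment would tune.

```python
import hashlib

# Assumption: these response headers change on every request and are not
# security-relevant, so they are excluded from the fingerprint to avoid false alerts.
VOLATILE_HEADERS = {"date", "expires", "age", "set-cookie", "x-request-id"}


def fingerprint(headers, body):
    """Hash each retained header value and the body separately, keyed by name,
    so a later diff can say *which* header or the body changed."""
    fp = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname in VOLATILE_HEADERS:
            continue
        fp["header:" + lname] = hashlib.sha256(value.encode("utf-8")).hexdigest()
    fp["body"] = hashlib.sha256(body.encode("utf-8")).hexdigest()
    return fp


def diff_fingerprints(baseline, current):
    """Return a sorted list of (key, kind) with kind in {'added','removed','changed'}.
    An empty list means the page matches the approved baseline."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        if key not in baseline:
            findings.append((key, "added"))
        elif key not in current:
            findings.append((key, "removed"))
        elif baseline[key] != current[key]:
            findings.append((key, "changed"))
    return findings


def check_page(baseline_fp, headers, body):
    """One scheduled run: compare the fresh response to the stored baseline."""
    return diff_fingerprints(baseline_fp, fingerprint(headers, body))


# --- Constructed sample data (not captured from any real site) ---------------
APPROVED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; frame-src https://tpsp.example",
    "Date": "Mon, 01 Jan 2024 00:00:00 GMT",
}
APPROVED_BODY = (
    '<html><body><h1>Checkout</h1>'
    '<iframe src="https://tpsp.example/pay"></iframe></body></html>'
)
BASELINE = fingerprint(APPROVED_HEADERS, APPROVED_BODY)

# Run 1: only the Date header differs -> should be reported as clean.
RUN1_HEADERS = dict(APPROVED_HEADERS, Date="Mon, 08 Jan 2024 00:00:00 GMT")
RUN1_BODY = APPROVED_BODY

# Run 2: CSP loosened to allow an unapproved origin and a script tag injected
# into the page that hosts the iframe -> both the header and the body change.
RUN2_HEADERS = dict(
    APPROVED_HEADERS,
    Date="Mon, 15 Jan 2024 00:00:00 GMT",
    **{"Content-Security-Policy":
       "default-src 'self' https://unapproved.example; frame-src https://tpsp.example"},
)
RUN2_BODY = APPROVED_BODY.replace(
    "</body>", '<script src="https://unapproved.example/s.js"></script></body>'
)

# Run 3: the CSP header is missing entirely -> reported as removed.
RUN3_HEADERS = {k: v for k, v in APPROVED_HEADERS.items()
                if k != "Content-Security-Policy"}
RUN3_BODY = APPROVED_BODY


def main():
    for label, hdrs, body in (("run1", RUN1_HEADERS, RUN1_BODY),
                              ("run2", RUN2_HEADERS, RUN2_BODY),
                              ("run3", RUN3_HEADERS, RUN3_BODY)):
        findings = check_page(BASELINE, hdrs, body)
        status = "OK" if not findings else "ALERT"
        print(f"{label}: {status} {findings}")


if __name__ == "__main__":
    main()
```

In practice the fresh `headers`/`body` come from an HTTP fetch of the live payment page, the baseline is re-approved (and re-saved) only through change control, and the script is scheduled at least weekly, for example from cron, with any non-empty result routed to an alerting channel so personnel are notified as the requirement demands.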
The SecurityMetrics Shopping Cart Monitor can be used to help meet the intent of this requirement.