Organizations will have until March 31, 2024, before they will no longer be able to validate their compliance using version 3.2.1 of the SAQs.
While organizations can continue to validate their compliance using version 3.2.1, you should start now to implement any missing controls that would be required to validate version 4.0.
Something to be aware of is that almost every question in the PCI v4.0 SAQ was re-worded and re-ordered, meaning that filling out the SAQ may take more time. Since all of the questions have been reworded, it means that businesses will need to answer additional questions, even if nothing in your network has changed.
To help mitigate this, our support agents have mapped as many questions from the 3.2.1 to the 4.0 SAQ. By using SecurityMetrics' FastPass, you could reduce the amount of questions you'd need to answer by a significant amount.
Although vulnerability scanning was not a requirement previously, SAQ A merchants will now have to conduct them. This requirement could be confusing or frustrating for merchants that have never needed to scan previously. Getting help with setting up scans will reduce their chance of failing their first time.
SecurityMetrics' support team is ready 24/7 and is able to answer the phone within 15 seconds to aid with any questions you may have about the new scanning requirements or PCI DSS v4.0 in general.
New PCI DSS v4.0 requirements (e.g., requirement 11.6.1) require SAQ A, SAQ A-EP, SAQ D merchants, and SAQ D service providers to implement change detection procedures and technologies. This is to alert personnel of unauthorized modifications to HTTP headers and the contents of the page(s) used to house the TPSP iframe.
These tamper-detection mechanisms must run at least weekly, to identify unauthorized modifications to critical web pages. SecurityMetrics Shopping Cart Monitor can be used to help meet the intent of this requirement.
The new 4.0 version may cause anxiety for those only familiar with the current PCI DSS requirements. Remember, version 4.0 isn't a totally new standard. The 12 core PCI DSS requirements remain fundamentally the same.
PCI DSS v4.0 introduces 64 new requirements (11 of which are only applicable to service providers). Most of these new requirements are future-dated to March 31, 2025, with notable exceptions being requirements around documentation and performing a targeted risk analysis. There are also significant changes to the wording of questions. To find out more about specific requirement updates, check out this resource.
To learn more about PCI DSS v4.0, read our white paper PCI DSS Version 4.0: What You Need to Know.
Our support team has already mapped the new 4.0 questions. When you fill out the PCI v4.0 SAQ with SecurityMetrics, you won’t need to re-fill out the entire SAQ again.
We also have various security and compliance products for merchants from level one to level four, as well as for service providers.
For example, the SecurityMetrics Shopping Cart Monitor can be used to help meet the intent of the new requirement 11.6.1.
SecurityMetrics has produced a number of educational materials about PCI DSS v4.0 for you to reference. We’ll also continue creating content to help you know what requirements you should focus on to achieve compliance with PCI DSS version 4.0.
We’re here to help you, so feel free to reach out with any questions!
%20PCI%2012%20checklists_Main%20Blog%20Image%20700x400%20copy.png.transform/resourceList/img.jpg)
