Merchants had until March 31, 2024 before they could longer be able to validate their compliance using version 3.2.1 of the SAQs.
Merchants will need to start validating with version 4.0.1 and should start now to implement any missing controls, especially those future-dated requirements, which need to be in place by March 31, 2025.
Something to be aware of is that almost every question in the PCI v4 SAQ was re-worded and re-ordered, meaning that filling out the SAQ may take more time. Since all of the questions have been reworded, it means that businesses will need to answer additional questions, even if nothing in your network has changed.
To help mitigate this, our support agents have mapped as many questions from the 3.2.1 to the 4.0 SAQ. By using SecurityMetrics' FastPass, you could reduce the amount of questions you'd need to answer by a significant amount.
New PCI DSS v4.0.1 requirements (e.g., requirement 6.4.3 and 11.6.1) requires SAQ A, SAQ A-EP, SAQ D merchants, and SAQ D service providers to implement change detection procedures and technologies to alert personnel to unauthorized modifications to the HTTP headers and contents of the page(s) used to house the TPSP iframe. Such tamper-detection mechanisms must run at least weekly to look for unauthorized modifications to these critical web pages.
The SecurityMetrics Shopping Cart Monitor can be used to help meet the intent of these requirements.
The release of the new 4 version may cause anxiety for those already familiar with the current PCI DSS requirements. Rest assured that the 12 core PCI DSS requirements remain fundamentally the same; version 4 is not a totally new standard.
However, PCI DSS v4.0 introduced 64 new requirements (11 of which are only applicable to service providers). Most of these new requirements are future-dated to March 31, 2025, with notable exceptions being requirements around documentation and performing a targeted risk analysis. To find out more about specific requirement updates, check out this resource. There were also significant changes to the wording of questions.
To find out about more of the fundamental changes within PCI DSS v4.0.1, read our white paper PCI DSS Version 4.0.1: What You Need to Know.
While there is plenty of time to prepare for v4.0, start your transition to implement PCI v4.0.1 requirements early. You can move to v4 SAQ now, while working to implement future-dated requirements over the next year.
Our support team has already mapped the new PCI version 4 questions. When you fill out the PCI v4 SAQ with SecurityMetrics, you won’t need to re-fill out the entire SAQ again.
We also have a variety of security and compliance products for merchants from level one to level four.
For example, the SecurityMetrics Shopping Cart Monitor can be used to help meet the intent of the new requirements 6.4.3 and 11.6.1.
SecurityMetrics has produced a number of educational materials about PCI DSS v4.0 for you to reference. We’ll also continue creating content to help you know what requirements you should focus on to achieve compliance with PCI DSS version 4.0.
We’re here to help you, so feel free to reach out to us with any questions!
The following are related resources that we have prepared for you. Find more answers to your questions in our Learning Center.
.svg)