How is this Going to Impact my Business?
Overall Impact of PCI DSS v4.0
Organizations can continue to validate compliance using the version 3.2.1 SAQs until March 31, 2024, the date version 3.2.1 is retired. After that, validation must be done against version 4.0.
Even while you are still validating to version 3.2.1, you should start now to identify and implement any controls you are missing that version 4.0 will require, rather than waiting for the retirement date.
SAQs Will Take Longer to Fill Out
Be aware that almost every question in the PCI DSS v4.0 SAQs was re-worded and re-ordered, so filling out the SAQ will likely take more time than it did under version 3.2.1. Because the questions have changed, every business will have to review and answer questions again, even if nothing in its network or cardholder data environment has changed.
To help mitigate this, our support team compared the 3.2.1 and 4.0 SAQs question by question to find as many questions as possible that map directly from the old version to the new one. By using SecurityMetrics' FastPass, you can carry those answers forward and significantly reduce the number of questions you have to answer from scratch.
SAQ D Service Provider Changes
The SAQ D Service Provider version 4.0 has changed significantly. Like the Report on Compliance (ROC), it now requires the individual performing the assessment to document the observations that led to each conclusion, not just mark a requirement as in place.
These changes will significantly increase the time required to perform the assessment and to complete the report.
There are also 11 new requirements that apply only to service providers. One example is requirement 12.5.2.1, which requires that your "PCI DSS scope is documented and confirmed by the entity at least once every six months and upon significant change to the in-scope environment."
To find out the exact changes for service providers, read our blog about Performing an SAQ D Service Provider version 4.0 Self-Assessment.