PCI DSS 3.2 has added requirements to, and removed requirements from, the SAQs.
Read our white paper, How to Become Compliant with PCI DSS 3.2
If you’re new to the PCI DSS, you might not know much about Self-Assessment Questionnaires (SAQs). SAQs are used to help businesses validate and prove their compliance with the PCI DSS.
As you may know, PCI DSS 3.2 was released on April 28, 2016. On October 31, 2016, PCI DSS 3.1 will retire, and all assessments will need to use the PCI DSS version 3.2 SAQs.
See also: PCI DSS 3.2 Changes: What Your Business Needs to Know
New SAQ Requirements
So what has changed with the SAQs? While there aren’t any new SAQ types or changes to SAQ descriptions, a fair number of requirements have been added or removed.
- SAQ A added 8 more requirements (multi-factor authentication, improved user access controls, etc.)
- SAQ A-EP added 52 more requirements (firewall configuring and documentation rules, coding procedures, intrusion detection and prevention systems, etc.)
- SAQ B remained the same
- SAQ B-IP added one more requirement (multi-factor authentication)
- SAQ C-VT added 6 more requirements (multi-factor authentication, improved user access controls, etc.)
- SAQ C added 21 more requirements (multi-factor authentication, user access controls, etc.)
- SAQ D added 15 more requirements (cryptographic architecture documentation, semi-annual penetration tests on segmentation, etc.)
- SAQ P2PE removed 2 requirements (masking and emailing unencrypted PAN data)
See also: SecurityMetrics PCI Guide