An In-Depth Look at the PCI 3.2 SAQs

May 3, 2016 • Category: Industry Topics

Prepare Your Business for PCI 3.2

As promised, the PCI SSC released the new version 3.2 Self-Assessment Questionnaires (SAQs) last Friday, April 29. Although this is an incremental PCI DSS release, it’s important to understand how the 3.2 SAQs differ from those issued with PCI DSS v3.1.

First, the good news.

There are no new SAQs, and with this release the eligibility criteria for each SAQ are essentially the same:

v3.2 SAQ | Validation Type | ASV Scan | Test Required

  • Card-not-present merchants: All payment processing functions fully outsourced, no electronic cardholder data storage
  • E-commerce merchants re-directing to a third-party website for payment processing, no electronic cardholder data storage
  • Merchants with only imprint machines or only standalone dial-out payment terminals: No e-commerce or electronic cardholder data storage
  • Merchants with standalone, IP-connected payment terminals: No e-commerce or electronic cardholder data storage
  • Merchants with payment application systems connected to the Internet: No e-commerce or electronic cardholder data storage
  • Merchants with web-based virtual payment terminals: No e-commerce or electronic cardholder data storage
  • All other SAQ-eligible merchants
  • SAQ-eligible service providers
  • Hardware payment terminals in a validated PCI P2PE solution only: No e-commerce or electronic cardholder data storage

*Are you an e-commerce merchant? Read our post, “PCI SAQ 3.1: E-Commerce Options Explained,” to better understand your SAQ options.

In terms of positive PCI requirements changes:

  • SAQ B v3.2 is identical to SAQ B v3.1 (no change);
  • SAQ B-IP was reduced to 80 from 83 requirements; however, it did receive the added requirement to use multi-factor authentication for both internal and external access to card data systems; and
  • SAQ P2PE-HW just got a little easier. As technologies evolve, the payment card brands have recognized that use of these technologies can dramatically reduce risk. As a result, the PCI Council has reduced the number of requirements in the SAQ P2PE-HW by removing the requirements to mask PAN data and not email unprotected PANs. This is likely because if you use a Validated P2PE Solution you will never have access to an unmasked PAN.

Last but not least, the SSL/TLS implementation date extension is now formally documented with the v3.2 SAQs. In December 2015, the Council shifted its deadline for turning off SSL and early TLS from June 2016 to June 2018. This affects SAQ A-EP, B-IP, C, C-VT, D-Merchant, and D-Service Provider. The requirements have moved to Appendix A2 in these SAQs.

And now, the bad news.

Brace yourself if you utilize SAQ A-EP or SAQ D-Service Provider, because both of these SAQs just got significantly more complicated with v3.2. These changes reflect the unfortunate reality that there are increasing risks associated with certain environments.

Learn more about the various types of e-commerce site implementations.

As EMV adoption gains momentum, fraud rates in e-commerce will increase, just as they have in every other country that has adopted EMV. Merchants who host their own payment pages and use the direct post method of getting card data to the processor are taking a very big risk and will therefore get a lot of additional scrutiny with the new SAQ A-EP.

SAQ A-EP v3.2 now has a total of 194 requirements. There are 51 net new requirements, and they run the gamut:

  • Configuring and documenting more stringent firewall/router rules;
  • Ensuring proper coding techniques;
  • More tightly controlling access to sensitive system components and files, especially audit trails; and
  • Implementing intrusion detection and prevention systems.

The intent in adding these new requirements to an already complex SAQ seems to be to encourage merchants to utilize a fully outsourced payment page or iframe, which is a more secure implementation.

Understanding the risks with third-party service providers.

Of course, as more merchants move to fully outsourced payment pages, there is an increased reliance on service-provider compliance. The PCI SSC has updated the SAQ D-Service Provider accordingly, adding 15 net new requirements to bring the total number of this SAQ’s requirements to 366:

  • After June 30, 2016, all service providers must offer a secure protocol option for their services;
  • Additionally, multi-factor authentication must be used for both internal and remote access to the Card Data Environment; and
  • There are five additional service-provider requirements that are considered “best practices” until February 1, 2018:
    1. Cryptographic architecture must be documented in a specific way and maintained over time (Requirement 3.5.1)
    2. A process for detecting and reporting a failure of critical systems along with an action plan for responding must be in place (Requirements 10.8a,b and 10.8.1a,b)
    3. Penetration tests for network segmentation must now be completed every 6 months by a qualified internal or external resource (,b,c,d)
    4. Executive Management must establish accountability for maintaining PCI DSS compliance and define the charter (Requirements 12.4.1a,b)
    5. Quarterly reviews must be performed and documented to ensure that personnel are following security policies and procedures (Requirements 12.11a,b, 12.11.1)

The following PCI 3.2 SAQs received new requirements that primarily focus on tightened user access:

  • SAQ A now has seven additional requirements, including removing default and unused accounts as well as having unique user IDs, strong passwords and multi-factor authentication for card data systems;
  • SAQ C received 24 net new requirements primarily around using strong passwords, multi-factor authentication for both internal and external access to card data systems, and physical access control to sensitive systems; and
  • SAQ C-VT also received three net new requirements around strong passwords and multi-factor authentication for both internal and external access to card data systems.

Want to learn more about how the v3.2 SAQs apply to your business?

The v3.2 SAQs become the new standard in October, 2016. Learn ways in which you can reduce your business’s scope of compliance. Be sure to subscribe for additional tips and webinar announcements.
