PCI DSS 4: Self-Assessment Questionnaire Changes – Dionach
Number of requirements for each SAQ for PCI DSS v3.2.1 and PCI DSS v4.0

SAQ                     | v3.2.1 Reqs. | v4.0 Reqs. | Eligibility Criteria                                                                | Additional Information
------------------------|--------------|------------|-------------------------------------------------------------------------------------|-------------------------------------------------------------------------
SAQ A                   | 24           | 31         | All storage, processing and transmission of account data outsourced                 | E-commerce websites still have requirements that apply to the web server
SAQ A-EP                | 192          | 151        | All processing of account data outsourced except for the payment page              | CDE requirements apply to the e-commerce websites
SAQ B                   | 41           | 27         | Dial-up payment terminals only                                                      | Not for network connected payment terminals
SAQ B-IP                | 87           | 49         | Standalone payment terminals on isolated network                                    | B-IP requiring network controls and isolation means P2PE is a better option
SAQ P2PE                | 33           | 21         | Payments via payment terminals from a validated P2PE solution                       | All controls are implemented from the P2PE Instruction Manual
SAQ C                   | 161          | 132        | Payment applications such as POS that are isolated from other systems               | Isolation can be done through network segmentation
SAQ C-VT                | 84           | 54         | Virtual payment terminal (such as web browser on a PC) isolated from other systems  | Isolation can be done through network segmentation
SAQ D Merchants         | 330          | 252        | Merchants not eligible for other SAQs                                               | Some controls may not be applicable
SAQ D Service Providers | 369          | 278        | All service providers (service providers are not eligible for merchant SAQs)        | Some controls may not be applicable
SAQ D for Merchants
SAQ D for Merchants applies to merchants not eligible for other SAQs, and includes all PCI DSS requirements except for those only applicable to service providers.
The changes are essentially the Summary of Changes from PCI DSS Version 3.2.1 to 4.0, available on the PCI SSC website. Please see the other SAQs above for a selection of the new requirements.
MUST READ:
The 12 requirements of PCI DSS V4.0 explained. - PCI Compliance Hub
As a new PCI DSS (Payment Card Industry Data Security Standard) assessor, it’s crucial to
understand the 12 PCI DSS requirements and how to audit them effectively. The PCI DSS outlines 12 major
requirements grouped into 6 goals, aimed at securing cardholder data and improving the overall security
of payment systems.
Here's a detailed checklist of things to verify for each of the 12 PCI DSS requirements:
Goal 1: Build and Maintain a Secure Network and Systems
1. Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
   o Checklist:
     - Check if firewalls and routers are implemented between trusted internal networks and untrusted external networks.
     - Verify firewall configuration documentation and ensure firewall rules restrict traffic based on minimum required access.
     - Confirm that default firewall configurations have been changed to secure settings (e.g., no default passwords).
     - Ensure firewalls are regularly updated and monitored for security issues.
2. Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
   o Checklist:
     - Verify that all default passwords, account names, and security settings provided by the vendor are changed before installation.
     - Check that the system configuration ensures secure settings and that unnecessary services and ports are disabled.
     - Confirm regular review of system configurations to maintain security.
Goal 2: Protect Cardholder Data
3. Requirement 3: Protect stored cardholder data.
   o Checklist:
     - Ensure cardholder data is encrypted or tokenized when stored.
     - Verify that only necessary cardholder data is stored, and that the data is securely managed and protected.
     - Check for proper key management practices, including key rotation, backup, and restricted access to keys.
4. Requirement 4: Encrypt transmission of cardholder data across open, public networks.
   o Checklist:
     - Confirm that encryption protocols (e.g., TLS, IPsec) are used for transmitting cardholder data over public networks.
     - Ensure that only strong, approved encryption algorithms and key lengths are used.
     - Verify that encryption settings are properly configured, and that the certificates used for encryption are valid and regularly updated.
Goal 3: Maintain a Vulnerability Management Program
5. Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.
   o Checklist:
     - Ensure that anti-virus or anti-malware software is installed on all systems commonly affected by malware.
     - Verify that the software is regularly updated with the latest signatures and has real-time protection enabled.
     - Ensure that employees or system administrators regularly check that malware protection is functional and active.
6. Requirement 6: Develop and maintain secure systems and applications.
   o Checklist:
     - Verify that secure coding practices are followed and documented during development.
     - Ensure that security patches and updates are applied to systems and applications in a timely manner (e.g., within 30 days of release).
     - Confirm that vulnerability scans and penetration tests are conducted regularly to identify and resolve security issues.
     - Check that application-level security is reviewed and tested for vulnerabilities (e.g., SQL injection, cross-site scripting).
Goal 4: Implement Strong Access Control Measures
7. Requirement 7: Restrict access to cardholder data by business need to know.
   o Checklist:
     - Ensure that access to cardholder data is granted on a documented business need-to-know basis.
     - Verify that access control lists and permissions are properly defined for all users with access to sensitive data.
     - Confirm that there are periodic reviews of access rights and user roles to ensure they are still appropriate.
8. Requirement 8: Identify and authenticate access to system components.
   o Checklist:
     - Check that multi-factor authentication (MFA) is used for users accessing sensitive data or systems.
     - Ensure unique user IDs are used to track all access to cardholder data.
     - Verify that strong passwords are required and that password complexity, expiration, and lockout policies are in place.
9. Requirement 9: Restrict physical access to cardholder data.
   o Checklist:
     - Verify that physical access to areas containing cardholder data is restricted to authorized personnel only.
     - Ensure that surveillance systems (e.g., CCTV) are in place to monitor sensitive areas.
     - Check that physical access controls (e.g., card access systems, biometrics) are used to limit access to critical infrastructure and systems.
Goal 5: Regularly Monitor and Test Networks
10. Requirement 10: Track and monitor all access to cardholder data.
    o Checklist:
      - Ensure that logging mechanisms are in place to track all access to systems storing or processing cardholder data.
      - Confirm that logs are generated for system access, security events, and authentication attempts.
      - Verify that logs are stored securely and reviewed regularly to detect suspicious activity.
11. Requirement 11: Regularly test security systems and processes.
    o Checklist:
      - Confirm that vulnerability scanning is conducted regularly on systems that store, process, or transmit cardholder data.
      - Ensure that internal and external penetration tests are performed at least annually and after major system changes.
      - Check that security testing includes application-level security testing (e.g., code reviews, penetration testing).
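To illustrate the Requirement 10 item on reviewing logs for suspicious activity (and the Requirement 8 lockout check it depends on), the following added example, not from the original page, runs a simple review over constructed authentication log lines: it flags user IDs whose failed logins exceed an assumed lockout threshold within a window, and successful logins that follow such a burst. The log format, the threshold and the window are assumptions; an assessor would substitute the entity's documented policy values.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed review thresholds: align them with the lockout policy the entity
# documents for requirement 8 (these are not figures from the page).
MAX_FAILURES = 6
WINDOW = timedelta(minutes=30)

def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Parse an assumed format: '<ISO timestamp> <host> <app>: user=<id> result=<ok|fail> src=<ip>'."""
    ts, _host, _app, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["user"], kv["result"], kv["src"]

def review_auth_log(lines: List[str]) -> List[str]:
    """Return findings a log reviewer should escalate: a user ID exceeding the
    failure threshold inside the window (lockout apparently not enforced), and
    a successful login that directly follows such a burst of failures."""
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    findings: List[str] = []
    already_flagged = set()
    for line in lines:
        ts, user, result, src = parse_line(line)
        # Slide the window: keep only this user's failures within WINDOW of now.
        recent = [t for t in recent_failures[user] if ts - t <= WINDOW]
        if result == "fail":
            recent.append(ts)
            if len(recent) > MAX_FAILURES and user not in already_flagged:
                findings.append(f"{user}: {len(recent)} failed logins within "
                                f"{WINDOW} from {src}; lockout not enforced?")
                already_flagged.add(user)
        elif result == "ok" and len(recent) >= MAX_FAILURES:
            findings.append(f"{user}: successful login from {src} after "
                            f"{len(recent)} recent failures; investigate")
        recent_failures[user] = recent
    return findings

# Constructed sample: one ordinary typo by alice, then a burst against admin.
SAMPLE_LOG = [
    "2024-03-01T09:00:00 pos-gw sshd: user=alice result=fail src=10.0.5.12",
    "2024-03-01T09:00:30 pos-gw sshd: user=alice result=ok src=10.0.5.12",
] + [
    f"2024-03-01T09:1{i}:00 pos-gw sshd: user=admin result=fail src=203.0.113.7"
    for i in range(7)
] + ["2024-03-01T09:20:00 pos-gw sshd: user=admin result=ok src=203.0.113.7"]

if __name__ == "__main__":
    for finding in review_auth_log(SAMPLE_LOG):
        print(finding)
```

Seeing a seventh failure inside the window is itself evidence that the documented lockout is not enforced; a success after the burst is the line the reviewer must follow up, together with the log-integrity checks from the same requirement.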
Goal 6: Maintain an Information Security Policy
12. Requirement 12: Maintain a policy that addresses information security for all personnel.
    o Checklist:
      - Ensure that a comprehensive information security policy is documented, communicated, and enforced within the organization.
      - Verify that the policy includes clear guidelines for protecting cardholder data, handling security incidents, and maintaining compliance with PCI DSS.
      - Confirm that regular training on security policies and procedures is provided to all employees, and that compliance with the policies is regularly assessed.
General Steps for Assessing PCI DSS Compliance:
1. Documentation Review: Review all relevant documents (e.g., network diagrams, system
configuration, access control lists, and risk assessments).
2. Interviews: Conduct interviews with key personnel (e.g., system administrators, network engineers,
security officers) to understand security practices and policies.
3. Testing: Perform technical testing such as vulnerability scans, penetration tests, and system
configuration checks to ensure systems comply with the PCI DSS.
4. Evidence Collection: Collect evidence of compliance (logs, reports, policies, configurations) to
support your findings.
As an assessor, you will need to ensure that these controls are implemented, documented, and functioning
as expected. You will also need to verify that the company is regularly reviewing and improving its security
practices to ensure compliance with PCI DSS.