PCI 3.2 – Have SAQs Been Changed?

13. September 2016

As of 31 October 2016, it will no longer be possible to use Self-Assessment Questionnaires (short: SAQs) PCI DSS version 3.1. Companies that validate their PCI DSS compliance by completing an SAQ now face the question of whether, and to what extent, they will be affected by the new PCI DSS version 3.2.
We have therefore compiled an overview of the changes for you and briefly address the focus of the changes below.

SAQ A: SAQ A: This SAQ has been expanded by seven requirements which focus on the areas of user management and development of an Incident Response Plan.
SAQ A-EP: Gaining an additional 39 requirements, this SAQ is affected the most by the PCI version changes. The new requirements concern areas such as network security, secure development, authentication, logging and IDS / IPS (intrusion detection systems and intrusion prevention systems).
SAQ B and SAQ B-IP are not affected by the PCI 3.2 changes.^
SAQ C: Companies that validate their compliance using this SAQ can expect 17 additional requirements, including in areas of user management, authentication & physical security.
SAQ C-VT: This SAQ has been expanded by requirements in the areas of user management and physical security as well.
SAQ P2PE: With PCI DSS 3.2, companies that fall under the SAQ P2PE category have to fulfil two requirements less than before. These requirements concern masking (requirement 3.3) and transmission of PANs (requirement 4.2).
We are happy to assist you with any questions you might have. Please contact our PCI Competence Center.

Also interesting:

usd AG Partner to PCI SSC GEAR 2022-2024

usd AG Partner to PCI SSC GEAR 2022-2024

The PCI Security Standards Council (PCI SSC) has reappointed usd AG to the Global Executive Assessor Roundtable (GEAR). Since 2018, the GEAR has enabled a direct exchange between PCI assessors and the PCI Security Standards Council (PCI SSC). Every two years, leading...

Security Advisory for CleverReach

Security Advisory for CleverReach

The analysts at usd HeroLab examined CleverReach as part of their security analyses. This revealed a vulnerability in the  Authentication Bypass Using an Alternate Path or Channel, which was reported to the manufacturer as part of the Responsible Disclosure...

Security Advisories for CA Harvest

Security Advisories for CA Harvest

The analysts at usd HeroLab examined the CA Harvest Software Change Manager as part of their security analyses. This revealed a vulnerability in the CSV export functionality, which was reported to the manufacturer as part of the Responsible Disclosure Policy. The...

Categories

Categories