PCI 3.2 – Have SAQs Been Changed?

13. September 2016

As of 31 October 2016, it will no longer be possible to validate compliance using the Self-Assessment Questionnaires (SAQs) of PCI DSS version 3.1. Companies that validate their PCI DSS compliance by completing an SAQ therefore face the question of whether, and to what extent, they will be affected by the new PCI DSS version 3.2.
We have therefore compiled an overview of the changes for you and briefly address the focus of the changes below.

SAQ A: This SAQ has been expanded by seven requirements, which focus on the areas of user management and the development of an incident response plan.
SAQ A-EP: Gaining an additional 39 requirements, this SAQ is affected the most by the PCI DSS version change. The new requirements concern areas such as network security, secure development, authentication, logging and IDS / IPS (intrusion detection systems and intrusion prevention systems).
SAQ B and SAQ B-IP are not affected by the PCI DSS 3.2 changes.
SAQ C: Companies that validate their compliance using this SAQ can expect 17 additional requirements, including in the areas of user management, authentication and physical security.
SAQ C-VT: This SAQ has been expanded by requirements in the areas of user management and physical security as well.
SAQ P2PE: With PCI DSS 3.2, companies that fall under the SAQ P2PE category have to fulfil two fewer requirements than before. The requirements that have been dropped concern the masking of PANs when displayed (requirement 3.3) and the transmission of PANs over end-user messaging technologies (requirement 4.2).
We are happy to assist you with any questions you might have. Please contact our PCI Competence Center.
