Critical Update to PCI Self-Assessment Questionnaire (SAQ) Coming in 2024 

Historically, PCI self-assessment questionnaires (SAQ) have served as a method for merchants or service providers without PCI level 1 reporting responsibilities to assess themselves.

While the PCI SSC expects SAQs to adhere to the same testing procedures as assessments performed by external assessors, many organizations have typically relied on inquiries to complete their self-assessments. Alternatively, they may indicate that controls are implemented based on what they perceive to be accurate, often without additional testing beyond anecdotal experience. 

The inconsistencies and inaccuracies in self-assessment methodologies were permitted due to two main factors: 

1. When engaging in self-assessment, businesses assume liability for the accuracy of their reporting. This grants organizations ownership of the risks associated with assessment results.

2. The SAQ form itself is merely a series of check boxes indicating the presence or absence of controls, with minimal contextual information provided in the executive summary.

Big Changes with v4.0 SAQ D for Service Providers

An example control from the current version of the DSS within SAQ D is presented below. Notably, the responses are limited to checkboxes.

Now, here is an example of a similar control in the upcoming v4.0 SAQ D template for service providers:

You will notice two significant changes that are crucial to service-providing organizations:

1. The SAQ is no longer presented in a question format; instead, the new format reflects how a Report on Compliance (ROC) is formatted and completed.

2. A new requirement in the template requires service providers to articulate the process behind determining their response. The reporting template requires a description of how the testing conducted led to their conclusion.

What This Means for PCI SAQ Respondents

Service providers performing insufficient testing or none at all may have difficulty moving forward under the new v4.0 SAQ D template. In this scenario, they could benefit from enlisting an internal audit team, compliance team, or PCI practitioner to perform and draft the PCI SAQ on their behalf. An internal general security or executive team member may need more time or expertise to properly complete the assessment and subsequent report.

Without these internal resources, organizations will likely need to engage contractors, consultants, or opt for their SAQ to be performed by a PCI QSA in a facilitated or attested format.

If you have any questions regarding the v4.0 SAQ D update, please don’t hesitate to contact us and speak with one of our PCI experts.
