PCI DSS v4: What’s New with Self-Assessment Questionnaires

With the upcoming retirement of PCI DSS v3.2.1 on 31 March 2024 , organizations will be transitioning to new validation documents for their PCI DSS v4 assessments.

In this Q&A with PCI Security Standards Council’s Director of Data Security Standards Lauren Holloway, we look at some of the key changes in the PCI DSS Self-Assessment Questionnaires (SAQs) for version 4 and what organizations using SAQs need to know.

How have the SAQs changed for PCI DSS v4?
The SAQs have been updated to reflect the PCI DSS v4 requirements updates, so that the requirement wording in the SAQs now mirrors that which is used in the standard, and the SAQ reporting responses are aligned with the PCI DSS v4 Report on Compliance template. Additionally, each SAQ contains new guidance to support organizations completing the self-assessment process. For more details about general changes made to all SAQs, see SAQ Instructions and Guidelines - Appendix A: How SAQs Changed for PCI DSS v4.0.

Have requirements been added to the SAQs?
Yes, all SAQs include additional requirements for PCI DSS v4 to ensure the SAQ continues to address the evolving threat landscape.

Some of the additional requirements are noted as being best practices until 31 March 2025, after which they must be fully considered as part of a PCI DSS v4 assessment. Before 31 March 2025, future-dated requirements that are not yet implemented can be marked as "Not Applicable" and documented in Appendix C: Explanation of Requirements Noted as Not Applicable in the SAQ.

Many of the additional requirements are effective immediately for PCI DSS v4 assessments.

Examples of requirements added to each SAQ are summarized below.

Note: This is not an all-inclusive list of new requirements. The following provides an overview of the control areas addressed by the additional requirements. Please review the relevant SAQ(s) documents to see details of all updates.

SAQ A – Summary of new requirements:

Requirement 3 – Policies and procedures for data retention and protection of stored account data if merchant has paper records that include account data (receipts, paper reports, etc.).

SAQ A-EP – Summary of new requirements:

Requirement 2 - Policies and procedures for applying secure configurations to system components).

SAQ B – Summary of new requirements:

Requirement 3– Policies and procedures for data retention and protection of stored account data if merchant has paper records that include account data (receipts, paper reports, etc.).

SAQ B-IP – Summary of new requirements:

Requirements 3 and 9 – Policies and procedures for data retention and protection of stored account data if merchant has paper records that include account data (receipts, paper reports, etc.).

In addition, the v4.0 SAQ Instructions and Guidelines document clarified that SAQ B-IP is intended only for standalone PCI-approved point-of-interaction (POI) devices that are not connected to other types of devices in the same network zone.

SAQ C – Summary of new requirements:

Requirements 3 and 9 – Policies and procedures for data retention and protection of stored account data if merchant has paper records that include account data (receipts, paper reports, etc.).

SAQ C-VT – Summary of new requirements

Requirement 2 - Policies and procedures for applying secure configurations to system components.

In addition, the eligibility criteria were updated to remove segmentation, to clarify that this SAQ is intended only for standalone computers.

SAQ P2PE – Summary of new requirements

• Requirements 3 and 9 - Policies and procedures for data retention and protection of stored account data if merchant has paper records that include account data (receipts, paper reports, etc.).

There were no changes to SAQ D for Merchants other than the general changes made to all SAQs.

Are there any new SAQs?
Yes, the Self-Assessment Questionnaire for Software PIN entry on COTS (SAQ SPoC) was released in September 2023. This SAQ is for merchants using a commercial off-the-shelf mobile device (for example, phone or tablet) with a secure card reader that is part of a SPoC Solution that is on PCI SSC’s list of validated Software-based PIN Entry on COTS (SPoC) Solutions.

And what about SAQ D for Service Providers?
SAQ D for Service Providers is the ONLY SAQ for SAQ-eligible service providers. All other SAQs are for merchant use only.

If any requirement is not applicable for a given service provider’s environment, it can be marked as “Not Applicable” in the SAQ and described in Appendix C: Explanation of Requirements Noted as Not Applicable.

This SAQ includes all PCI DSS requirements, including those designated “for service providers only.” SAQ D for Service Providers for PCI DSS v4 also includes the following additional reporting requirements:

• New Section 2a, which specifies additional required documentation for service provider self-assessments.
• At each PCI DSS requirement, addition of a section for service providers to briefly “Describe Results” including how the evidence examined and testing performed supports the response selected by the service provider for a given requirement.

• To make sure your organization is prepared for what is new in PCI DSS v4 SAQs, perform a gap analysis to understand your PCI DSS status in relation to the new requirements.
• If you need help understanding whether your organization is eligible or required to complete an SAQ, and which SAQ is appropriate for your environment, contact your merchant bank (acquirer), the applicable payment brand(s), or other compliance entity.

Where can I find more information about the SAQs for PCI DSS v4?

• For detailed guidance on what is new in the SAQs, read the SAQ Instructions and Guidelines .
• To understand how to meet the new requirements, you can find detailed guidance, best practices, and implementation examples in the requirements’ Guidance Column in the Standard .
• There are many FAQs (Frequently Asked Questions) to help you with PCI DSS v4 – search our FAQ Page for answers to your questions.