PCI Security Standards Council Bulletin: SAQs for PCI DSS v4.0 are Now Available

PCI Security Standards Council Bulletin: SAQs for PCI DSS v4.0 are Now Available

29 APRIL 2022

The PCI SSC has published the Self-Assessment Questionnaires (SAQs) for PCI DSS v4.0. The SAQs
are validation tools intended to assist SAQ-eligible merchants and service providers in performing and
reporting the results of their PCI DSS self-assessment.

Updates to SAQs for PCI DSS v4.0 incorporate feedback received from the industry and include:
• Aligning requirement content with PCI DSS v4.0.
• Adding PCI DSS v4.0 requirements to address evolving threats.
• Rearranging, retitling, and expanding information in the introductory sections.
• Aligning content in the SAQ Attestations of Compliance (AOC) with the PCI DSS v4.0 Report on
Compliance AOCs.
• Adding new appendices, as applicable, to support new reporting responses.
• Updating SAQ D for Service Providers to require additional documentation about the assessed
environment and descriptions of testing results for each PCI DSS requirement.

PCI DSS v4.0 SAQs can be found in the PCI SSC Document Library on the PCI SSC website.

Merchants should confirm they meet all eligibility criteria for a particular SAQ before commencing their
self-assessment. All entities completing SAQs are encouraged to first contact the entity to which the SAQ
will be submitted to confirm they are eligible to complete an SAQ to validate PCI DSS compliance, and to
understand any specific requirements or instructions.

The SAQs for PCI DSS v3.2.1 will remain active until PCI DSS v3.2.1 is retired on 31 March 2024.
Refer to the Countdown to PCI DSS v4.0 blog post for information about transition timelines between PCI
DSS v3.2.1 and v4.0.