Document Comparison
PCI-DSS-v4-0-1-SAQ-A.pdf
→
PCI-DSS-v4_0_1-SAQ-A-r1.pdf
88% similar
42 → 38
Pages
11338 → 10300
Words
17
Content Changes
Content Changes
17 content changes. 37 administrative changes (dates, page numbers) hidden.
Added
p. 2
Aligned content in Sections 1 and 3 of Attestation of Compliance (AOC) with PCI DSS v4.0 Repo on Compliance AOC.
January 2025 4.0.1 1 Removed Requirements 6.4.3, 11.6.1, and 12.3.1 and added an Eligibility Criteria for merchants to confirm that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).
The merchant has confirmed that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).
January 2025 4.0.1 1 Removed Requirements 6.4.3, 11.6.1, and 12.3.1 and added an Eligibility Criteria for merchants to confirm that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).
The merchant has confirmed that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).
Added
p. 13
The merchant has confirmed that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).
Added
p. 29
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place Not Applicable Not in Place 12.8.2 Written agreements with TPSPs are maintained as follows:
Modified
p. 2
January 2017 3.2 1.1 Updated Document Changes to clarify requirements added in the April 2016 update. Added note to Before You Begin section to clarify intent of inclusion of PCI DSS Requirements 2 and 8.
January 2017 3.2 1.1 Updated Document Changes to clarify requirements added in the April 2016 update.
Modified
p. 2
Clarified note under Eligibility Criteria on page iv that addresses applicability of Requirements 2, 6, 8, and 11 to e-commerce merchants.
Clarified note under Eligibility Criteria on page iv that addresses applicability of Requirements 2, 6 8, and 11 to e-commerce merchants.
Modified
p. 2
Clarified notes that address applicability to e-commerce merchants for Requirements 6.4.3, 8, 11, and 11.6.1.
Clarified notes that address applicability to e-commerce merchants for Requirements 6.4.3, 8, 11 and 11.6.1.
Modified
p. 13
Additionally, for e-commerce channels:
Additionally, for e-commerce channels, merchant certifies:
Removed
p. 19
Note: For SAQ A, Requirement 6.4.3 applies to a merchant’s webpage that includes a TPSP’s/payment processor’s embedded payment page/form (for example, one or more inline frames or iframes).
Removed
p. 19
• A method is implemented to confirm that each script is authorized.
• Examine inventory records.
• Examine system configurations.
• A method is implemented to assure the integrity of each script.
• An inventory of all scripts is maintained with written business or technical justification as to why each is necessary.
Applicability Notes (continued)
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place This requirement applies to all scripts loaded from the entity’s environment and scripts loaded from third and fourth parties.
This requirement also applies to scripts in the entity’s webpage(s) that includes a TPSP’s/ payment processor’s embedded payment page/form (for example, one or more inline frames or iframes).
This requirement does not apply to an entity for scripts in a TPSP’s/payment processor’s embedded payment page/form (for example, one or more iframes), where the entity includes a TPSP’s/payment processor’s payment page/form on …
• Examine inventory records.
• Examine system configurations.
• A method is implemented to assure the integrity of each script.
• An inventory of all scripts is maintained with written business or technical justification as to why each is necessary.
Applicability Notes (continued)
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place This requirement applies to all scripts loaded from the entity’s environment and scripts loaded from third and fourth parties.
This requirement also applies to scripts in the entity’s webpage(s) that includes a TPSP’s/ payment processor’s embedded payment page/form (for example, one or more inline frames or iframes).
This requirement does not apply to an entity for scripts in a TPSP’s/payment processor’s embedded payment page/form (for example, one or more iframes), where the entity includes a TPSP’s/payment processor’s payment page/form on …
Removed
p. 20
Where the merchant server redirects customers from the merchant website to a TPSP/payment processor (for example, with a URL redirect), the merchant marks this requirement as Not Applicable and completes Appendix C: Explanation of Requirements Noted as Not Applicable.
Removed
p. 29
Applicability Notes (continued)
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place Not Applicable Not in Place 11.6 Unauthorized changes on payment pages are detected and responded to.
Note: For SAQ A, Requirement 11.6.1 applies to a merchant’s servers with a webpage that includes a TPSP’s/payment processor’s embedded payment page/form (for example, one or more inline frames or iframes).
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place Not Applicable Not in Place 11.6 Unauthorized changes on payment pages are detected and responded to.
Note: For SAQ A, Requirement 11.6.1 applies to a merchant’s servers with a webpage that includes a TPSP’s/payment processor’s embedded payment page/form (for example, one or more inline frames or iframes).
Removed
p. 29
• To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the security-impacting HTTP headers and the script contents of payment pages as received by the consumer browser.
• Examine system settings and mechanism configuration settings.
• Examine monitored payment pages.
• Examine results from monitoring activities.
• Examine the mechanism configuration settings.
• Examine configuration settings.
• If applicable, examine the targeted risk analysis.
• The mechanism is configured to evaluate the received HTTP headers and payment pages.
• The mechanism functions are performed as follows:
• At least once weekly OR
• Periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1).
• Examine system settings and mechanism configuration settings.
• Examine monitored payment pages.
• Examine results from monitoring activities.
• Examine the mechanism configuration settings.
• Examine configuration settings.
• If applicable, examine the targeted risk analysis.
• The mechanism is configured to evaluate the received HTTP headers and payment pages.
• The mechanism functions are performed as follows:
• At least once weekly OR
• Periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1).
Removed
p. 30
Scripts in the TPSP’s/payment processor’s embedded payment page/form are the responsibility of the TPSP/payment processor to manage in accordance with this requirement.
This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Where the merchant server redirects customers from the merchant website to a TPSP/payment processor (for example, with a URL redirect), the merchant marks this requirement as Not Applicable and completes Appendix C: Explanation of Requirements Noted as Not Applicable.
This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Where the merchant server redirects customers from the merchant website to a TPSP/payment processor (for example, with a URL redirect), the merchant marks this requirement as Not Applicable and completes Appendix C: Explanation of Requirements Noted as Not Applicable.
Removed
p. 30
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place Not Applicable Not in Place This requirement also applies to entities with a webpage(s) that includes a TPSP’s/payment processor’s embedded payment page/form (for example, one or more inline frames or iframes.) This requirement does not apply to an entity for scripts in a TPSP’s/payment processor’s embedded payment page/form (for example, one or more iframes), where the entity includes a TPSP’s/payment processor’s payment page/form on its webpage.
The intention of this requirement is not that an entity installs software in the systems or browsers of its consumers, but rather that the entity uses techniques such as those described under Examples in the PCI DSS Guidance column (of PCI DSS Requirements and Testing Procedures) to prevent and detect unexpected script activities.
The intention of this requirement is not that an entity installs software in the systems or browsers of its consumers, but rather that the entity uses techniques such as those described under Examples in the PCI DSS Guidance column (of PCI DSS Requirements and Testing Procedures) to prevent and detect unexpected script activities.
Removed
p. 31
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place Not Applicable Not in Place 12.3 Risks to the cardholder data environment are formally identified, evaluated, and managed.
Removed
p. 31
• Identification of the assets being protected.
• Identification of the threat(s) that the requirement is protecting against.
• Identification of factors that contribute to the likelihood and/or impact of a threat being realized.
• Resulting analysis that determines, and includes justification for, how the frequency or processes defined by the entity to meet the requirement minimize the likelihood and/or impact of the threat being realized.
• Review of each targeted risk analysis at least once every 12 months to determine whether the results are still valid or if an updated risk analysis is needed.
• Performance of updated risk analyses when needed, as determined by the annual review.
• Examine documented policies and procedures.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place Not Applicable Not in Place Applicability Notes This requirement is a best practice until 31 March 2025, after which it will be required and must be …
• Identification of the threat(s) that the requirement is protecting against.
• Identification of factors that contribute to the likelihood and/or impact of a threat being realized.
• Resulting analysis that determines, and includes justification for, how the frequency or processes defined by the entity to meet the requirement minimize the likelihood and/or impact of the threat being realized.
• Review of each targeted risk analysis at least once every 12 months to determine whether the results are still valid or if an updated risk analysis is needed.
• Performance of updated risk analyses when needed, as determined by the annual review.
• Examine documented policies and procedures.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place Not Applicable Not in Place Applicability Notes This requirement is a best practice until 31 March 2025, after which it will be required and must be …
Modified
p. 34 → 30
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place Not Applicable Not in Place 12.8.3 An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place Not Applicable Not in Place 12.8.4 A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months.