Document Comparison
SAQ-InstrGuidelines-v3_2.pdf
→
SAQ-InstrGuidelines-v3-2-1-r1.pdf
97% similar
Pages: 21 → 21
Words: 5904 → 5979
Content Changes: 27

Content Changes
27 content changes. 21 administrative changes (dates, page numbers) hidden.
Added
p. 2
August 2022 3.2.1 Revision 1 Updated to reflect the inclusion of UnionPay as a Participating Payment Brand.
This document aligns with PCI DSS v3.2.1 r1.
Added
p. 10
• The PCI DSS Glossary of Terms, Abbreviations and Acronyms
• Frequently Asked Questions (FAQs)
• Information Supplements and Guidelines
• Imprint machines with no electronic cardholder data storage, and/or
Added
p. 20
• E-commerce merchants who accept cardholder data on their website;
• Merchants with electronic storage of cardholder data;
• Merchants that don’t store cardholder data electronically but that do not meet the criteria of another SAQ type;
Modified
p. 1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 3.2
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 3.2.1 Revision 1
Modified
p. 7
• Storage of sensitive authentication data (SAD), such as track data, after authorization (Requirement 3.2). Many compromised entities were unaware that their systems were storing this data.
Modified
p. 7
• Inadequate access controls due to improperly installed point-of-sale (POS) systems, allowing malicious users in via paths intended for POS vendors (Requirements 7.1, 7.2, 8.2, and 8.3).
Modified
p. 7
• Default system settings and passwords not changed when the system was installed (Requirement 2.1).
Modified
p. 7
• Unnecessary and insecure services not removed or secured when the system was installed (Requirements 2.2.2 and 2.2.3).
Modified
p. 7
• Poorly coded web applications resulting in SQL injection and other vulnerabilities, which allow access to the database storing cardholder data directly from the website (Requirement 6.5).
Modified
p. 7
• Missing and outdated security patches (Requirement 6.2).
Modified
p. 7
• Lack of logging (Requirement 10).
Modified
p. 7
• Lack of monitoring (via log reviews, intrusion detection/prevention, quarterly vulnerability scans, and change-detection mechanisms) (Requirements 10.6, 11.2, 11.4 and 11.5).
Modified
p. 7
• Poor scoping decisions; for example, excluding part of the network from PCI DSS scope due to inadequate network segmentation that was not verified to be effective (Requirement 11.3.4). This results in the cardholder data environment being unknowingly exposed to weaknesses in other parts of the network that have not been secured according to PCI DSS (for example, from unsecured wireless access points and vulnerabilities introduced via employee e-mail and web browsing) (Requirements 1.2, 1.3 and 1.4).
Modified
p. 10
• SAQ forms and Attestations of Compliance
c. PCI SSC also provides a number of training programs to help build awareness for an organization’s personnel. Examples include PCI Awareness, the PCI Professional (PCIP) program, and the Internal Security Assessor (ISA) program.
Modified
p. 11
• Standalone, dial-out terminals with no electronic cardholder data storage.
Modified
p. 12
Not applicable to e-commerce merchants.
Not applicable to e-commerce channels.
Modified
p. 13
• Your company accepts only card-not-present (e-commerce or mail/telephone-order) transactions;
• All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service providers;
• Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions;
• Your company has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and
• Any …
Modified
p. 13
• All elements of all payment pages delivered to the consumer’s browser originate only and directly from a PCI DSS validated third-party service provider(s).
Modified
p. 14
• Your company accepts only e-commerce transactions;
• All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated third-party payment processor;
• Your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor;
• If merchant website is hosted by a third-party provider, the provider is validated to all applicable PCI DSS requirements (e.g., including …
Modified
p. 15
• Your company uses only an imprint machine and/or uses only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers’ payment card information;
• The standalone, dial-out terminals are not connected to any other systems within your environment;
• The standalone, dial-out terminals are not connected to the Internet;
• Your company does not transmit cardholder data over a network (either an internal network or the Internet);
• Any cardholder data your company retains …
Modified
p. 16
• Your company uses only standalone, PTS-approved point-of-interaction (POI) devices (excludes SCRs) connected via IP to your payment processor to take your customers’ payment card information;
• The standalone, IP-connected POI devices are validated to the PTS POI program as listed on the PCI SSC website (excludes SCRs);
• The standalone, IP-connected POI devices are not connected to any other systems within your environment (this can be achieved via network segmentation to isolate POI devices from other systems);
• The …
Modified
p. 17
• Your company’s only payment processing is via a virtual payment terminal accessed by an Internet-connected web browser;
• Your company’s virtual payment terminal solution is provided and hosted by a PCI DSS validated third-party service provider;
• Your company accesses the PCI DSS-compliant virtual payment terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment (this can be achieved via a firewall or network segmentation …
Modified
p. 18
• Your company has a payment application system and an Internet connection on the same device and/or same local area network (LAN);
• The payment application system/Internet device is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate payment application system/Internet device from all other systems);
• The physical location of the POS environment is not connected to other premises or locations, and any LAN is for a single store only; …
Modified
p. 19
• The only systems in the merchant environment that store, process or transmit account data are the Point of Interaction (POI) devices which are approved for use with the validated and PCI-listed P2PE solution;
Modified
p. 19
• All payment processing is via a validated PCI P2PE solution approved and listed by the PCI SSC;
• Your company does not otherwise receive or transmit cardholder data electronically.
• There is no legacy storage of electronic cardholder data in the environment;
• Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically; and
• Your company has implemented all controls in the P2PE Instruction Manual (PIM) provided by …
Removed
p. 20
For a graphical guide to choosing your SAQ type, please see “Which SAQ Best Applies to My Environment?” on page 18.
Modified
p. 20
• Merchants with environments that might meet the criteria of another SAQ type, but that have additional PCI DSS requirements applicable to their environment.