Document Comparison
SAQ-Instructions-Guidelines-PCI-DSS-v4-0-1.pdf
→
SAQ-Instructions-Guidelines-PCI-DSS-v4-0-1-r1.pdf
97% similar
Pages: 30 → 30
Words: 9547 → 9573
Content Changes: 9

Content Changes
9 content changes. 31 administrative changes (dates, page numbers) hidden.
Added
p. 2
April 2025 4.0.1 r1 Corrected table (Common e-commerce methods and applicable SAQs) to accurately reflect the number of applicable PCI DSS requirements.
Removed Requirements 6.4.3 and 11.6.1 from section “Importance of new requirements added to SAQ A for PCI DSS v4.x.” Added the new SAQ A Eligibility Criteria for e-commerce merchants in the following two places:
To the table for “How does SAQ A compare to SAQ A-EP?”
To the SAQ Eligibility Criteria section for SAQ A.
Added
p. 19
The merchant has confirmed that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).
Modified
p. 1
Payment Card Industry Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 4.0.1
Payment Card Industry Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 4.0.1 Revision 1
Modified
p. 2
October 28, 2010 2.0 To align content with new PCI DSS v2.0 and clarify SAQ environment types and eligibility criteria. Addition of SAQ C-VT for Web-based Virtual Terminal merchants.
October 28, 2010 2.0 To align content with new PCI DSS v2.0 and clarify SAQ environment types and eligibility criteria.
Modified
p. 10
Some SAQs were updated to include additional PCI DSS requirements that were not in that SAQ for PCI DSS version 3.2.1. This will impact how the merchant approaches their self-assessment.
Some SAQs were updated to include additional PCI DSS requirements that were not in that SAQ for PCI DSS version 3.2.1. This will have an impact on how the merchant approaches their self-assessment.
Removed
p. 14
PCI DSS Requirement 6.4.3 to manage payment page scripts. The intent is for a merchant to manage any payment page scripts present on the merchant’s server with a webpage.
PCI DSS Requirement 11.3.2 for external vulnerability scans at least once every 90 days and Requirement 11.3.2.1 for external vulnerability scans after significant changes. The intent is for a merchant to scan for and resolve any vulnerabilities on the merchant’s server(s) with a webpage.
PCI DSS Requirement 11.6.1 for a change and tamper-detection mechanism deployed to detect and provide alerts for unauthorized modifications to security-impacting HTTP of script contents of payment pages. The intent is for merchants to deploy this mechanism on the merchant’s server(s) with a webpage and respond to alerts.
PCI DSS Requirement 11.3.2 for external vulnerability scans at least once every 90 days and Requirement 11.3.2.1 for external vulnerability scans after significant changes. The intent is for a merchant to scan for and resolve any vulnerabilities on the merchant’s server(s) with a webpage.
PCI DSS Requirement 11.6.1 for a change and tamper-detection mechanism deployed to detect and provide alerts for unauthorized modifications to security-impacting HTTP of script contents of payment pages. The intent is for merchants to deploy this mechanism on the merchant’s server(s) with a webpage and respond to alerts.
Modified
p. 14
Importance of new requirements added to SAQ A for PCI DSS v4. x SAQ A for PCI DSS v4.x includes additional security controls needed to address common breaches that are targeting SAQ A merchants, specifically to secure webpages that 1) redirect payment transactions to a PCI DSS compliant TPSP or 2) include a PCI DSS compliant TPSP’s embedded payment page/form. To mitigate these common breaches, the following new requirements are included in SAQ A (Note: This list highlights requirements added …
Importance of new requirements added to SAQ A for PCI DSS v4.x SAQ A for PCI DSS v4.x includes additional security controls needed to address common breaches that are targeting SAQ A merchants, specifically to secure webpages that 1) redirect payment transactions to a PCI DSS compliant TPSP or 2) include a PCI DSS compliant TPSP’s embedded payment page/form. To mitigate these common breaches, Requirements 11.3.2 and 11.3.2.1 are included in SAQ A (Note: This list highlights requirements added to …
Modified
p. 15
SAQ A SAQ A-EP All Account Data Functions Completely Outsourced Partially Outsourced E-commerce Payment Channel Applies to: Card-not-present merchants (e-commerce or mail/telephone-order)* E-commerce merchants Functions Outsourced All processing of account data is entirely outsourced to PCI DSS compliant third-party service provider (TPSP)/payment All processing of account data, with the exception of the payment page, is entirely outsourced to a PCI DSS compliant TPSP/payment processor All elements of all payment page(s)/form(s) delivered to the customer’s browser originate only and directly …
SAQ A SAQ A-EP All Account Data Functions Completely Outsourced Partially Outsourced E-commerce Payment Channel Applies to: Card-not-present merchants (e-commerce or mail/telephone-order)* E-commerce merchants Functions Outsourced All processing of account data is entirely outsourced to PCI DSS compliant third-party service provider (TPSP)/payment All processing of account data, with the exception of the payment page, is entirely outsourced to a PCI DSS compliant TPSP/payment processor All elements of all payment page(s)/form(s) delivered to the customer’s browser originate only and directly …
Modified
p. 23
For a graphical guide to choosing your SAQ type, please see “Which SAQ Best Applies to My Environment” on pages 23 and 24.
For a graphical guide to choosing your SAQ type, please see “Which SAQ Best Applies to My Environment” on pages 24 and 25.