PCI DSS: SAQ A – Changes Announced

Last night, the PCI Council released an update to Self-Assessment Questionnaire (SAQ) A.

The headline change in this update is the removal of the future-dated requirements that were designed to combat e-skimming attacks. Requirements 6.4.3 (management of scripts loaded on the payment page), 11.6.1 (change and tamper detection on the payment page) and 12.5.2 have been removed as future-dated requirements and are no longer in this SAQ.

Having said that, the SAQ now introduces a new eligibility criterion: merchants must confirm that their site is not susceptible to attacks from scripts that could affect the merchant's e-commerce system(s).

What could this mean for you?

At first glance, this looks like a reduction in the security controls protecting your customers' account data. On closer reading, however, it points to a broader approach, with security and controls expected across your website as a whole rather than a fixed set of controls on the payment page alone.

Why now?

Yes, the timing seems a little out of the blue, with the deadline for these requirements being 31 March 2025, and this may mean a change of scope for merchants who are not ready for it. Remember, if you don't meet the eligibility criteria, you can't use the reduced set of requirements, and you may now fall into the larger SAQ A-EP or SAQ D.

So, what has actually changed?

Removing the specific requirements while adding a broader eligibility criterion about scripts seems to be a move in line with the earlier PCI DSS v4.0 changes and their goals: continuous compliance, flexibility in how compliance is subsequently reported, and a more outcome-based approach.

This broader, outcome-based approach may give merchants more ways to meet the criterion than the prescriptive requirements of old. By all means you can still take the approach of 6.4.3 and 11.6.1 (an authorised script inventory with integrity checks, plus change and tamper detection on the payment page), but you could now also look at penetration testing, Content Security Policies or output encoding, as examples. Additionally, do we now need to look wider than just the payment page?
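To make two of those routes concrete, here is an added example (not code from this post, CSA Cyber or the PCI Council) that checks a served page against an authorised-script inventory with Subresource Integrity, in the spirit of 6.4.3 and 11.6.1, and reviews a Content Security Policy's script-src for settings that let unreviewed script run. The page, the inventory, the script body, the hostnames and the CSP strings are all constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(content: bytes, alg: str = "sha384") -> str:
    """Subresource Integrity token for a script body, e.g. 'sha384-...'."""
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"


# Constructed stand-in for the payment provider's hosted script body.
PSP_SCRIPT_BODY = b"/* constructed: pretend this is the PSP checkout.js */"

# 6.4.3-style inventory: each script allowed on the page, why it is there, and
# (where the vendor publishes stable content) its expected SRI token.
APPROVED = {
    "https://js.example-psp.test/v3/checkout.js": {
        "justification": "PSP hosted card fields",
        "integrity": sri_hash(PSP_SCRIPT_BODY),
    },
    "https://cdn.example.test/app.js": {
        "justification": "first-party checkout UI",
        "integrity": None,  # inventoried, but no SRI pinned yet
    },
}

# Constructed page: the third <script> is an injected skimmer-style tag and the
# inline block carries no nonce; both should be flagged.
SAMPLE_PAGE = f"""
<html><head>
<script src="https://js.example-psp.test/v3/checkout.js"
        integrity="{sri_hash(PSP_SCRIPT_BODY)}" crossorigin="anonymous"></script>
<script src="https://cdn.example.test/app.js"></script>
<script src="https://stats-cdn.test/track.js"></script>
<script>window.__boot=1;</script>
</head><body><form id="payment"></form></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect every <script> element, external (src) or inline."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"),
                             "nonce": a.get("nonce"), "inline": ""})
        self._in_inline = a.get("src") is None

    def handle_data(self, data):
        if self._in_inline and self.scripts:
            self.scripts[-1]["inline"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def inventory_scripts(html: str) -> list:
    """Return the scripts found on a page, in document order."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def check_scripts(html: str, approved: dict) -> list:
    """Compare a page's scripts with the inventory; run on a schedule against
    the served page and any new finding is your change/tamper alert."""
    findings = []
    for s in inventory_scripts(html):
        if s["src"] is None:  # inline script: only acceptable with a CSP nonce
            if not s["nonce"]:
                findings.append(f"inline script without CSP nonce: {s['inline'].strip()[:40]!r}")
            continue
        entry = approved.get(s["src"])
        if entry is None:
            findings.append(f"unauthorised script: {s['src']}")
        elif s["integrity"] is None:
            findings.append(f"no integrity attribute: {s['src']}")
        elif entry["integrity"] and s["integrity"] != entry["integrity"]:
            findings.append(f"SRI mismatch, script content changed: {s['src']}")
    return findings


# A weak policy that still lets injected or inline script run, next to a hardened
# one ('nonce-RANDOM' is a placeholder; a real server issues a fresh value per response).
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
HARDENED_CSP = ("default-src 'self'; "
                "script-src 'self' https://js.example-psp.test https://cdn.example.test 'nonce-RANDOM'; "
                "object-src 'none'; base-uri 'self'; frame-ancestors 'none'")


def check_csp(header: str) -> list:
    """Flag script-src (or its default-src fallback) values that let unreviewed script run."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: any origin may run script"]
    findings = [f"script-src allows {bad}" for bad in
                ("'unsafe-inline'", "'unsafe-eval'", "*", "https:", "http:", "data:")
                if bad in sources]
    findings += [f"script-src allows wildcard host {s}" for s in sources if "*" in s and s != "*"]
    return findings


if __name__ == "__main__":
    for f in check_scripts(SAMPLE_PAGE, APPROVED):
        print("SCRIPT:", f)
    for f in check_csp(WEAK_CSP):
        print("WEAK CSP:", f)
    print("hardened CSP findings:", check_csp(HARDENED_CSP))
```

Pointing `check_scripts` at the live checkout page on a schedule, with the inventory kept under change control, gives you the authorised-script list and the change alert that 6.4.3 and 11.6.1 asked for; the CSP review is the complementary preventive control, since a script-src without 'unsafe-inline' or broad scheme sources stops an injected tag from executing even if it reaches the page.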

How can we help?

If you need support with what this means for you, how it may have changed your plans, or what you may need to do next, please reach out to the CSA Cyber QSA team at [email protected] and we can discuss it in more detail.

The full PCI Council blog post can be found here:

Important Updates Announced for Merchants Validating to Self-Assessment Questionnaire A
