What changes are applicable to SAQ C?

SAQ C: Merchants with point-of-sale (POS) system or other payment application systems connected to the internet.

PCI DSS version 4.0 has had the greatest impact on the number of Requirements now included in the SAQ C. The majority of the additions affect Requirement 8: ‘Identify Users and Authenticate Access to System Components’ and Requirement 10: ‘Log and Monitor All Access to System Components and Cardholder Data’.

If the merchant’s POS or payment application system is custom or bespoke software developed and maintained in accordance the PCI SSC Secure Software Standard and/or the Secure SLC Standard (which together comprise the PCI Software Security Framework) that can help to meet several of SAQ C’s new Requirements from Requirement 6 ‘Develop and Maintain Secure Systems and Software’. For more details see the PCI DSS version 4.0 Appendix F ‘Leveraging the PCI Software Security Framework to Support Requirement 6’.

The v4.0 SAQ C includes:

  • 23 Requirements are new and effective immediately.
  • 17 Requirements are new but future dated.

While 13 consolidated, redundant or no longer applicable version 3.2.1 SAQ Requirements have been removed from SAQ C: 1.3.4, 1.3.5, 2.2.4 a, 3.2.1, 9.6 a, 9.7, 11.1.2 a&b, 12.3.2, 12.3.3, 12.3.6, 12.3.8, 12.3.9, 12.5.3.
The version 4.0 SAQ C Requirements are listed in full in Appendix B; the most significant of the new or additional Requirements are highlighted below:

Effective Immediately

  • Secure software development practices and methods to prevent common coding vulnerabilities (6.2.1 – 6.2.4)
    • Only applicable to merchants with bespoke software (developed to the entity’s specifications by a third party) or custom software (developed by the entity)
  • Changes to all system components in the production environment are made according to established procedures (6.5.1)
    Manage the addition, deletion, and modification of user IDs, authentication factors, and other identifier objects (8.2.4 – 8.2.6)
  • Implement controls to limit access to and protect audit logs (10.3.1 – 10.3.4)
  • Configure systems to ensure accurate and synchronised time (10.6.1 – 10.6.3)
  • Designated personnel to be available for 24*7 incident response (12.10.3)

Future-dated

  • Implement automated mechanisms to detect and protect against phishing attacks, include phishing and social engineering in security awareness training (5.4.1, 12.6.3.1)
  • Additional requirements for multi-factor authentication (MFA) (8.4.2, 8.5.1)
    • MFA to be implemented for all access into the CDE.
    • Configure MFA systems to ensure they are not susceptible to replay attacks, cannot be bypassed by any users without authorization, use at least two different types of authentication factors and grant access only after all authentication factors are successful.
  • Review user accounts and related access privileges, including third-party/vendor accounts,
    at least once every six months (7.2.4)
  • Manage application and system accounts (7.2.5, 8.6.1, 8.6.2, 8.6.3)
  • Implement automated mechanisms to perform audit log reviews (10.4.1.1)
  • Perform targeted risk analyses to determine the frequency a requirement is performed (12.3.1)
    • Applicable to Requirements 5.2.3.1, 5.3.2.1, 8.6.3, 10.4.2.1

What changes are applicable to SAQ C?

SAQ C: Merchants with point-of-sale (POS) system or other payment application systems connected to the internet.

PCI DSS version 4.0 has had the greatest impact on the number of Requirements now included in the SAQ C. The majority of the additions affect Requirement 8: ‘Identify Users and Authenticate Access to System Components’ and Requirement 10: ‘Log and Monitor All Access to System Components and Cardholder Data’.

If the merchant’s POS or payment application system is custom or bespoke software developed and maintained in accordance the PCI SSC Secure Software Standard and/or the Secure SLC Standard (which together comprise the PCI Software Security Framework) that can help to meet several of SAQ C’s new Requirements from Requirement 6 ‘Develop and Maintain Secure Systems and Software’. For more details see the PCI DSS version 4.0 Appendix F ‘Leveraging the PCI Software Security Framework to Support Requirement 6’.

The v4.0 SAQ C includes:

  • 23 Requirements are new and effective immediately.
  • 17 Requirements are new but future dated.

While 13 consolidated, redundant or no longer applicable version 3.2.1 SAQ Requirements have been removed from SAQ C: 1.3.4, 1.3.5, 2.2.4 a, 3.2.1, 9.6 a, 9.7, 11.1.2 a&b, 12.3.2, 12.3.3, 12.3.6, 12.3.8, 12.3.9, 12.5.3.
The version 4.0 SAQ C Requirements are listed in full in Appendix B; the most significant of the new or additional Requirements are highlighted below:

Effective Immediately

  • Secure software development practices and methods to prevent common coding vulnerabilities (6.2.1 – 6.2.4)
    • Only applicable to merchants with bespoke software (developed to the entity’s specifications by a third party) or custom software (developed by the entity)
  • Changes to all system components in the production environment are made according to established procedures (6.5.1)
    Manage the addition, deletion, and modification of user IDs, authentication factors, and other identifier objects (8.2.4 – 8.2.6)
  • Implement controls to limit access to and protect audit logs (10.3.1 – 10.3.4)
  • Configure systems to ensure accurate and synchronised time (10.6.1 – 10.6.3)
  • Designated personnel to be available for 24*7 incident response (12.10.3)

Future-dated

  • Implement automated mechanisms to detect and protect against phishing attacks, include phishing and social engineering in security awareness training (5.4.1, 12.6.3.1)
  • Additional requirements for multi-factor authentication (MFA) (8.4.2, 8.5.1)
    • MFA to be implemented for all access into the CDE.
    • Configure MFA systems to ensure they are not susceptible to replay attacks, cannot be bypassed by any users without authorization, use at least two different types of authentication factors and grant access only after all authentication factors are successful.
  • Review user accounts and related access privileges, including third-party/vendor accounts,
    at least once every six months (7.2.4)
  • Manage application and system accounts (7.2.5, 8.6.1, 8.6.2, 8.6.3)
  • Implement automated mechanisms to perform audit log reviews (10.4.1.1)
  • Perform targeted risk analyses to determine the frequency a requirement is performed (12.3.1)
    • Applicable to Requirements 5.2.3.1, 5.3.2.1, 8.6.3, 10.4.2.1