What changes are applicable to SAQ SPoC

The new SAQ SPoC is very similar to the SAQ P2PE, with only one additional requirement: authentication of the users of the merchant's mobile device (e.g. a PIN, or a biometric such as FaceID).

The SAQ SPoC includes 22 new requirements. 21 are effective immediately and 1 requirement is future-dated. The most significant of the new requirements are highlighted below.

Effective Immediately

  • If the merchant has paper storage with account data:
    • Security policies and operational procedures for managing the secure storage of any paper records with account data (3.1.1)
    • Data retention and disposal policies and procedures to ensure account data storage is kept to a minimum, incl. no retention of the card verification codes post-authorization (3.2.1, 3.3.1.2)
    • Security policies and operational procedures to physically secure all media with cardholder data, including secure storage of offline media backups and secure disposal (9.1.1, 9.4.1, 9.4.1.1, 9.4.6)
  • Authentication of the users of the merchant’s COTS mobile device, e.g. passphrase, PIN or biometric such as FaceID (8.3.1)
  • Protect Secure Card Reader-PIN (SCRP) devices from tampering and unauthorized substitution (9.5 incl. all sub-requirements)
  • Information security policy and security awareness program to ensure personnel are aware of the security policies, procedures and their role and responsibilities (12.1, 12.1.1, 12.1.3, 12.6.1)
  • Manage relationships with third-party service providers (12.8.1 – 12.8.5)
  • Documented incident response plan ready to be activated in the event of a suspected or confirmed security incident (12.10.1)

Future-dated

  • Data retention and disposal policies and procedures to cover any Sensitive Authentication Data stored pre-authorization (3.2.1)