It is easy for time to get away from you, especially when it comes to transitioning to new compliance standards and their deadlines. On March 31, 2024, the era of PCI DSS v3.2.1 comes to an end, and v4.0 takes effect on April 1. Under the new version, SAQ A merchants must implement an expanded set of 31 controls, up from the 24 mandated by the previous version, reflecting a more rigorous approach to compliance and security. New requirements include stronger password settings, script and code integrity verification for payment pages, and quarterly ASV scans, which were not previously required of SAQ A merchants and represent a significant change in their compliance obligations.
What is a SAQ A Merchant?
A SAQ A merchant is a business that outsources all cardholder data functions to PCI DSS compliant third-party service providers (TPSPs) and does not handle, process, or store cardholder data on its own systems or premises. This includes organizations that outsource their eCommerce environment (through a fully outsourced solution, a URL redirect, or an iFrame) to third-party service providers, using the provider's hosted web pages to capture cardholder data so that the merchant's own systems never receive sensitive payment information.
SAQ A merchants can implement a full-site redirect for payments by sending the customer from the merchant website to a hosted payment page provided by a PCI DSS compliant third-party payment processor, where the customer enters their payment information. This approach minimizes the merchant's PCI DSS compliance obligations while keeping the transaction process secure.
SAQ A merchants might also use an iFrame, an HTML element that embeds another web page within the merchant's page. This lets the third-party payment form appear seamlessly integrated with the merchant's checkout while the card fields themselves are served from, and submitted directly to, the compliant payment processor. Because the frame is loaded from the processor's origin, the browser's same-origin policy prevents the merchant's own page scripts from reading those fields. The merchant page that hosts the iFrame still decides where the frame points, which is why, as discussed below, that page remains in scope.
What is Different in the SAQ A?
The PCI SSC added considerably more guidance, including SAQ completion guidance, in v4.0. In the SAQ A, you will notice that the PCI SSC added notes to Requirements 2, 6, 8 and 11 explaining where these requirements are expected to apply:
“Note: For SAQ A, Requirement 11 applies to merchant web servers that host the page(s) that either 1) redirects customers from the merchant website to a TPSP/payment processor for payment processing (for example, with a URL redirect) or 2) includes a TPSP’s/payment processor’s embedded payment page/form (for example, an inline frame or iFrame).”
The SAQ A now states clearly, in several places, that when a merchant uses a URL redirect or an iFrame to hand customers off to a third-party service provider, the merchant's web servers hosting that redirect or embedded form are in scope for the merchant's compliance.
What are ASV Scanning Requirements?
The purpose of the new ASV scanning requirement for SAQ A merchants is to ensure that external vulnerability scans are performed by an Approved Scanning Vendor (ASV). An up-to-date list of approved vendors is available on the PCI SSC website. Note that inclusion on the list only indicates that the ASV has met all PCI requirements to perform external vulnerability scans; it is not an endorsement of the vendor.
Under Requirement 11.3.2, scans must be performed at least quarterly, and identified vulnerabilities must be resolved, with rescans performed as needed, until the ASV issues a passing scan in accordance with the ASV Program Guide. Refer to the official PCI SSC documentation for the full ASV scanning requirements.
Also note that the "Description of Timeframes Used in PCI DSS Requirements" in PCI DSS defines quarterly as at least once every 90 to 92 days, or on the nth day of each third month. In practice, schedule each scan early enough in the quarter to leave time for remediation and a passing rescan before the window closes.
Act Now if You Haven’t Already
Proactively addressing the new PCI DSS v4.0 requirements is essential, as delayed action can complicate compliance efforts, especially since vulnerabilities identified during scans must be resolved by set deadlines. Managing the ever-evolving landscape of regulatory compliance adds complexity to operating a business. At HALOCK Security Labs, compliance is our business, and we have a team of PCI DSS experts ready to assist in navigating the requirements and deadlines of PCI DSS v4.0. Reach out today to ensure your readiness for the new era of PCI compliance.
KEEPING YOU INFORMED – HALOCK SECURITY BRIEFING FOR CLIENTS
The HALOCK Security Briefing is a review of significant events, trends, and movements that will influence how you manage cybersecurity, risk, and compliance. Our clients receive periodic overviews with an extensive report file on the topics discussed. This insightful document also includes reference links throughout the report for easy navigation and deeper research.