thePCI Portal

New SAQs and guidance PCI V3.1

... light at the end of the SAQ A web server security tunnel ...

As of April 24th, there are new SAQs for PCI DSS v3.1. This includes a new document titled "SAQ Instructions and Guidelines v3.1" and a revision to the May 2014 document titled "Understanding SAQs for PCI DSS v3".

A little more fuel for the SAQ A vs SAQ A-EP fire is included, so I updated the list of supporting info in the "SAQ A vs A-EP – lots of links" post. SAQ A is good for iFrames and redirects; SAQ A-EP includes the controls for the web server.

It looks like there might be a small mistake in the SAQ A-EP eligibility criteria. Although the council removed this from the table in the "Understanding the SAQs for PCI DSS v3" doc, it was not removed from the criteria for SAQ A-EP v3.1:
“Your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor;”

When consumers are redirected, the merchant appears to be clearly within SAQ A, so this criterion might be reworded. I can see more evolution coming here in the future, and light at the end of the tunnel.
