SAQ Validation Type / Criteria / # of Questions v3.0 / Change # from v2.1 / ASV Scan Required v3.0 / Penetration Test Required
V3.0
A / Card-not-present merchants
Merchant website is 100% hosted and managed by a PCI-compliant, 3rdparty payment processor, OR
No elements of the page originate from the merchant website.
No Electronic cardholder data storage / 14 / +1 / No / No
NEW
A-EP / Card-not-present merchants:
Merchant website creates a payment form and “direct posts” payment data to PCI-compliant, 3rd party payment processor, OR
Some elements of the payment page originate from the merchant website
No electronic cardholder data storage / 139 / NEW / Yes / Yes
B / Merchants with only standalone analog dial-out payment terminals:
No e-commerce transactions or electronic cardholder data storage / 41 / +12 / No / No
NEW
B-IP / Merchants with standalone, IP-connected payment terminals
No e-commerce or electronic cardholder data storage / 83 / NEW / Yes / No
C / Merchants with payment application systems connected to the Internet:
No e-commerce transactions or electronic cardholder data storage / 139 / +59 / Yes / Yes
C-VT / Merchants with web-based virtual payment terminals
No e-commerce transactions or electronic cardholder data storage / 73 / +22 / No / Yes
D-MER / E-commerce merchant that cannot meet the criteria for SAQ A or SAQ A-EP, OR
E-commerce merchant that stores credit card data, OR
Payment pages are delivered from the merchant’s website. / 326 / +38 / Yes / Yes

PCI Compliance 3.0

Updates to Requirements
Penetration Testing Required for SAQ A-EP, C, C-VT and D
  • Cash Management & HUIT IT Security has negotiated pricing with Trustwave for penetration testing.TECHNICAL UPDATE
  • Merchants will be responsible for the cost of penetration testing.

Anti-Virus Requirement Updates – SAQ A-EP, C, C-VT and D – Requirement #5 TECHNICAL UPDATE
  • 5.3 New requirement - Anti-virus solutions must be actively running and cannot be disabled or altered.

Log Review Updates – SAQ A-EP, C, C-VT and D – Requirement #10TECHNICAL UPDATE
  • Audit trails should be implemented to link access to system components to each individual user, in addition to establishing a process.
  • All individual user access to cardholder data is to be included in audit trails.
  • Log reviews should identify anomalies or suspicious activity, and logs should be reviewed daily.

Cardholder Data Updates – SAQ A-EP, C, C-VT, and D – Requirement #3TECHNICAL UPDATE
  • Clarification of sensitive authentication data in memory is to be protected and documented.

Point-of-Sale Devices – SAQ B, B-IP, C and D – Requirement # 9BUSINESS PROCESS UPDATE
  • Protect devices that capture payment card data via physical tampering and substitution of credit card.
  • Maintain list of devices and periodically inspect devices for tampering.
  • Train personnel to be aware of suspicious behavior and to report tampering or substitution of devices.

Managing Service Providers – All SAQs – Requirement #12BUSINESS PROCESS UPDATE
  • 12.8.5 New Requirement – Document which PCI DSS requirements are managed by each service provider, and which are managed by the merchant.
  • 12.9 New Requirement - Service providers provide the written acknowledgement to their customers of services provided and security of card data.

SAQ UpdateBUSINESS PROCESS UPDATE
  • Merchants accepting credit cards using multiple payment channels must complete multiple SAQs addressing each payment environment.

PCI 3.0 Boot Camp-March 2015