PCI DSS v3.2 and the impact to SAQ types

PCI DSS v3.2 and the impact to SAQ types

In a previous article we provided a quick guide to PCI DSS v3.2 to assist you with navigating the updated standard, if you haven’t read it yet we encourage you to do so. In this follow-up article, we examine what are the impacts that v3.2 brings to the various SAQ types.


Webpage URL

Find out more about our PCI DSS compliance services by clicking the button below


The impact on SAQ’s

The SAQ’s affected by the new standard and the fundamental changes are as follows: SAQ’s A, A-EP, C-VT and C have more questions, however SAQ B-IP and P2PE have fewer questions. The reason for the SAQ A and SAQ A-EP changes are related to e-commerce websites being increasingly targeted, as a result additional protection is required by these merchant types. The changes made to the SAQ A and to SAQ A-EP address these challenges. In the case of SAQ A, the PCI Security Standards Council acknowledges that merchant web servers using a redirect to, or using an iframe of a hosted payment page are being targeted by hackers. The inclusion of the new requirements is to address the misconception that an e-commerce website that does not come into direct contact with their customer’s payment card does not need to be protected.


The next greatest impact of v3.2 is on SAQ C. Most of the additions relate to Requirement 8 around user authentication and access controls. The focus is on ensuring that the log and audit trails will give the ability to track user activity to an accountable individual.


Deeper insight

We have created a downloadable fact sheet that explains in further detail and provides deeper insight into the impacts that version 3.2 of PCI DSS has on SAQ types. Simply fill out your details below to download the fact sheet.


Download the Fact Sheet

* indicates required