Last week the PCI Council released the new Self Assessment Questionnaire version 1.2. We’ve spent a fair amount of time analyzing the new version so that we can report key changes to you. Overall, the changes aren’t significant, but it is clear that the PCI Council is starting to pay more attention to Level 4 merchants (as defined by VISA) by providing more clarity and flexibility in its questioning. And since we are exclusively focused on small and medium-sized merchants, we are pleased to see progress in this area. That’s not to say that there isn’t more work that needs to be done.

But, I digress. In this post I’ll highlight the most notable change, and then I will provide you with a link to access more comprehensive analysis.
The most notable change in SAQ 1.2 is the ability to select "Non-Applicable" for questions in the SAQ. Previously, only merchants qualifying for SAQ D (versus A, B and C) could respond to questions with "Special" and still achieve compliance. In this case their alternate answer was "Compensating Controls", which required that the spirit of the requirement still be met. The merchant was also required to fill out a large worksheet that detailed the specific compensating control employed by the merchant. With SAQ 1.2, merchants filling out SAQ A, B or C can indicate that a specific requirement is not applicable to their environment and then provide a brief explanation. For example, if a merchant is trying to answer question 9.7.2, “Is the media sent by secure courier or other delivery method that can be accurately tracked?”, and the merchant never sends media by courier, the merchant can indicate that information on the SAQ.
To access ControlScan’s complete analysis of the changes in SAQ version 1.2, please click on the following link: http://www.pcicomplianceguide.org/merchants-20081030-saq-version-1_2.php

I am also interested in hearing your thoughts on the latest changes. Please share your point of view by commenting on this post.
'Til next time,
Joan
The eSecurity Diva