Assessor Newsletter - October 2023
October 2023
In this Issue:
• FAQ #1331: Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?
• Participation Opportunities
• Training
Hello, Assessors!
The Assessors and the Participants of the PCI community are among the finest people in the world. They truly are genuine, concerned,
wise, and kind. What an honor to be a part of such a longstanding organization whose mission is to keep information true and secure.
In a discussion recently, the comment “What do you do?” was asked. Putting the standard answer aside I said, “my goal is to be the best
When I ask those in the data security community, “what do you see that can be improved in your focus for keeping data secure?”, I get all
kinds of comments and suggestions but the one that sits with me longest is “how can we make MULTI-FACTOR AUTHENTICATION as
common as username/password?”
Indeed, MFA won’t solve all of the world’s problems, but it seems to be a powerful step for the masses. If a vast number of users would
adopt MFA there would be a noticeable change in the security of payment data. Keeping data protected is easy; keeping data secure is
altogether a different challenge. Think about it and please accept the challenge.
Wen Free
We invite you and your colleagues to attend the 2023 PCI SSC Asia-Pacific Community
Meeting! Learn more about the latest updates and technologies in the payment card industry,
network with industry colleagues, and connect with the vendors and sponsors.
You won't want to miss our inspiring keynote speaker Khoo Swee Chiow and other great sessions
including:
• PCI SSC - Where We Are Going And How We Are Getting There
vendor showcase or become an exhibitor. Be sure to book your hotel soon as rooms are filling
quickly.
Did you know this event is open to the entire payment card industry? Let your payments
industry colleagues know they are welcome to attend, even if they are not a PCI SSC stakeholder.
In an effort to help connect the industry, the PCI SSC has launched a new PCI Community Job
Board. Designed to be a centralized resource, the new website offers a way to make it easier for
the payment industry to advertise its available jobs, while also creating an easy-to-use platform for
The PCI Community Job Board is open to all companies and professionals involved in all sectors
Help Improve the PCI SSC Mobile App by Taking a Quick Survey!
Did you know that PCI SSC has a mobile app? Whether you’ve used it yet or not, we want to hear
from you so that we can continue to make the mobile app a valuable resource. We invite you to
take a brief survey about your current mobile application usage and preferences. We value your
feedback and are always seeking ways to improve the user experience.
Ruth Barra knows that when you enter a career in technology, you will never know everything. You
are, in fact, signing up for a lifetime of learning. However, one of the most important aspects of
lifelong learning is having the benefit of mentorships. In this edition of our blog, Ruth explains how
the sharing of knowledge and lessons learned can have a significant impact on both the mentor
Coffee with the Council Podcast: A Panel Discussion from India featuring Nitin Bhatnagar
In this episode of Coffee with the Council, PCI SSC Regional Director of India and South Asia Nitin
Bhatnagar hosts a panel discussion about the latest trends and challenges in India’s payment
landscape with two prominent leaders from the payment industry, Ms. Anuprita Daga, CISO, YES
BANK and Mr. Avs Prabhakar, Chief Risk and Compliance Officer, Zeta.
It should be noted that while the PCI SSC portal does require the completed Appendix A to be
submitted with fields unlocked, that rule does not apply to the copies you may send to the Payment
Brands along with your final report. In fact, in most cases, it is preferred to completely lock down
the version sent to the Payment Brands without any fields editable – please contact the affected
payment brand(s) for their specific requirements.
Should you have any questions related to this request, please do not hesitate to reach out to the
PCI SSC would like to thank everyone who participated in the Secure Software Lifecycle (Secure
SLC) v1.1 RFC. The RFC, which ran from 15 August to 15 October, produced over 125 individual
comments from 12 different organizations. Each feedback item will be evaluated and considered
An RFC on the currently published version of the Secure Software Standard (version 1.2.1) is also
PCI SSC recently held its second of two planned SSF Assessor Roundtable sessions at the
Community Meeting in Dublin. Like the first SSF Assessor Roundtable session at the NACM in
Portland, the EUCM session was well attended and represented. PCI SSC plans to present a
summary of the discussion and feedback received during both sessions at the Q4 2023 SSF
SAQ A-EP has been updated to remove the erroneous SAQ Completion Guidance at Requirement
11.6.1, as it is not applicable to SAQ A-EP merchants. The updated document, PCI DSS v4.0 SAQ
New:
consumer’s device (for example, a smartphone, tablet, or laptop) and is used to accept
payment account data, can the organization store card verification codes for those
consumers?
Updated:
• FAQ 1280 – Can card verification codes be stored for card-on-file or recurring transactions?
• FAQ 1283 – How do PCI standards apply to organizations that develop software that runs
• FAQ 1089 – How can hashing be used to protect Primary Account Numbers (PAN) and in what circumstances can hashed PANs be considered out of scope for PCI DSS?
What is pre-screening? Program Managers perform an initial quality check of the submission for
consistency, completeness, and accuracy prior to sending the listing on to AQM for review. The
pre-screening process helps ensure that all required documentation has been included and the
submission requirements have been satisfied. More information about pre-screening can be found
Vendor Listing Submission reviews could be expedited by reducing errors in the initial
submissions. Please review and consider the following common misses or errors identified during
the pre-screening process. Be sure to incorporate a check for these into your internal QA
Processes:
• Consistency between the Portal and the listing documentation, e.g., ROV, ROC, P-ROV,
  o Date of Report in the ROC, ROV, or P-ROV should match the Report of Completion Date in the Portal and the Report date in the AOV
  o Dependencies
• The version of the applicable Standard must be consistent in the Portal and the assessment
• Signatures, signatures, signatures! Per FAQ 1481, Attestation documents, including AOCs, AOVs, and program-related attestations that are provided by the PCI SSC, require an assessor’s signature
Note: Acceptable forms of signature currently are wet signature (performed with ink) or PCI SSC-
ESIGN Act, the Uniform Electronic Transactions Act (UETA), or European Union Regulation NO
With your help, submissions can complete the pre-screen process more expeditiously.
Each Self-Assessment Questionnaire (SAQ) was created to support the assessment of a specific
type of environment, depending on how the entity stores, processes, and/or transmits payment
account data. The Self-Assessment Questionnaire Instructions and Guidelines v4.0 has been
recently updated and published in the Document Library on the PCI SSC website.
With PCI DSS v4.0, there is a new SAQ as well as clarified eligibility criteria for existing SAQs.
Organizations will need to review the eligibility criteria to understand which SAQ is right for them.
For example, the new SAQ may be better aligned with an organization’s particular environment
than the SAQ used previously. Similarly, an organization that previously completed one type of
SAQ under PCI DSS v 3.2.1 will need to review the updated eligibility criteria for that SAQ to
The intent of the eligibility criteria is to ensure that the environment is properly scoped and is
suitable for validation against the subset of PCI DSS requirements contained in the SAQ.
Environments not meeting the criteria will not be eligible for assessment against the particular
SAQ, as they will likely be subject to additional or all PCI DSS requirements.
Please ensure Merchants consult with their acquirer (merchant bank) or the payment brands
MUST include details in ROC Section 3.1 documenting how it was determined the assessed
merchant meets ALL eligibility criteria for the applicable SAQ. Please refer to the recently updated
FAQ 1331 for additional details regarding using SAQ eligibility criteria for determining applicability
For additional information regarding SAQ eligibility criteria, please refer to the following PCI SSC
published guidance:
• FAQ 1331 (recently updated): Can SAQ eligibility criteria be used for determining
Compliance?
• SAQ Instructions and Guidelines (recently updated) available in the Document Library
The following diagram is from the PCI DSS Self-Assessment Questionnaire Instructions and
Guidelines, v4.0 published September 2023 available in the Document Library on the PCI SSC
website.
Please note: SAQ D for Service Providers is the ONLY SAQ option for SAQ eligible service
providers. A service provider undergoing assessment for services it offers cannot “meet the
eligibility criteria” of any SAQ except for SAQ D for Service Providers because that service provider
is not a merchant.
Merchants may use any SAQ, including SAQ D. Each SAQ defines specific criteria that must be
Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?
Service providers cannot use SAQ eligibility criteria to determine applicability of PCI DSS
requirements for assessments documented in a Report on Compliance. The only acceptable SAQ
for service providers is SAQ D for Service Providers. All other SAQs are intended for merchant use
only.
Merchants with environments that fully meet all the eligibility criteria defined in a particular SAQ
may use that SAQ as a reference to identify the applicable PCI DSS requirements for that
environment. This approach must be clearly documented in “Description of Scope of Work and
• For each criterion, document how the assessor verified that the merchant environment
For PCI DSS v4.0, this approach is documented as specified in ROC Section 3.1.
The assessor will need to perform appropriate testing and validation to verify the non-applicability
of any PCI DSS requirements. As an example: If an e-commerce merchant has a webserver using
a URL redirect to a PCI DSS compliant third-party payment processor, the assessor will need to
verify that the merchant environment, including redirection method and the configuration of the
webserver, meets all the eligibility criteria for SAQ A before they can consider using that SAQ for
guidance. This would include verifying that the merchant accepts only card-not-present
transactions, does not electronically store, process, or transmit any account data on its systems or
premises, that all processing of account data is entirely outsourced to PCI DSS validated third-party service providers, and that all the other eligibility criteria for SAQ A are met.
Any PCI DSS requirements verified by the assessor to be not applicable should be reported as
“Not Applicable” in accordance with instructions in the Report on Compliance (ROC) Template.
Assessors should refer to the ROC Template and ROC Template FAQs for the version of the
If an environment meets some but not all eligibility criteria for a particular SAQ, then the SAQ
Merchants and service providers should always consult with their compliance accepting entity—
such as their acquirer (merchant bank), payment brand, or other entity—to confirm their PCI DSS
validation and reporting method. If a detailed assessment and ROC is the appropriate method,
merchants meeting the eligibility criteria from an SAQ should also confirm that the approach
outlined above is acceptable. Contact information for the payment brands can be found in FAQ
Participation Opportunities
Participating Organizations (which includes Affiliate Members) and Qualified Security Assessor
Companies with a significant presence* in Brazil that are in good standing** have an opportunity to
provide regional and industry expertise to the PCI SSC as a member of the Brazil Regional
Engagement Board. Brazil Regional Engagement Board members will serve as advisors to the PCI
SSC on payment data security issues in Brazil and represent the perspectives of PCI SSC and
industry stakeholders in your region. Consider nominating yourself or someone from your
organization for the PCI SSC Brazil Regional Engagement Board. The nomination period opens on
1 November 2023.
** Good standing means, with respect to a given PCI Program, being in compliance with the
PCI SSC Community Meetings bring together the brightest minds in payment security. Don’t miss
your opportunity to collaborate and learn about the latest developments in global payment security
and in the PCI Security Standards this year in Kuala Lumpur, Malaysia.
The PCI SSC Community Meetings are open to all in the payments industry. We invite you to
1. Grow Your Connections: These events are a perfect place to network with colleagues
face-to-face, meet new industry members, and chat with members of the Council!
2. Gain Valuable Industry Insights: This year’s packed agendas offer terrific opportunities
to gain knowledge on industry updates, trends, and standards. Your attendance allows
you to bring meaningful solutions and ideas back to your own organization!
3. Attend a Training: Make the most of your experience and attend one of our several
4. Get Your Unique Questions Answered: A prime benefit of attending the Community
Meetings is having 1 on 1 access to PCI SSC executives and card brands. Ask questions
about your unique environment in one on one conversations with the experts that know
5. Generate Leads and Boost Brand Visibility: Face-to-face interaction cannot be beat
when it comes to networking! Whether you are staffing a booth, or just visiting, the Vendor
Showcase is a great way to build lasting business relationships and view product
demonstrations, services and solutions!
There are only 3 spaces left in the Asia-Pacific Community Meeting Vendor Showcase! Exhibitors
select their booth location in the order in which they sign-up. Be sure to visit our website to reserve
your spot in the Vendor Showcase. Limited space is available, be sure to secure your booth space
soon!
• Networking Break - Provide a raffle prize and supply attendees with branded gifts during
the sponsored break. The raffled prize is announced through the mobile app.
• Wellness Sponsor - Give attendees the opportunity to step away to relax and unwind
with comfortable seating, low lighting, and relaxing music right in the Vendor Showcase
Hall. - NEW
Download our 2023 PCI SSC Sponsorship Prospectus to review all of the sponsorship
opportunities.
Training
Assessor (ISA) training in the Asia-Pacific region. These trainings will be delivered by a PCI SSC
industry expert where you will have the opportunities to interact with other industry experts as well
Maximize your training and travel budgets when you take training in Malaysia and attend the 2023
ISA Training:
Date: 9 - 10 November
Time: 9:00 - 17:30 GMT
QSA Training:
Date: 13 - 14 November
QSA Training:
Date: 27 - 28 November
ISA Training:
Date: 29 - 30 November
Knowledge Training. These training courses are designed to bridge the knowledge gap between
organizations and assessors by helping learners speak the same language as the Assessor. In
doing so, learners will be able to guide their organization through an assessment and any pre-work
and work alongside the Assessor during an engagement, making for a much smoother, more
efficient process for all involved. All P2PE, SSF, Card Production, 3DS and PIN assessor training
Learn more by watching a video interview with Tracey Long, VP of Programs, or by visiting the
The PCI SSC Working from Home Security Awareness Training course outlines many of the
threats and challenges of handling and securing payment account data within home offices and
remote working environments. This training also reinforces how following a PCI DSS compliant
organization’s information security policies and requirements can help ensure that payment
Geared to all audiences including executives, managers, as well as staff who are affected by PCI
DSS compliance requirements, this course is for anyone working from a home office or remote
office environments that may handle payment account data or could affect the security of those
Get your team trained together! We are pleased to offer all our PCI training programs in-person or
via eLearning with remote exam for organizations wishing to train their teams remotely. Corporate
PCI Security Standards Council, LLC 401 Edgewater Place Suite 600 Wakefield, MA 01880