
First problem: your PCI DSS 4.0 is based on the ‘prioritized approach’;

361 questions.

https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Supporting%20Document/Prioritized-Approach-For-PCI-DSS-v4-0.pdf

 

Basically useless. And I do 3 or 4 PCI readiness audits a year (and I can’t use controlmap,

Example: if a client needs to be pci compliant, and can use the SAQ A, there are only 22 controls.

So if I ask the client to go through the 360 questions and mark 338 of them as ‘out of scope’, they will compare me to... OK, Bozo the Clown.

How to fix? Don’t know. You would need to tag each control with the SAQ that requires it, and let us mark ‘all out of scope except’ these tags.

Here is the list:

 

The number of questions in each PCI Self-Assessment Questionnaire (SAQ) varies based on the SAQ type. Here's a breakdown of the number of questions per SAQ type:

  1. SAQ A: ~22 questions
    This SAQ is for merchants who have fully outsourced all cardholder data functions to third-party service providers.

  2. SAQ A-EP: ~191 questions
    For e-commerce merchants who outsource all payment processing but manage their own website that does not receive cardholder data.

  3. SAQ B: ~41 questions
    For merchants using imprint machines or standalone dial-out terminals.

  4. SAQ B-IP: ~82 questions
    For merchants using standalone payment terminals connected to the internet.

  5. SAQ C: ~160 questions
    For merchants with payment systems connected to the internet but not storing cardholder data.

  6. SAQ C-VT: ~72 questions
    For merchants using virtual terminals only.

  7. SAQ D (Merchants): ~329 questions
    For merchants who do not outsource all their payment processing.

  8. SAQ D (Service Providers): ~360 questions
    For service providers managing cardholder data on behalf of merchants.

 

Thanks for bringing this up. I believe we went through this together on a call, reviewing the scoping of PCI content embedded in the framework. Can review together and possibly enhance further as needed.

