first problem, your pci dss 4.0 is based on the ‘prioritized approach;’
361 questions.
Basically useless. and I do 3 or 4 PCI readiness audits a year (and I can’t use controlmap,
Example: if a client needs to be pci compliant, and can use the SAQ A, there are only 22 controls.
So if I ask the client to go through the 360 questions and mark 338 of them as ‘out of scope’ they will compare me to.. ok, bozo the clown.
how to fix? don’t know. you would need to tag each control with the SAQ that requires is, and let us mark ‘all out of scope except’ these tags.
here is the list:
The number of questions in each PCI Self-Assessment Questionnaire (SAQ) varies based on the SAQ type. Here's a breakdown of the number of questions per SAQ type:
-
SAQ A: ~22 questions
This SAQ is for merchants who have fully outsourced all cardholder data functions to third-party service providers. -
SAQ A-EP: ~191 questions
For e-commerce merchants who outsource all payment processing but manage their own website that does not receive cardholder data. -
SAQ B: ~41 questions
For merchants using imprint machines or standalone dial-out terminals. -
SAQ B-IP: ~82 questions
For merchants using standalone payment terminals connected to the internet. -
SAQ C: ~160 questions
For merchants with payment systems connected to the internet but not storing cardholder data. -
SAQ C-VT: ~72 questions
For merchants using virtual terminals only. -
SAQ D (Merchants): ~329 questions
For merchants who do not outsource all their payment processing. -
SAQ D (Service Providers): ~360 questions
For service providers managing cardholder data on behalf of merchants.