I had a question this week regarding v3.2 of SAQ A that pointed out some changes to that SAQ which people may not have noticed, given the larger issues with the changes to the PCI DSS. As a reminder, SAQ A carries the fewest PCI DSS requirements with which any in-scope organization can comply.
The requirements added to SAQ A are:
- 2.1(a) – Are vendor-supplied defaults always changed before installing a system on the network?
- 2.1(b) – Are unnecessary default accounts removed or disabled before installing a system on the network?
- 8.1.1 – Are all users assigned a unique ID before allowing them to access system components or cardholder data?
- 8.1.3 – Is access for any terminated users immediately deactivated or removed?
- 8.2 – In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users?
- 8.2.3(a) – Are user password parameters configured to require passwords/passphrases meet the following?
- 8.5 – Are group, shared, or generic accounts, passwords, or other authentication methods prohibited?
- 12.10.1(a) – Has an incident response plan been created to be implemented in the event of system breach?
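Most of these added controls can be checked against the user-account inventory a merchant keeps for its outsourced payment portal. The following is an added example, not code from the original post or from the PCI SSC: it audits a constructed sample inventory against 2.1(b), 8.1.1, 8.1.3 and 8.5. The record fields (`owner`, `terminated_on`, `is_vendor_default`) and the sample accounts are assumptions made for the illustration; the password-parameter check for 8.2.3 is left out because its specifics are not listed above.

```python
"""Audit a merchant's account inventory for an outsourced payment portal
against the SAQ A v3.2 controls listed above (added example, not from the
original post; field names and sample data are constructed assumptions)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Account:
    user_id: str                     # login ID on the outsourced portal
    owner: str                       # named person, or "shared" for group/generic accounts
    enabled: bool                    # can the account currently log in?
    terminated_on: Optional[date]    # employment end date, if the person has left
    is_vendor_default: bool          # account shipped by the vendor/service provider


# Constructed sample inventory for a chargeback/dispute portal.
SAMPLE_ACCOUNTS = [
    Account("jdoe", "Jane Doe", True, None, False),
    Account("bsmith", "Bob Smith", True, date(2016, 5, 1), False),  # left, still enabled
    Account("disputes", "shared", True, None, False),                # generic team account
    Account("admin", "vendor", False, None, True),                   # vendor default, disabled
    Account("support", "vendor", True, None, True),                  # vendor default, active
    Account("jdoe", "John Doe", True, None, False),                  # same ID, second person
]


def audit(accounts: List[Account], today: date = date(2016, 6, 1)) -> List[Tuple[str, str, str]]:
    """Return (requirement, user_id, finding) tuples for each control violation."""
    findings = []
    seen_owner = {}  # user_id -> first owner observed, for the unique-ID check
    for a in accounts:
        # 2.1(b): vendor-supplied default accounts must be removed or disabled.
        if a.is_vendor_default and a.enabled:
            findings.append(("2.1(b)", a.user_id, "vendor default account still enabled"))
        # 8.1.1: every user needs a unique ID; the same ID for two people fails.
        if a.user_id in seen_owner and seen_owner[a.user_id] != a.owner:
            findings.append(("8.1.1", a.user_id,
                             f"ID used by both {seen_owner[a.user_id]} and {a.owner}"))
        seen_owner.setdefault(a.user_id, a.owner)
        # 8.1.3: terminated users must be deactivated or removed immediately.
        if a.terminated_on is not None and a.terminated_on <= today and a.enabled:
            findings.append(("8.1.3", a.user_id,
                             f"terminated {a.terminated_on} but still enabled"))
        # 8.5: group, shared or generic accounts are prohibited.
        if a.owner == "shared" and a.enabled:
            findings.append(("8.5", a.user_id, "group/generic account in use"))
    return findings


if __name__ == "__main__":
    for req, uid, why in audit(SAMPLE_ACCOUNTS):
        print(f"{req:7} {uid:10} {why}")
```

Run against the sample inventory it reports four findings: the enabled vendor `support` account (2.1(b)), the `jdoe` ID shared by two people (8.1.1), the still-enabled terminated user `bsmith` (8.1.3) and the generic `disputes` account (8.5); the disabled `admin` default passes. The same shape of check, fed from the portal's real user export, gives a merchant evidence for these SAQ A questions even though the system itself is run by the service provider.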
Even when a merchant outsources all of its card processing, these controls can still apply because, in many cases, the merchant is responsible for the setup, management and maintenance of its outsourced payment processes and applications.
In addition, merchant employees will also interact with an outsourced payment system to handle chargebacks and disputes. The user accounts in that outsourced environment will normally be managed by someone at the merchant, not necessarily by the service provider.
With regard to incident response, the merchant will be involved even when it has totally outsourced its payment environment. The merchant will work with its outsourcer through an incident, and the merchant's responsibilities in that process need to be documented.
As a result, the addition of these controls should not be a surprise to anyone.