In the last installment of the blog covering policy, we discussed SAQ A. The Self-Assessment Questionnaire (SAQ) A is designed for merchants who have outsourced essentially everything to a PCI compliant third party, and all payment pages are served from that entity.
But what if you need to provide some data elements such as transaction-tracking values, graphics, or a unique value within the payment page? This is where we now look at the requirements within the SAQ A-EP as well as the SAQ A-EP policy.
SAQ A-EP is for those merchants who have outsourced all processing of their cardholder data to a PCI compliant third-party processor (just the same as in SAQ A); however, not all elements of the payment page are provided by that service provider. If you are providing data into the payment page as part of your online payment process, but have no other interaction with cardholder data, SAQ A-EP may be the right SAQ for you.
Why is this the case? If your payment page is compromised at the point where you are providing data into it, then your activity has impacted the payment security process. Because of this interaction and its ability to impact the payment flow, you will find that there are a significant number of technical controls required, above those of an SAQ A.
Eligibility Requirements for SAQ A-EP
To be able to validate against SAQ A-EP, the organization must be able to affirm the following items.
- You are validating as a merchant. If you are a Service Provider, you will need to validate with an SAQ D or with a Report on Compliance (ROC). Remember, the SAQ A-EP will only cover the merchant aspect of your organization, if you are both a merchant and a service provider.
- Your Acquiring entity will accept you validating using the SAQ A-EP validation instrument. Remember, it’s your acquiring bank that determines your merchant levels and validation instruments. If you have any questions, please reach out to your contact; they will be happy to assist you.
- Your company ONLY accepts card-not-present transactions. Card-not-present means e-commerce or mail-order/telephone-order transactions.
- Your website payment page is hosted by a third-party provider. Your service provider will validate against all applicable controls.
- Each element of the payment page that is delivered to the consumer’s browser originates from either your website or a PCI DSS compliant service provider. This is where things differ from the SAQ A. In SAQ A, all elements of the payment page must originate from the PCI DSS compliant service provider.
- Your Payment Processor is PCI DSS Compliant. As part of your due diligence, you can ask them for a current Attestation of Compliance (AOC) for the services that they are providing you. When you review their AOC, make sure that the scope of the document clearly defines those services you are consuming. Also, keep in mind that you will need to validate they are compliant annually as well.
- Your company does not ELECTRONICALLY store, process, or transmit cardholder data on its systems or premises. All of this must be outsourced to a PCI compliant service provider as noted in item 4 above.
- You do not store electronic cardholder information and do not receive it electronically. However, you can store it in a printed or written format.
If your organization cannot confirm each and every one of the items above, you will need to validate your compliance with something other than SAQ A-EP.
Understanding SAQ A-EP
If you are subject to SAQ A-EP, you will notice that you have obligations in every one of the 12 PCI DSS Domains. The primary intention of these requirements is to protect the systems that could allow a compromise of that cardholder data flow.
Requirement 1: Secure the network
Requirement 2: Secure your systems
Requirement 3: Ensure you are not storing prohibited data
Requirement 4: Secure the data in transmission
Requirement 5: Make sure systems are free of malware
Requirement 6: Ensure software is managed and created in a secure way
Requirement 7: Only provide access to systems on an as needed basis
Requirement 8: Maintain secure authentication
Requirement 9: Protect any media that has cardholder data and ensure proper destruction methods
Requirement 10: Maintain a secure logging and log review program
Requirement 11: Keep systems free of vulnerabilities through constant validation
Requirement 12: Maintain policy and procedures to manage your systems
Please click here to download and review the individual requirements of the SAQ A-EP as well as the formal PCI DSS qualification requirements.
Getting Started with Your SAQ A-EP Policy
This post is part of a series of blogs, each of which includes a free PCI policy template that you can use to meet your compliance efforts. However, please note that you will still have to develop your own procedures and standards to meet the obligations documented in your policy.
The policy template I am sharing here covers merchants validating their compliance using SAQ A-EP.