Learn what businesses qualify for SAQ A-EP
SAQ A-EP merchants are e-commerce merchants who partially outsource their e-commerce payment channel to PCI DSS validated third parties and do not electronically store, process, or transmit any cardholder data on their systems or premises.
Who qualifies for the SAQ A-EP?
Here's what qualifies your business for SAQ A-EP:
- Your company accepts only e-commerce transactions;
- All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated third-party payment processor;
- Your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor;
- If your website is hosted by a third-party provider, that provider is validated to all applicable PCI DSS requirements (e.g., including PCI DSS Appendix A if the provider is a shared hosting provider);
- Each element of the payment page(s) delivered to the consumer’s browser originates from either the merchant’s website or a PCI DSS compliant service provider(s);
- Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions;
- Your company has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and
- Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically.
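The criterion about where each element of the payment page originates is the one most merchants find hardest to answer from memory, because a checkout page typically pulls in scripts, frames, images and stylesheets from several places. The following is an added example for this article (not code from SecurityMetrics or from the PCI SSC): it parses one snapshot of a checkout page, lists the origin of every element the browser would load or post to, and flags anything that comes from neither the merchant's own site nor an origin the merchant has confirmed belongs to a PCI DSS compliant provider. The page HTML, the domain names and the provider allowlist are constructed for illustration.

```python
"""Inventory where every element of a payment page comes from.

Added example (not code from the article's author): parse one snapshot of a
checkout page and flag any script, iframe, image, stylesheet, form target or
plugin whose origin is neither the merchant's own site nor an origin on the
merchant's list of confirmed PCI DSS compliant service providers.
All sample HTML, domain names and the provider list below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser load a resource or send data.
RESOURCE_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "link": ("href",),
    "form": ("action",),
    "object": ("data",),
    "embed": ("src",),
}


def origin_of(url):
    """Return scheme://host[:port] in lower case, or 'inline' for URLs with no
    remote host (data:, javascript:, about:), which load nothing from a third party."""
    parts = urlsplit(url)
    if not parts.netloc:
        return "inline"
    return f"{parts.scheme}://{parts.netloc}".lower()


class PaymentPageInventory(HTMLParser):
    """Collect (tag, attribute, origin) for every external reference on the page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.references = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if value:
                # Resolve relative and scheme-relative URLs against the page itself.
                absolute = urljoin(self.page_url, value.strip())
                self.references.append((tag, attr, origin_of(absolute)))


def check_payment_page(html, page_url, approved_provider_origins):
    """Return (inventory, violations).

    inventory  - every (tag, attr, origin) the page references
    violations - the subset whose origin is not the page's own origin, not
                 inline content, and not an approved provider origin
    """
    parser = PaymentPageInventory(page_url)
    parser.feed(html)
    parser.close()
    allowed = {origin_of(page_url), "inline",
               *(o.lower() for o in approved_provider_origins)}
    violations = [ref for ref in parser.references if ref[2] not in allowed]
    return parser.references, violations


# Constructed sample: a merchant-hosted checkout page using a hosted-fields
# script and an iframe from an (assumed) validated processor, plus two
# third-party resources nobody has vouched for.
SAMPLE_PAGE_URL = "https://shop.example.com/checkout"
APPROVED_PROVIDERS = {"https://pay.example-psp.com"}  # assumed PCI DSS compliant
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/static/checkout.css">
<script src="https://pay.example-psp.com/v1/fields.js"></script>
<script src="//analytics.example-tracker.net/tag.js"></script>
</head><body>
<form id="card" action="https://pay.example-psp.com/v1/tokenize" method="post">
  <iframe src="https://pay.example-psp.com/v1/frame"></iframe>
  <img src="data:image/svg+xml;base64,PHN2Zy8+" alt="lock">
  <img src="https://cdn.example-widgets.com/badge.png" alt="badge">
</form>
<script>window.checkout = {};</script>
</body></html>
"""


if __name__ == "__main__":
    inventory, violations = check_payment_page(
        SAMPLE_HTML, SAMPLE_PAGE_URL, APPROVED_PROVIDERS)
    for tag, attr, origin in inventory:
        print(f"{tag:6} {attr:6} {origin}")
    print()
    for tag, attr, origin in violations:
        print(f"UNAPPROVED {tag} {attr} -> {origin}")
```

On the constructed page the script only accepts the merchant's own origin, inline content and the assumed processor, so the analytics tag and the badge image are reported as unapproved; the `form` whose `action` points at the processor is the direct-post pattern in which the merchant's page controls where cardholder data is sent, which is exactly what places a merchant in SAQ A-EP rather than SAQ A. Two caveats: the check only sees the HTML it is given, so scripts that are injected at runtime by other scripts will not appear unless you run it against the rendered DOM, and an origin being on the allowlist is only meaningful if you have actually confirmed that provider's PCI DSS compliance, as the criteria above require.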
What's the difference between SAQ A and SAQ A-EP?
SAQ A-EP vs. SAQ A: many businesses confuse these two SAQs and wonder whether they are the same thing. They are similar in that both apply to e-commerce merchants that outsource the handling of cardholder data to a third party. But there are a few differences.
The biggest difference is that SAQ A applies to merchants whose payment page is delivered entirely by the PCI DSS validated third party (for example, a full redirect or an iframe served by the processor), so the merchant's website never touches cardholder data or the page that collects it. SAQ A-EP applies to merchants whose website also never receives cardholder data, but controls how that data is redirected to the PCI DSS validated third-party payment processor, for example by serving the payment page or the script that posts the card details directly to the processor. Because the merchant's web server now influences what runs in the customer's browser, SAQ A-EP has substantially more requirements than SAQ A.
SAQ A-EP questions
Here are a few questions you'll need to answer for this SAQ.
- Is there a formal process for approving and testing all network connections and changes to the firewall and router configuration?
- Is there a current diagram that shows all cardholder data flows across systems and networks?
- Are security parameter settings set appropriately on system components?
- Are only trusted keys and/or certificates accepted?
- Is antivirus software deployed on all systems commonly affected by malicious software?
- Are critical security patches installed within one month of release?
- Are all users assigned a unique ID before allowing them to access system components or cardholder data?
- Are all intrusion-detection and prevention engines, baselines, and signatures kept up to date?
- Is a security policy established, published, maintained, and disseminated to all relevant personnel?
Additional tips for filling out SAQ A-EP
Here are a few extra things to think about when filling out SAQ A-EP.
- Look into intrusion detection/prevention devices: these help you detect suspicious activity on the systems that serve your payment page and respond before it becomes a breach.
- Document everything: documented policies, change records, and an incident response plan help limit your liability, keep you organized, and give you the evidence an assessor will ask for.
Michael Simpson (QSA, CISSP, CCNP) is a Principal Security Analyst at SecurityMetrics and has been in the IT security industry for 15 years. He has a Bachelor of Science in Computer Science and a Master's in Business Administration.