Learn what businesses qualify for SAQ A-EP.
SAQ A-EP merchants are e-commerce merchants who partially outsource their e-commerce payment channel to PCI DSS validated third parties and do not electronically store, process, or transmit any cardholder data on their systems or premises.
Here are answers to a few common questions about SAQ A-EP.
Who qualifies for the SAQ A-EP?
Here’s what qualifies your business for the SAQ A-EP:
- Your company accepts only e-commerce transactions;
- All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated third-party payment processor;
- Your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor;
- If the merchant website is hosted by a third-party provider, the provider is validated to all applicable PCI DSS requirements (e.g., including PCI DSS Appendix A if the provider is a shared hosting provider);
- Each element of the payment page(s) delivered to the consumer’s browser originates from either the merchant’s website or a PCI DSS compliant service provider(s);
- Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions;
- Your company has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and
- Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically.
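As an added example (not part of the original article), a small Python check for the payment-page criterion above: it lists every script, iframe, image, stylesheet and form target on a payment page and flags any origin that is neither the merchant's own site nor one of the PCI DSS validated providers you list. The sample page and all hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes through which an element of the page can be pulled from another origin.
SRC_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href", "form": "action"}


class PageOriginCollector(HTMLParser):
    """Collect (tag, url) for every element that loads from or submits to a URL."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = SRC_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))


def origin_of(url, page_origin):
    """scheme://host of an absolute or protocol-relative URL; relative URLs are the page's own."""
    p = urlparse(url)
    if not p.netloc:
        return page_origin.lower()
    return f"{p.scheme or 'https'}://{p.netloc}".lower()


def check_payment_page(html, page_origin, validated_providers):
    """Return (tag, url, origin) for every element whose origin is neither the
    merchant's own site nor a PCI DSS validated service provider."""
    allowed = {page_origin.lower()} | {p.lower() for p in validated_providers}
    collector = PageOriginCollector()
    collector.feed(html)
    return [(tag, url, origin_of(url, page_origin)) for tag, url in collector.refs
            if origin_of(url, page_origin) not in allowed]


# Constructed sample payment page; all hostnames are hypothetical.
SAMPLE_PAGE = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.psp.example/v1/fields.js"></script>
<link rel="stylesheet" href="https://cdn.untrusted.example/theme.css">
</head><body>
<form action="https://secure.psp.example/pay" method="post"></form>
<img src="//tracker.example.net/pixel.gif">
</body></html>"""
MERCHANT_ORIGIN = "https://shop.example"
VALIDATED_PROVIDERS = {"https://js.psp.example", "https://secure.psp.example"}

if __name__ == "__main__":
    for tag, url, origin in check_payment_page(SAMPLE_PAGE, MERCHANT_ORIGIN, VALIDATED_PROVIDERS):
        print(f"unexpected origin {origin} via <{tag}> {url}")
```

Resources added by JavaScript at runtime do not appear in the static HTML, so the same check should also be run against the rendered DOM (or enforced with a Content-Security-Policy that allows only the same origins).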
What’s the difference between SAQ A and SAQ A-EP?
Many businesses confuse these two SAQs and wonder if they’re the same thing. The two SAQs are very similar, in that both involve e-commerce merchants that outsource their card data to a third-party vendor. But there are a few differences.
The biggest difference between the two is that SAQ A involves merchants that outsource all responsibility for their card data to a third party, while SAQ A-EP involves merchants that don’t receive cardholder data but control how cardholder data is redirected to a PCI DSS validated third-party payment processor.
SEE ALSO: SAQ A: What to Know, and What to Do
What PCI Requirements does SAQ A-EP cover?
The SAQ A-EP touches on all of the requirements in the PCI DSS. Here’s a quick look at the involved requirements.
- Requirement 1: Install and maintain a firewall configuration to protect data
- Requirement 2: Don’t use vendor-supplied defaults for system passwords and other security parameters
- Requirement 3: Protect cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open public networks
- Requirement 5: Regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 8: Identify and authenticate access to systems
- Requirement 9: Restrict physical access to cardholder data
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
- Requirement 12: Maintain a policy that addresses information security for all personnel
Example questions
Here are a few questions you’ll need to answer for this SAQ.
- Is there a formal process for approving and testing all network connections and changes to the firewall and router configuration?
- Is there a current diagram that shows all cardholder data flows across systems and networks?
- Are security parameter settings set appropriately on system components?
- Are only trusted keys and/or certificates accepted?
- Is antivirus software deployed on all systems commonly affected by malicious software?
- Are critical security patches installed within one month of release?
- Are all users assigned a unique ID before allowing them to access system components or cardholder data?
- Are all intrusion-detection and prevention engines, baselines, and signatures kept up to date?
- Is a security policy established, published, maintained, and disseminated to all relevant personnel?
Additional tips
Here are a few extra things to think about when filling out SAQ A-EP.
- Look into intrusion detection/prevention devices: these devices can help you quickly find and eliminate potential breaches.
- Document everything: documented policies, changes, and incident response plans protect you from liability and keep you organized.
Michael Simpson (QSA, CISSP, CCNP) is a Principal Security Analyst at SecurityMetrics and has been in the IT Security industry for 15 years. He has a Bachelor of Science in Computer Science and a Masters in Business Administration.