PCI SAQ A vs. A-EP Overview for e-Commerce Merchants

The PCI SAQ A vs PCI SAQ A-EP discussion seems to be a hot topic with many of today’s e-commerce merchants and for good reason. After all, for years, the vast majority of e-commerce merchants were able to successfully validate PCI DSS compliance by using the simple and easy-to-implement SAQ A guidelines. But that’s all changed as the bigger, meaner, and more complex SAQ A-EP has arrived on the scene. Call it the playground bully of PCI DSS compliance for e-commerce merchants as it’s causing a lot of headaches and sleepless nights.

PCI SAQ A vs A-EP – Which One to Use and Why?

Is the Payment Card Industry Security Standards Council (PCI SSC) just trying to make life hard for e-commerce businesses? No, but it sure seems that way, doesn’t it? The old days of simply complying with SAQ A are long gone, so here’s what you need to know about SAQ A vs. A-EP from pcipolicyportal.com, the world’s leading authority and provider of PCI DSS Policies and Procedures and PCI Compliance Toolkits. From policies to risk assessment templates, security awareness training materials – and more – we are the unquestioned leader for PCI DSS compliance documentation. Visit pcipolicyportal.com to learn more.

Can you use SAQ A instead of SAQ A-EP? Good question, so first ask yourself the following questions:

  • Does your company accept only card-not-present (e-commerce or mail/telephone-order) transactions?
  • Is all processing of cardholder data entirely outsourced to PCI DSS validated third-party service providers?
  • Do you NOT electronically store, process, or transmit any cardholder data on your systems or premises, but rely entirely on one or more third parties to handle all these functions?
  • Have you confirmed that all third parties handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant?
  • For any cardholder data your company retains, is it ONLY on paper (for example, printed reports or receipts), and these documents are not received electronically?

SAQ A vs A-EP – The One BIG Question to Ask Yourself

Answered yes to the above questions – great – one more question left, and it’s the one question that’s unfortunately resulting in many e-commerce merchants having to assess against SAQ A-EP:

Do all elements of the payment page(s) delivered to the consumer’s browser originate only and directly from a PCI DSS validated third-party service provider(s)?

So what does “all elements of the payment page(s) delivered to the consumers’ browser” really mean? It means the following: That the payment page being served up to the end-user’s browser is a page developed, configured, secured, managed, and hosted by another entity, such as a payment processor, gateway, etc. It’s important to note that prior to the release of SAQ A-EP, many e-commerce merchants may have felt they were eligible for SAQ A because their web server does not store, process, or transmit cardholder data. As a result, these web servers failed to have sufficient security controls applied to them and now have become common targets for attackers as a means to compromise cardholder data. That being said, if all elements of the payment page(s) delivered to the consumer’s browser do NOT originate only and directly from a PCI DSS validated third-party service provider(s), then you CANNOT use SAQ A and must use SAQ A-EP – it’s just the cold hard truth.

Learn about the Different Payment Integration Platforms

With that said, you need to be aware of the following payment integration offerings/platforms:

Direct Post/Transparent Redirect: Direct Post and Transparent Redirect are essentially the same approach: your web platform “serves up” a payment page that includes fields to capture cardholder data, and those fields post the cardholder data directly to your payment gateway, bypassing your web server. So while the form that captures the cardholder data is served up from your web server, the data itself is sent directly to the payment gateway.

JavaScript: JavaScript is a programming language used to make web pages interactive. It runs in your visitor’s browser rather than on your web server, so it doesn’t require constant downloads from your website. JavaScript is often used to create polls and quizzes.

iFrame: An iFrame is an inline frame used inside a webpage to load another HTML document inside it.

Hosted Page: A page that is developed, configured, secured, managed, and hosted by another entity, thus allowing consumers to enter cardholder data directly onto a secure server being hosted by an entity other than you.

Examples of e-commerce implementations addressed by SAQ A

  • Merchant has no access to their website, and the website is entirely hosted and managed by a compliant third-party payment processor.
  • Merchant website provides an inline frame (iFrame) to a PCI DSS compliant third-party processor facilitating the payment process.
  • Merchant website contains a URL link redirecting users from merchant website to a PCI DSS compliant third-party processor facilitating the payment process.
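The integration patterns described above and the three SAQ A examples just listed map onto the one big question quite mechanically: which origin serves the document that actually carries the card-data fields? The following is an added example, not code from the article or from pcipolicyportal.com. It models each pattern as a checkout document plus the elements it contains, then applies the article’s rule (“all elements of the payment page(s) delivered to the consumer’s browser originate only and directly from a PCI DSS validated third-party service provider”). The origins (shop.example, pay.gateway.example), the validated-TPSP list, the element lists, and the choice of input/form/script as the element kinds that make a document the payment page are all constructed assumptions for illustration; the classification follows the article’s wording and its SAQ A examples, not any official PCI SSC tooling.

```javascript
// Added example: model the integration patterns from the article and apply the
// "all elements originate only and directly from a validated TPSP" test.
// All origins, lists and element descriptors below are constructed.

const MERCHANT = "https://shop.example";        // assumed merchant site origin
const TPSP = "https://pay.gateway.example";     // assumed validated TPSP origin
const VALIDATED_TPSPS = [TPSP];                 // assumed validated-provider list

function originOf(url) {
  return new URL(url).origin;
}

// Constructed checkout pages. `url` is the document delivered to the browser;
// `elements` are the payment-relevant parts of that document.
const INTEGRATIONS = {
  hostedPage: {
    url: `${TPSP}/checkout`,
    elements: [{ kind: "input", name: "card_number" }, { kind: "form", action: `${TPSP}/pay` }],
  },
  iframe: {
    url: `${MERCHANT}/checkout`,
    elements: [{ kind: "iframe", src: `${TPSP}/frame` }],
  },
  redirect: {
    url: `${MERCHANT}/checkout`,
    elements: [{ kind: "a", href: `${TPSP}/pay` }],
  },
  directPost: {
    url: `${MERCHANT}/checkout`,
    elements: [{ kind: "input", name: "card_number" }, { kind: "form", action: `${TPSP}/pay` }],
  },
  gatewayScript: {
    url: `${MERCHANT}/checkout`,
    elements: [{ kind: "script", src: `${TPSP}/fields.js` }, { kind: "div", id: "card-mount" }],
  },
};

// Assumption: these element kinds mean *this* document is the payment page,
// i.e. it carries the card-data fields, the form that posts them, or the
// script that renders them.
const PAYMENT_PAGE_KINDS = new Set(["input", "form", "script"]);

// Audit helper: for each element, the origin that served it (always the
// document origin) and, where it links elsewhere, the origin it points at.
function elementOrigins(page) {
  const servedFrom = originOf(page.url);
  return page.elements.map((el) => {
    const link = el.src || el.action || el.href;
    return { kind: el.kind, servedFrom, target: link ? originOf(link) : null };
  });
}

// Returns { saq: "A" | "A-EP" | null, reason }.
function classifyPaymentPage(page, validatedTpsps = VALIDATED_TPSPS) {
  const validated = new Set(validatedTpsps);
  const docOrigin = originOf(page.url);

  // Hosted page: the document carrying the card fields comes from the TPSP.
  if (validated.has(docOrigin)) {
    return { saq: "A", reason: `hosted page served by validated TPSP ${docOrigin}` };
  }

  // Merchant-served document that itself carries fields, a form or a script:
  // not all payment page elements originate from the TPSP (Direct Post,
  // Transparent Redirect, or gateway JavaScript mounted into the merchant page).
  const inline = page.elements.filter((el) => PAYMENT_PAGE_KINDS.has(el.kind));
  if (inline.length > 0) {
    const kinds = [...new Set(inline.map((el) => el.kind))].join(", ");
    return { saq: "A-EP", reason: `payment page elements (${kinds}) served from merchant origin ${docOrigin}` };
  }

  // Hand-off: an iframe or link whose target document is the payment page.
  const handoff = page.elements.find((el) => el.kind === "iframe" || el.kind === "a");
  if (handoff) {
    const target = originOf(handoff.src || handoff.href);
    if (validated.has(target)) {
      return { saq: "A", reason: `${handoff.kind} hands the payment page to validated TPSP ${target}` };
    }
    return { saq: null, reason: `${target} is not on the validated TPSP list, so the third-party eligibility question cannot be answered yes` };
  }

  return { saq: null, reason: "no payment-relevant elements found on this page" };
}

// Stand-alone run: one line per constructed pattern.
for (const [name, page] of Object.entries(INTEGRATIONS)) {
  const { saq, reason } = classifyPaymentPage(page);
  console.log(`${name.padEnd(14)} -> ${saq ? "SAQ " + saq : "not SAQ A eligible"}: ${reason}`);
}
```

Run it with node and it prints one line per pattern. The Direct Post case is the instructive one: `elementOrigins` shows the form is served from the merchant origin even though its action posts straight to the gateway, which is exactly why sending the data past your web server does not, by itself, keep a merchant on SAQ A.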

Download our SAQ A Policy Packet Today and Get Compliant!

Becoming compliant with SAQ A requires merchants to have documented policies and procedures in place, but developing such materials can often take considerable time and money, so the easy choice is to instantly download the SAQ A Policy Packet today from pcipolicyportal.com. Developed by industry leading PCI experts, the SAQ A Policy Packet contains all the essential policies, forms, and other material for helping merchants become PCI DSS compliant – quickly and cost-effectively.

Access our SAQ A-EP Policy Packet Today from pcipolicyportal.com!

Need to become compliant with SAQ A-EP? Then you’ll need to develop a large number of policies and procedures, undertake security awareness training, perform a risk assessment, along with many other initiatives. The mandates for SAQ A-EP can be quite challenging, as this is one of the lengthier and more complex Self-Assessment Questionnaires, and once you add all the policies that are required, SAQ A-EP quickly becomes a task indeed. Luckily, you can save hundreds of hours and thousands of dollars by simply downloading the SAQ A-EP Policy Packet today from pcipolicyportal.com. Developed by one of North America’s longest licensed PCI-QSAs, the SAQ A-EP Policy Packet contains all the policies, forms, checklists, and templates needed for becoming PCI compliant. The SAQ A vs A-EP debate will surely continue, and pcipolicyportal.com will be there to bring you the latest information and news.