Find out which companies should use the PCI SAQ A-EP
PCI SAQ A-EP was developed to address the PCI DSS requirements that apply to e-commerce merchants whose websites do not themselves receive cardholder data, but which affect the security of the payment transaction or the integrity of the page that accepts the consumer's cardholder data.
Merchants eligible for PCI SAQ A-EP are e-commerce merchants who partially outsource their e-commerce payment channel to PCI DSS validated third parties and do not electronically store, process, or transmit any cardholder data on their own systems or premises.
An organization that wants to use SAQ A-EP must be a merchant with an e-commerce payment channel, and that channel must be partially outsourced to a PCI DSS validated third party.
The customer may enter cardholder data into a form on a website your organization controls, but your organization does not store, process, or transmit that data: once entered, it is sent directly from the customer's browser to the PCI DSS validated third party for payment processing. Because your website delivers that form, the integrity of your website directly affects the safety of the cardholder data.
You can check our PCI DSS SAQ article to review all PCI SAQ types and get detailed information.
Who is suitable for PCI SAQ A-EP?
If your e-commerce website does not receive cardholder data but determines how customers, or their cardholder data, are routed to a PCI DSS validated third-party payment processor, you must complete PCI SAQ A-EP.
Put differently, if you are an e-commerce merchant that is responsible for how cardholder data reaches the validated third party, you should complete Self-Assessment Questionnaire A-EP rather than SAQ A.
Conversely, e-commerce merchants that outsource the payment channel entirely to a validated third party, and therefore have no control over how the customer is handed off to the provider's payment page, fall under SAQ A rather than SAQ A-EP.
If your organization accepts payments from customers directly through an internet-facing website, that is an e-commerce payment channel. If it is your only way of accepting payments, you will use either SAQ A or SAQ A-EP, depending on how much of the channel is outsourced.
If, during checkout, the customer is sent to a third-party provider's page to enter their card details and complete the purchase, you complete SAQ A.
For SAQ A, no part of the payment process may be affected by your own website: the redirect (or iframe) to the provider must be complete, and every element of the payment page delivered to the customer's browser must originate only and directly from the PCI DSS validated service provider.
Cardholder data then never touches your organization's systems or premises. If, however, the security of your e-commerce website can affect how that cardholder data is transmitted to the payment processor, for example because your site delivers the payment form, you must use SAQ A-EP.
You are eligible to complete PCI SAQ A-EP if all of the following apply:
- Your company accepts transactions only through e-commerce;
- All processing of cardholder data, except for the payment page, is entirely outsourced to a PCI DSS validated third-party payment processor;
- Your e-commerce website does not receive cardholder data but controls how customers, or their cardholder data, are redirected to the PCI DSS validated third-party payment processor;
- If a third-party provider hosts the merchant website, that provider is validated to all applicable PCI DSS requirements;
- Every element of the payment page(s) delivered to the consumer's browser originates from either the merchant's website or a PCI DSS compliant service provider;
- Your organization does not electronically store, process, or transmit any cardholder data on its systems or premises, but relies entirely on third parties to handle all these functions;
- Your company has confirmed that all third parties handling the storage, processing, or transmission of cardholder data are PCI DSS compliant;
- Any cardholder data your organization retains is on paper (for example, printed receipts or reports), and these documents are not received electronically.
If you meet all of the above criteria, you can self-assess with PCI SAQ A-EP. Remember that SAQ A-EP applies only to e-commerce channels.
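Two of the conditions above are checkable on the page itself: every element the checkout page delivers to the browser must come from the merchant's own site or a PCI DSS compliant service provider, and any form that collects card data must post straight to the validated processor rather than to the merchant (which is the difference between the A-EP direct-post pattern and cardholder data transiting your own systems). The following static audit is an added example written for this article; it is not code from the original page or from the PCI SSC. The merchant and processor hostnames, the allow-list, and the sample checkout page are constructed placeholders.

```python
"""
Added example (not from the original article): static audit of a merchant
checkout page against two SAQ A-EP conditions, (1) every element delivered
to the browser comes from the merchant's own site or a PCI DSS compliant
service provider, and (2) any form carrying card fields posts directly to
the validated processor, never back to the merchant.
Hostnames and the sample page are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed allow-list (assumption): the merchant's own origin plus the
# origin of its PCI DSS validated payment processor.
MERCHANT_ORIGIN = "https://shop.example"
PROCESSOR_ORIGIN = "https://checkout.payments-provider.example"
ALLOWED_ORIGINS = {MERCHANT_ORIGIN, PROCESSOR_ORIGIN}

# Tag/attribute pairs that make the browser fetch from, or submit to, a URL.
URL_ATTRS = {"script": "src", "iframe": "src", "img": "src",
             "link": "href", "form": "action"}


class CheckoutPageParser(HTMLParser):
    """Collects every loaded/submitted URL and notes which forms carry card fields."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.elements = []    # (tag, absolute_url) for each loading/submitting element
        self.card_forms = []  # absolute action URL of every form containing cc-* inputs
        self._form = None     # [action_url, has_card_fields] while inside a <form>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A form without an action submits back to the current page.
            action = urljoin(self.base_url, attrs.get("action") or "")
            self.elements.append((tag, action))
            self._form = [action, False]
            return
        if tag == "input" and self._form is not None:
            # autocomplete="cc-number", "cc-csc", ... marks payment card inputs.
            if (attrs.get("autocomplete") or "").startswith("cc-"):
                self._form[1] = True
            return
        attr = URL_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.elements.append((tag, urljoin(self.base_url, attrs[attr])))

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form[1]:
                self.card_forms.append(self._form[0])
            self._form = None


def origin(url):
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"


def audit_checkout_page(html, page_url=MERCHANT_ORIGIN + "/checkout"):
    """Report elements from non-allowed or non-HTTPS origins and where card forms post."""
    parser = CheckoutPageParser(page_url)
    parser.feed(html)
    report = {"foreign_elements": [], "insecure_elements": [],
              "card_forms_to_merchant": [], "card_forms_to_processor": []}
    for tag, url in parser.elements:
        if urlparse(url).scheme != "https":
            report["insecure_elements"].append((tag, url))
        elif origin(url) not in ALLOWED_ORIGINS:
            report["foreign_elements"].append((tag, url))
    for action in parser.card_forms:
        key = "card_forms_to_processor" if origin(action) == PROCESSOR_ORIGIN \
            else "card_forms_to_merchant"
        report[key].append(action)
    return report


def saq_a_ep_conditions_met(report):
    """True only if all elements are allowed and card data posts straight to the processor."""
    return (not report["foreign_elements"] and not report["insecure_elements"]
            and not report["card_forms_to_merchant"]
            and bool(report["card_forms_to_processor"]))


# Constructed sample page: a merchant-hosted card form posting directly to the
# processor (the A-EP direct-post pattern), plus a third-party analytics script
# that violates the "every element from an allowed origin" condition.
SAMPLE_PAGE = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.analytics-vendor.example/tag.js"></script>
</head><body>
<form method="post" action="https://checkout.payments-provider.example/direct-post">
  <input name="pan" autocomplete="cc-number">
  <input name="cvv" autocomplete="cc-csc">
  <button>Pay</button>
</form>
<form method="post" action="/newsletter"><input name="email"></form>
</body></html>
"""

if __name__ == "__main__":
    r = audit_checkout_page(SAMPLE_PAGE)
    print(r)
    print("SAQ A-EP conditions met:", saq_a_ep_conditions_met(r))
```

On the sample page the card form posts directly to the processor, which is the A-EP pattern, but the audit still fails because the analytics script is loaded from an origin that is neither the merchant nor a validated provider. A static parse only sees what the server sends; scripts that rewrite the form target or inject elements at runtime are exactly the integrity risk A-EP is meant to cover, so this check complements, rather than replaces, controls on the delivered page itself.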
What are the Requirements for PCI SAQ A-EP?
PCI SAQ A-EP touches all twelve PCI DSS requirements. The following PCI DSS requirements apply to SAQ A-EP:
- PCI DSS Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- PCI DSS Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- PCI DSS Requirement 3: Protect stored cardholder data
- PCI DSS Requirement 4: Encrypt transmission of cardholder data across open, public networks
- PCI DSS Requirement 5: Protect all systems against malware and regularly update anti-virus software
- PCI DSS Requirement 6: Develop and maintain secure systems and applications
- PCI DSS Requirement 7: Restrict access to cardholder data by business need to know
- PCI DSS Requirement 8: Identify and authenticate access to system components
- PCI DSS Requirement 9: Restrict physical access to cardholder data
- PCI DSS Requirement 10: Track and monitor all access to network resources and cardholder data
- PCI DSS Requirement 11: Regularly test security systems and processes
- PCI DSS Requirement 12: Maintain a policy that addresses information security for all personnel
PCI SAQ A-EP covers all 12 PCI DSS requirements, but only a subset of the controls under each requirement is included. It is nevertheless one of the longer SAQs, with a total of 191 questions in version 3.2.1 of the questionnaire.
Sample SAQ A-EP Questions You Should Answer
Unlike PCI SAQ A, which has 22 questions in total, A-EP has 191 questions.
Some questions you have to answer for SAQ A-EP are:
- Is there a formal process for approving and testing all network connections and changes to firewall and router configurations?
- Is there a current diagram that shows all cardholder data flows across systems and networks?
- Are system security parameters configured to prevent misuse?
- Are only trusted keys and/or certificates accepted?
- Is anti-virus software deployed on all systems commonly affected by malicious software?
- Are critical security patches installed within one month of release?
- Are all users assigned a unique ID before being allowed to access system components or cardholder data?
- Are all intrusion-detection and prevention engines, baselines, and signatures kept up to date?
- Is a security policy established, published, maintained, and disseminated to all relevant personnel?
What are the features that distinguish PCI SAQ A and SAQ A-EP from each other?
The two SAQs are similar in that both cover e-commerce merchants that hand cardholder data to a third-party service provider, but they differ in one important respect.
SAQ A covers merchants that delegate all responsibility for cardholder data to PCI DSS validated third-party service providers. SAQ A-EP, by contrast, covers merchants whose websites do not receive cardholder data but control how that data is transmitted to the third-party service provider.
How to Complete the PCI DSS Self-Assessment Questionnaire A-EP?
Each question on the SAQ A-EP form offers a set of responses that indicate your company's status against the requirement: "Yes", "Yes with CCW" (a compensating control worksheet is attached), "No", or "N/A" (not applicable). Select exactly one response for each question.
You can complete the SAQ A-EP form by following the steps below in order:
- First, determine the applicable SAQ for your environment.
- Confirm that your environment’s scope is adequately defined and meets the eligibility criteria for the SAQ you are using.
- Assess your environment for compliance with PCI DSS requirements for SAQ A-EP.
- Complete all required sections of the SAQ A-EP form.
- Submit the SAQ and Attestation of Compliance (AOC), together with any other requested documentation, to your acquirer, payment brand, or other requester.
Other additional tips for filling out SAQ A-EP
There are a few more points you should consider when filling out the SAQ A-EP.
Use intrusion detection/prevention systems: Requirement 11.4 is in scope for SAQ A-EP, and IDS/IPS at the perimeter and at critical points of the cardholder data environment help you detect and respond to intrusions early.
Document everything: Documented procedures, changes, and incident response plans let you act systematically and in a coordinated way when an attack occurs.
You can view the PDF form of the PCI Self-Assessment Questionnaire A-EP here.