As we continue our series on the different types of Self-Assessment Questionnaires (SAQs) within PCI, we’re still working through the smaller SAQs from a requirements and scope perspective. SAQ A-EP is interesting and a little different from the SAQs we’ve discussed previously because it is a subset, or special case, of SAQ A. It’s also one of the most commonly confused or misused SAQs, from what I’ve seen, because of the special circumstances around it. It might be helpful to review our write-up of SAQ A here before diving into this one, because we’ll be comparing and contrasting the two.
What Organizations Can Use This SAQ
An organization that wants to use SAQ A-EP has to be a merchant (not a service provider) that uses an e-commerce platform. This e-commerce payment channel has to be partially outsourced to a PCI DSS validated third party: a customer enters cardholder data into a form on a website that your organization controls, but your organization doesn’t actually store, process, or transmit any cardholder data on its own systems. Once entered, this data is immediately and directly sent to the PCI DSS validated third party for payment processing. This may still be confusing (anyone who has worked with PCI for a long time could still get into an argument about what does or doesn’t apply to this SAQ), so let’s look at an example.
What Does it Take to Complete an SAQ A-EP?
For your company to complete an SAQ A-EP, you’ve got to confirm for the applicable payment channel that:
- You’re only accepting e-commerce payments and you don’t electronically store, process, or transmit cardholder data on your systems
- All service providers that store, process, or transmit cardholder data on your behalf are PCI DSS compliant
- Besides the payment page where a customer enters payment information, all other processing of cardholder data is outsourced (to a PCI DSS validated third party, of course)
- Your web server does not receive cardholder data, but your website does control how customers’ cardholder data is sent to your payment processor
- Your website hosting provider (if applicable) is PCI DSS validated
- All elements of the payment page originate from your website or a PCI DSS compliant service provider
- If you do retain any cardholder data, it must be on physical paper and never received electronically
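One way to check the two page-related points above (that your web server never receives card data, and that every element of the payment page comes from your site or an allowed provider) is to inventory where a payment page's scripts, frames, stylesheets, images, and form actions actually point. This is an added example, not part of the original post or any PCI SSC tooling; the sample page, hostnames, and allowed-provider list are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin

# Attributes that pull content into the page or send form data out of it.
SOURCE_ATTRS = {
    "script": "src", "iframe": "src", "img": "src",
    "link": "href", "form": "action",
}


class PaymentPageAudit(HTMLParser):
    """Collects (tag, absolute URL) for every element that loads a resource or posts data."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = SOURCE_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value:
            # Relative paths resolve to the merchant's own origin.
            self.refs.append((tag, urljoin(self.page_url, value)))


def origin(url):
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def audit_payment_page(html, page_url, allowed_origins):
    """Return refs whose origin is neither the merchant site nor an allowed provider."""
    parser = PaymentPageAudit(page_url)
    parser.feed(html)
    allowed = {origin(o) for o in allowed_origins} | {origin(page_url)}
    return [(tag, url) for tag, url in parser.refs if origin(url) not in allowed]


# Constructed sample payment page; the .test hostnames are placeholders, not real providers.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="/static/checkout.css">
<script src="https://js.psp-example.test/v1/fields.js"></script>
<script src="https://cdn.analytics-example.test/tag.js"></script>
</head><body>
<form action="https://checkout.psp-example.test/pay" method="post">...</form>
<img src="/static/logo.png">
</body></html>
"""

if __name__ == "__main__":
    unexpected = audit_payment_page(
        SAMPLE_PAGE, "https://shop.example.test/checkout",
        ["https://js.psp-example.test", "https://checkout.psp-example.test"])
    for tag, url in unexpected:
        print(f"unexpected {tag} source: {url}")
```

Anything the audit flags (here, the analytics script) is an element of the payment page that is neither yours nor your validated provider's, and therefore a question for your SAQ A-EP eligibility, not just your page weight.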