Learn what businesses qualify for SAQ A-EP. 

By: Michael Simpson
Principal Security Analyst
SAQ A-EP merchants are e-commerce merchants who partially outsource their e-commerce payment channel to PCI DSS validated third parties and do not electronically store, process, or transmit any cardholder data on their systems or premises.
Here are a few answered questions about SAQ A-EP.

Who qualifies for the SAQ A-EP?

Here’s what qualifies your business for the SAQ A-EP:
  • Your company accepts only e-commerce transactions;
  • All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated third-party payment processor;
  • Your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor;
  • If merchant website is hosted by a third-party provider, the provider is validated to all applicable PCI DSS requirements (e.g., including PCI DSS Appendix A if the provider is a shared hosting provider);
  • Each element of the payment page(s) delivered to the consumer’s browser originates from either the merchant’s website or a PCI DSS compliant service provider(s);
  • Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions;
  • Your company has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and
  • Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically.

What’s the difference between SAQ A and SAQ A-EP?

Many businesses are often confused with these two SAQs, and wonder if they’re the same thing. The two SAQs are very similar, in that both involve e-commerce merchants that outsource their card data to a third-party vendor. But there are a few differences.

The biggest difference between the two is SAQ A involves merchants that outsource all responsibility of their card data to third party, while SAQ A-EP involves merchants that don’t receive cardholder data, but control how cardholder data is redirected to a PCI DSS validated third-party payment processor.

If a merchant’s e-commerce website is configured to fully redirect customers to a compliant third-party website prior to requesting cardholder data, or if an iFrame provided by a compliant third-party provider is used for the collection of cardholder data, the flow of cardholder data is controlled by the third-party provider and the merchant will likely qualify to attest using the SAQ A. E-commerce merchants who use other technologies or processes, such as JavaScript or direct post methods, to direct the flow of cardholder data from the customer directly to the compliant third-party payment gateway would need to validate using the SAQ A-EP.

SEE ALSO: SAQ A: What to Know, and What to Do

What PCI Requirements does SAQ A-EP cover?

The SAQ A-EP touches base with all the requirements in the PCI DSS. Here’s a quick look at the involved requirements.
  • Requirement 1: Install and maintain a firewall configuration to protect data
  • Requirement 2: don’t use vendor-supplied defaults for system passwords and other security parameters
  • Requirement 3: protect cardholder data
  • Requirement 4: encrypt transmission of cardholder data across open public networks
  • Requirement 5: regularly update anti-virus software
  • Requirement 6: develop and maintain secure systems and applications
  • Requirement 7: Restrict access to cardholder data by business need to know
  • Requirement 8: Identify and authenticate access to systems
  • Requirement 9: Restrict physical access to cardholder data
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
  • Requirement 12: Maintain a policy that addresses information security for all personnel

Example questions

Here are a few questions you’ll need to answer for this SAQ.
  • Is there a formal process for approving and testing all network connections and changes to the firewall and router configuration?
  • Is there a current diagram that shows all cardholder data flows across systems and networks?
  • Are security parameter settings set appropriately on system components?
  • Are only trusted keys and/or certificates accepted?
  • Is antivirus software deployed on all systems commonly affected by malicious software
  • Are critical security patches installed within one month of release?
  • Are all users assigned a unique ID before allowing them to access system components or cardholder data?
  • Are all intrusion-detection and prevention engines, baselines, and signatures kept up to date?
  • Is a security policy established, published, maintained, and disseminated to all relevant personnel?

Additional tips

Here are a few extra things to think about when filling out SAQ A-EP
  • Protect the integrity of payment pages: It is vital that SAQ A and SAQ A-EP merchants implement controls to prevent unauthorized modification of pages containing code that can affect the flow of cardholder data (redirects, iFrame, JavaScript, etc.). Change detection systems or file integrity monitoring should be in place to identify and alert on any unauthorized changes to payment pages
  • Look into intrusion detection/prevention devices: these devices can help you quickly find and eliminate potential breaches
  • Document everything: having documented policies, changes, and incident response plans prevent you from liability and keeps you organized
Need help getting PCI compliant? Talk to us!

Michael Simpson (QSA, CISSP, CCNP) is a Principal Security Analyst at SecurityMetrics and has been in the IT Security industry for 15 years. He has a Bachelor of Science in Computer Science and a Masters in Business Administration.