Visa Europe revealed important statistics about the usage of contactless cards. Poland, Spain and the UK use this payment method the most, with UK usage growing by 300% year over year.
Self-Assessment Questionnaire A-EP (SAQ A-EP) has been released by the PCI Security Standards Council to address the requirements of those e-commerce merchants whose website does not receive payment card data, but does have the ability to affect the security of the payment transaction or the integrity of the page that accepts the cardholder's payment card details.
As explained in the official PCI SSC documentation about Questionnaire A-EP:
“your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor”
Therefore, if you are an e-commerce merchant who is responsible for the redirection of cardholder data to a validated third party, you must complete Self-Assessment Questionnaire A-EP instead of SAQ A.
On the other hand, e-commerce merchants who have completely outsourced all aspects of payment processing to validated third parties, and as a result have no direct control over the web redirection servers, may still complete SAQ A.
Unlike SAQ A, which comes with a total of 14 questions, A-EP contains 139 questions. Many of them will be unfamiliar to those who previously validated compliance with SAQ A version 2.0. Significantly, SAQ A-EP, in line with PCI DSS version 3.0, clearly brings the web redirection servers into the scope of compliance. In summary, A-EP requires merchants to:
It is common sense that merchants not wanting to validate their environments against PCI DSS 3.0 must avoid storing, transmitting and processing cardholder data.
They have the option of outsourcing such processes to compliant third parties, which specialise in the protection of payment cardholder data and invest heavily in this area. However, this can still leave one weakness that hackers are actively exploiting: the merchant's own website.
Under certain circumstances, depending on the nature of the services offered by the third party, hackers can introduce changes to the payment process and capture the cardholder's payment card details before the cardholder is redirected to the compliant service provider. To do so, they only need to compromise the merchant's website: the page that performs the redirection, or the scripts it loads, is the point of attack, not the processor.
The SSC, with the new version of the SAQs and specifically with A-EP, is addressing the need to apply different security controls to the different redirection mechanisms that compliant service providers offer to merchants' e-commerce environments.
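The weakness described above is that the merchant's redirect or checkout page is altered so that card details leave for somewhere other than the validated processor. One practical control a merchant can run against such a page is a periodic integrity and destination check: compare the served page against an approved baseline and confirm that every form action and external script points only at the validated processor. The following is an added illustration written for this article, not Advantio's or the PCI SSC's code; the processor hostname, the sample HTML pages and the baseline hash are all constructed for the example.

```python
"""Integrity and redirect-target check for a merchant payment page.

Added example, not code from the original article. Everything below
(allowed processor host, sample pages, baseline) is constructed for
illustration; a real deployment would fetch the live page and store the
baseline hash out of band.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the validated third-party payment processor's host.
# Cardholder data is only ever supposed to be sent here.
ALLOWED_PAYMENT_HOSTS = {"checkout.example-psp.test"}


class PaymentPageScanner(HTMLParser):
    """Collect every place the page could send data or load code:
    form actions, external script sources and inline script blocks."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.script_srcs = []
        self.inline_scripts = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "script":
            if a.get("src"):
                self.script_srcs.append(a["src"])
            else:
                self._in_script = True

    def handle_data(self, data):
        # Script element content arrives here; count non-empty inline blocks.
        if self._in_script and data.strip():
            self.inline_scripts += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def page_fingerprint(html: str) -> str:
    """SHA-256 of the served page, compared against an approved baseline."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def check_payment_page(html: str, baseline_hash: str) -> list:
    """Return a list of findings. An empty list means the page matches the
    approved baseline and every external reference targets the allowed
    processor. Relative script sources are served from the merchant's own
    origin and are therefore covered by the baseline hash comparison."""
    findings = []
    if page_fingerprint(html) != baseline_hash:
        findings.append("page content differs from approved baseline")
    scanner = PaymentPageScanner()
    scanner.feed(html)
    for url in scanner.form_actions:
        host = urlparse(url).hostname
        if host not in ALLOWED_PAYMENT_HOSTS:
            findings.append(f"form posts to unapproved host: {host}")
    for url in scanner.script_srcs:
        host = urlparse(url).hostname
        if host is not None and host not in ALLOWED_PAYMENT_HOSTS:
            findings.append(f"external script from unapproved host: {host}")
    if scanner.inline_scripts:
        findings.append(f"{scanner.inline_scripts} inline script block(s) present")
    return findings


# Constructed sample: the approved redirect page as it was signed off.
APPROVED_PAGE = """<html><body>
<form method="post" action="https://checkout.example-psp.test/pay">
<input type="hidden" name="order" value="1001">
<button>Pay</button></form>
</body></html>"""

# In practice this hash is recorded at sign-off and stored separately.
BASELINE_HASH = page_fingerprint(APPROVED_PAGE)

# Constructed sample: the same page with an extra external script injected.
TAMPERED_PAGE = APPROVED_PAGE.replace(
    "</form>",
    '</form><script src="https://static.unknown-cdn.test/s.js"></script>')


if __name__ == "__main__":
    print("approved:", check_payment_page(APPROVED_PAGE, BASELINE_HASH))
    print("tampered:", check_payment_page(TAMPERED_PAGE, BASELINE_HASH))
```

Run on a schedule against the live page (and, ideally, from outside the merchant's own network), the two independent signals complement each other: the hash catches any change at all, while the host checks describe what the change does to the flow of cardholder data, which is exactly the scope SAQ A-EP asks the merchant to account for.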
Advantio's team is made up of experienced QSAs. Advantio can help with PCI DSS compliance and, as a trusted advisor, can assist your organisation to achieve and maintain compliance. We have identified some services that are specifically relevant to e-commerce merchants:
I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason I started my own business is to make IT Security simple.
Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight)/ Linux+/ PCI-QSA / PA-QSA