Self-Assessment Questionnaire A-EP (SAQ A-EP) has been released by the Standard Security Council to address requirements of those e-commerce merchants whose website does not receive payment card data, but does have the ability to affect the security of the payment transaction or the integrity of the page that accepts the cardholder’s payment card details.

cardholder data

What type of merchants is supposed to fill out the SAQ A-EP and why?

As explained in the official documentation from PCI SCC about the Questionnaire A-EP:

“your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor”

Therefore, if you are an e-commerce merchant who is responsible for the redirection of CardHolder Data to a validated third party, you must complete Self-Assessment Questionnaire A-EP instead of SAQ A.

On the other hand, e-commerce merchants who completely outsourced all aspects to validated third parties and as a result have no direct control over the web redirection servers, may still complete SAQ A.

What is in Questionnaire A-EP?

Unlike SAQ A, which comes with a total of 14 questions, A-EP contains 139 questions. Many of them will be unfamiliar to those that previously validated compliance with A version 2.0. Significantly SAQ A-EP, in line with PCI DSS version 3.0, clearly brings the web redirection servers into the scope of compliance. In summary, A-EP requires merchants to:

  • Secure the server adopting industry-standard hardening practices
  • Follow secure coding guidelines and assess the security of the application
  • Monitor the security of the server and application ensuring that audit trails and alerts are in place - such as detecting and alerting upon unauthorised changes to the payment page
  • Regularly test the security engaging an Approved Scanning Vendor (ASV) to conduct quarterly external vulnerability scans as well as performing penetration-testing

Merchants websites are the weak link in the chain

It is common sense that merchants not wanting to validate their environments against the PCI DSS 3.0, must avoid storing, transmitting and processing cardholder data.
They have the option of outsourcing such processes to compliant third parties, specialized in the protection of payment cardholder data by investing heavily in this area. However, this might leave a weakness that is being exploited by hackers, the merchant’s website.

Under certain circumstances, depending on the nature of the services offered by the mentioned third party, hackers can introduce changes to the payment process, capturing the cardholder’s payment card details prior to the cardholder being redirected to the compliant service provider. To do so they only need to deal with the merchant's website.

The SSC, with the new version of the SAQs, specifically, with the A-EP, is addressing the need of applying different security controls to the different mechanisms offered in the market by compliant service providers to the merchants' e-commerce realm. 

How can Advantio help?

Advantio's team is made of experienced QSAs. Advantio can help with PCI DSS compliance and as a trusted advisor can assist your organisation to achieve and maintain compliance.  We have identified some services that are specifically relevant to e-commerce merchants:

  • Secure Code Review & Training – Ensure that your code does not contain vulnerabilities that may be exploited
  • Vulnerability Assessment – Conducting vulnerability scans against your external IP addresses
  • Penetration Testing - Simulating attacks at the network and application layers to try bypassing your existing security controls
  • Web Application Security Testing - Inspecting the security posture of your web applications
Marco Borza

Written by Marco Borza

I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason why I've started my own business is to make IT Security simple.

Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight)/ Linux+/ PCI-QSA / PA-QSA