PCI - SAQ Confusion
Gary Hawkins
Views are my own, may be exaggerated for dramatic effect, and subject to change without warning or reason.
It seems to be a common occurrence when discussing anything PCI related that there is room for manoeuvring, that opinions differ, and that there is more than one right answer. One area of confusion is whether an e-commerce merchant can use SAQ-A or SAQ-A-EP in order to achieve compliance, depending on merchant level and acquirer agreement of course.
The catch-all SAQ-D long form contains over 250 requirements that must be evidenced and satisfied, SAQ-A-EP contains around 135, and SAQ-A contains only 14, so clearly there is a significant saving in effort if a shorter form can be used. Many InfoSec folk will argue that in theory any measure of PCI consists only of basic security controls, so there is no reason to chase a reduced form. In practice, though, it is often necessary to pursue the lowest level of assessment that will suffice.
The PCI council produced an Instructions and Guidelines document for SAQs which attempts to provide some clarification, but even this leaves room for confusion. A more concise source of guidance comes from a Visa guide on processing e-commerce payments, and in particular the table from page 5 that's partly shown in the image above.
If your website uses Direct Post in order to process card payments then you need to use (at least) SAQ-A-EP. If your website uses a Redirect or an iFrame then you may be able to use SAQ-A. That's it.
For clarity: Direct Post is when card details are typed into the merchant website and are then posted to the PSP (Payment Service Provider) upon submission. Redirect is when the merchant website links the customer out to the website of the PSP. iFrame is when the website of the PSP is presented as a subcomponent within the merchant website. There are other methods, but these are by far the most common.
In the second and third scenarios the customer types their card details directly into the website of the PSP, and that's seen as an important distinction. Compromise of the merchant website could see the Redirect or iFrame amended so that card details are typed into a malicious website, so it seems strange that these methods are treated as less risky, but that's the guidance we've been given. It would make sense to still adhere to SAQ-A-EP when using Redirect or iFrame, but it's unlikely that a business will opt to satisfy almost ten times as many requirements as necessary.
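As an added illustration of the three integration methods just described and of the tampering risk above (this is example code, not part of the original post or of any PSP's toolkit), the following script takes the HTML of a merchant checkout page, decides whether it is a Direct Post, Redirect or iFrame integration, maps that to the SAQ the post points at, and checks that the place card data actually ends up is the expected PSP origin. The origins, field names and page snippets are constructed for illustration; PSP_ORIGIN and MERCHANT_ORIGIN are assumptions, and the detection is a heuristic on raw markup rather than a rendered DOM.

```javascript
// Added example, not from the original post. Classifies a merchant checkout
// page by payment integration method and verifies the card-data destination.
const PSP_ORIGIN = "https://pay.psp.example";          // assumed PSP origin
const MERCHANT_ORIGIN = "https://shop.merchant.example"; // assumed merchant origin

// Markers of a card-entry field on the merchant page: HTML autocomplete tokens
// for card data, or a field name containing common card-field words. A form
// holding such a field makes the integration a Direct Post.
const CARD_FIELD =
  /autocomplete\s*=\s*["']cc-(?:number|csc|exp)["']|name\s*=\s*["'][^"']*(?:card|pan|cvv|cvc)[^"']*["']/i;

// Pull one attribute value out of an opening tag (heuristic, quoted values only).
function attr(tag, name) {
  const m = tag.match(new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, "i"));
  return m ? m[1] : null;
}

// True when `dest` (possibly relative to `base`) resolves to the expected origin.
function sameOrigin(dest, expected, base) {
  try {
    return new URL(dest, base).origin === new URL(expected).origin;
  } catch {
    return false;
  }
}

function classifyCheckout(html, pspOrigin = PSP_ORIGIN, merchantOrigin = MERCHANT_ORIGIN) {
  let method = "unknown";
  let destination = null;
  let cardFreeFormAction = null;

  // 1. Direct Post: a form on the merchant page contains card fields; card
  //    data is posted wherever its action points.
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  for (const [, open, body] of html.matchAll(formRe)) {
    if (CARD_FIELD.test(body)) {
      method = "direct-post";
      destination = attr(open, "action");
      break;
    }
    if (cardFreeFormAction === null) cardFreeFormAction = attr(open, "action");
  }

  // 2. iFrame: the PSP page is embedded and the card fields live inside it.
  if (method === "unknown") {
    const m = html.match(/<iframe\b[^>]*>/i);
    if (m) {
      method = "iframe";
      destination = attr(m[0], "src");
    }
  }

  // 3. Redirect: a card-free form or a link sends the customer off to the PSP.
  if (method === "unknown") {
    const a = html.match(/<a\b[^>]*\bhref\s*=\s*["'][^"']*["'][^>]*>/i);
    const dest = cardFreeFormAction || (a ? attr(a[0], "href") : null);
    if (dest !== null) {
      method = "redirect";
      destination = dest;
    }
  }

  // The tampering concern: a Redirect or iFrame only keeps card data away from
  // the merchant page if its destination is genuinely the PSP.
  const destinationTrusted =
    destination !== null && sameOrigin(destination, pspOrigin, merchantOrigin);
  const saq =
    method === "direct-post" ? "SAQ-A-EP (at least)"
    : method === "unknown" ? "undetermined"
    : "SAQ-A (may be eligible)";
  return { method, destination, destinationTrusted, saq };
}

// Constructed sample checkout pages, one per integration method, plus an
// iFrame whose src has been altered to a look-alike origin.
const SAMPLE_PAGES = {
  directPost: `<form method="post" action="https://pay.psp.example/charge">
      <input name="cardholder"> <input name="card_number" autocomplete="cc-number">
      <input name="cvv" autocomplete="cc-csc"> <button>Pay</button></form>`,
  redirect: `<p>Order total 42.00</p>
      <a href="https://pay.psp.example/hosted?order=1001">Pay now</a>`,
  iframe: `<h1>Checkout</h1>
      <iframe src="https://pay.psp.example/embed?order=1001" title="payment"></iframe>`,
  tamperedIframe: `<h1>Checkout</h1>
      <iframe src="https://pay-psp.example.net/embed?order=1001" title="payment"></iframe>`,
};

for (const [name, html] of Object.entries(SAMPLE_PAGES)) {
  console.log(name, classifyCheckout(html));
}
```

A check like this belongs in the merchant's own release pipeline or a periodic crawl of the live checkout page, so that a changed iFrame src or Redirect target is noticed rather than discovered by customers; it tells you which SAQ you are really in, but the acquirer still has the final say on which form is accepted.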
If you've been advised differently by an Acquirer, a QSA, or another authority figure then let me know in the comments... I'd be glad to discuss further.
I protect data, don't care what kind.
9 years
In the end, the acquirer is the one to dictate the SAQ a merchant of any sort completes. It's a commercial obligation, not a law, so the acquirer can use both the SAQ D and a QSA to monitor their riskier clients if they so choose. The biggest confusion is when the acquirer doesn't tell their merchants which SAQs to complete, which is often. Either the acquirer does not know their merchant's payment channels well enough, has little experience in PCI, or both. Often all it takes is for a QSA to tell the acquirer which SAQ is relevant based on their initial examination. The acquirer almost always bows to this hands-on knowledge. Yes, it costs you a day of a QSA, but this can save you a fortune down the road.