PCI SAQ A-EP

Find out which companies should use the PCI SAQ A-EP

PCI SAQ A-EP has been developed to address PCI DSS requirements applicable to e-commerce organizations that have websites that do not receive cardholder data but affect the security of the payment process or the integrity of the page that accepts consumer cardholder data.

Eligible merchants for PCI SAQ A-EP are e-commerce vendors who partially outsource their e-commerce payment services to third parties validated under PCI DSS and do not store, process, or transmit any cardholder data electronically in their own systems or facilities.

An organization that wants to use SAQ A-EP must be a merchant using an e-commerce platform. This e-commerce payment channel must be partially outsourced to a third-party verified by PCI DSS.

The customer may enter cardholder data in a form on the website your organization controls, but your organization does not store, process, or transmit this data. Once entered, this data is sent immediately and directly to the third party verified by the PCI DSS for payment processing.

See Also: Choosing the Right PCI DSS SAQ

You can check our PCI DSS SAQ article to review all PCI SAQ types and get detailed information.

Who is suitable for PCI SAQ A-EP?

If your e-commerce website does not accept cardholder data, but you determine how cardholder data is routed to a PCI DSS certified third-party payment processor, you must complete PCI SAQ A-EP.

Also, suppose you are an e-commerce merchant responsible for sending Cardholder Data to a verified third party. In that case, you should complete the Self-Assessment Questionnaire A-EP instead of SAQ A.

On the other hand, e-commerce merchants that outsource the payment channel entirely to fully validated third parties, and consequently have no direct control over the servers that redirect the customer, can also fill out the SAQ A-EP form.

If you are an organization that accepts payments directly from customers through an internet-facing website, this is an e-commerce payment channel. If this is the only way to accept payments, you must use SAQ A or A-EP.

If the customer is directed to a third-party provider to enter their credit card information and complete the purchase during the payment process, you must complete the SAQ A form.

For SAQ A eligibility, no part of the payment process may be affected by your primary website: the customer must be fully redirected, and all payment page elements delivered to the customer’s browser must originate solely and directly from your service provider.

Suppose that instead of redirecting your users to a third-party payment page or pop-up, you accept payment information in a form field on your own website and then send it directly to the third-party payment provider via an API call or JavaScript.

This payment information does not pass through your organization’s systems or facilities, but the security of your e-commerce website can still affect how that cardholder data reaches the payment processor. In this scenario, you must use the SAQ A-EP form.

You must complete the PCI SAQ A-EP if all of the following apply to you:

  • Your company only accepts transactions through e-commerce.
  • The processing of all cardholder data, other than the payment page, is entirely outsourced to a third-party payment processor validated under PCI DSS.
  • Your e-commerce website does not accept cardholder data but controls how customers’ cardholder data is transmitted to a third-party payment processor validated under PCI DSS.
  • If a third-party provider manages the merchant website, it is verified that the provider meets all applicable PCI DSS requirements.
  • All elements of the payment pages are delivered to the consumer’s browser from the merchant’s website or from the resources of PCI DSS compliant service providers.
  • Your organization does not electronically store, process, or transmit any cardholder data in its systems or facilities, but relies entirely on a third party to perform all these functions.
  • Your company verifies that all third parties managing the storage, processing, or transmission of cardholder data are PCI DSS compliant.
  • Any cardholder data retained by your organization is on paper, and these records are not received electronically.

If you meet the above requirements, you can self-assess with the PCI SAQ A-EP. It should not be forgotten that SAQ A-EP can only be applied to e-commerce channels.

What are the Requirements for PCI SAQ A-EP?

PCI SAQ A-EP draws on all of the requirements in PCI DSS. The following PCI DSS requirements apply to SAQ A-EP:

PCI SAQ A-EP covers all 12 PCI DSS requirements, but not every sub-requirement applies. PCI SAQ A-EP is one of the longer SAQs, with a total of 191 questions.

Sample SAQ A-EP Questions You Should Answer

Unlike PCI SAQ A, which has 22 questions in total, A-EP has 191 questions.

Some questions you have to answer for SAQ A-EP are:

  • Do you have a formal process to validate and test all network connections and firewall and router configuration changes?
  • Do you have an existing diagram that shows how data travels through systems and cardholder network?
  • Are the security parameter settings in the system components appropriately set?
  • Do you only accept trusted keys or certificates?
  • Is anti-virus software installed on any device commonly affected by malware?
  • Are critical security patches installed within a month of being released?
  • Are all users given a unique ID so that they can access device components or cardholder data?
  • Are all core values and signatures for intrusion detection and prevention systems kept up to date?
  • Has a security policy been established and disseminated to all relevant employees?

What are the features that distinguish PCI SAQ A and SAQ A-EP from each other?

While the two SAQs have some differences, they are somewhat similar as they involve e-commerce merchants that transfer card data to a third-party service provider.

The main difference between the two is that SAQ A includes merchants that delegate all responsibility for card data to third-party service providers. In contrast, SAQ A-EP includes vendors who do not receive cardholder data but manage how cardholder data is transmitted to a third-party service provider.

E-commerce vendors that use technologies such as JavaScript or a direct HTTP POST to route the stream of cardholder data from the customer directly to the PCI-compliant third-party payment gateway must use SAQ A-EP.

In other words, if you use a POST method or a JavaScript implementation, you are responsible for complying with SAQ A-EP, because in both cases you are capturing information through your own form and using its actions and methods to send that data to an API.

How to Complete the PCI DSS Self-Assessment Questionnaire A-EP?

Each question on the SAQ A-EP form offers several answers with which you indicate your company’s status regarding that requirement. The possible answers are “Yes”, “No”, “Compensating Control”, or “Not Applicable”. Only one answer should be chosen for each item.

You can complete the SAQ A-EP form by following the steps below in order:

  1. First, determine the applicable SAQ for your environment.
  2. Confirm that your environment’s scope is adequately defined and meets the eligibility criteria for the SAQ you are using.
  3. Assess your environment for compliance with PCI DSS requirements for SAQ A-EP.
  4. Complete all required sections of the SAQ A-EP form.
  5. Communicate the SAQ and Attestation of Compliance (AOC), along with any other requested documentation, to the recipient, your payment brand, or other requestors.

Other additional tips for filling out SAQ A-EP

There are a few more points you should consider when filling out the SAQ A-EP.

Maintain the integrity of payment pages: SAQ A-EP merchants must implement the necessary controls to prevent unauthorized modification of pages (redirects, iFrames, JavaScript, etc.) containing code that could affect the flow of cardholder data. To detect and alert on any unauthorized changes to payment pages, you must use change detection systems or file integrity monitoring systems.

Use intrusion detection/prevention systems: These systems will help you quickly find and eliminate potential intrusions.

Document everything: Documenting procedures, improvements, and incident response strategies keeps the team coordinated and allows you to act systematically in the event of an attack.

You can view the PDF form of the PCI Self-Assessment Questionnaire A-EP here.

Surkay Baykara
A passionate Senior Information Security Consultant working at Cyberwise. Over the past 15+ years my professional career has included several positions beginning as a developer and IT administrator, working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I had several different roles at Cyberwise, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career including; CEH, CISA, CISSP, and PCI QSA.