SAQ A-EP Merchants are e-commerce businesses that manage their own payment page but rely on a third-party service provider for actual payment processing. They do not store or process cardholder data themselves, focusing on securing the payment page and ensuring safe redirection to the provider.
- Eligibility Criteria: These merchants must ensure that all account data processing is handled by a compliant third party, with no electronic storage of cardholder data on their premises. They are responsible for securing the payment page, including ensuring safe redirection mechanisms to prevent data skimming or unauthorized access.
- Compliance Requirements: They must complete SAQ A-EP, which includes requirements for vulnerability management, authentication controls, and external vulnerability scans, reflecting the increased risk associated with e-commerce environments. For instance, version 4 emphasizes stronger password policies, with a minimum length of 12 characters and rotation requirements if passwords are the sole authentication factor.
- Requirement 6.4.3 Applicability: Requirement 6.4.3 applies to SAQ A-EP Merchants, since they control their payment pages. It requires that every script on a payment page, whether it originates from the merchant's environment or from third or fourth parties, is authorized, that its integrity is assured, and that an inventory of all such scripts is maintained with a written justification for each. This is critical for preventing e-commerce skimming attacks. The SAQ A-EP document for v4.0 (SAQ A-EP for PCI DSS 4.0) explicitly includes requirement 6.4.3, with applicability notes focused on the merchant's payment pages.
- Requirement 11.6.1 Applicability: Requirement 11.6.1 also applies to SAQ A-EP Merchants, because their payment pages need protection. It mandates a change-detection mechanism that detects unauthorized modifications to the payment pages, with evaluation performed at least weekly or at the frequency set by a targeted risk analysis. It is listed in the SAQ A-EP document, so these merchants must monitor their payment pages for tampering.
- Practical Implications: SAQ A-EP Merchants carry a moderate compliance burden, with requirements focused on securing their payment pages. This setup is common for online retailers using payment gateways, where the merchant's role is limited to customer interaction on the website; they must still perform due diligence to confirm the third party's compliance. They must implement both script management (6.4.3) and change detection (11.6.1), reflecting their role in e-commerce with controlled payment pages.
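The two controls above are easier to reason about in code. The following is an added example, not text or code from the PCI SSC or the SAQ A-EP document: a Python script that audits a payment page's `<script>` elements against an authorized inventory (the authorization, integrity and inventory parts of 6.4.3) and fingerprints the page as received by the browser so that unauthorized additions, removals and header changes can be detected on a schedule (11.6.1, which also covers the HTTP headers delivered with the page). The payment page HTML, HTTP headers, inventory entries and the `sha384-` digests in it are constructed sample data, and the function names (`audit_scripts`, `page_fingerprint`, `detect_changes`) are hypothetical.

```python
"""Script inventory audit (PCI DSS 6.4.3) and page change detection (11.6.1).

Added example with constructed sample data; not from the PCI SSC documents.
"""
import base64
import hashlib
import json
from html.parser import HTMLParser


def sri_hash(body: str) -> str:
    """Subresource Integrity digest of a script body, sha384 base64 (same form as the integrity attribute)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body.encode("utf-8")).digest()).decode("ascii")


class _ScriptCollector(HTMLParser):
    """Collects every <script> element's src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = {"src": None, "integrity": None, "body": ""}
            for name, value in attrs:
                if name in ("src", "integrity"):
                    self._open[name] = value

    def handle_data(self, data):
        if self._open is not None:
            self._open["body"] += data  # inline script text arrives here, possibly in chunks

    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None


def extract_scripts(html: str):
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


# Constructed inventory: one entry per authorized script, with the expected integrity
# value and the written justification 6.4.3 asks for. Inline scripts are keyed by digest.
APPROVED_INLINE = "window.checkoutConfig = {currency: 'EUR'};"
INVENTORY = {
    "https://checkout.example/js/payment.js": {"integrity": "sha384-" + "A" * 64,  # placeholder digest
                                                "justification": "first-party card form logic"},
    "https://psp.example/v2/tokenize.js": {"integrity": "sha384-" + "B" * 64,  # placeholder digest
                                            "justification": "PSP tokenization of card data"},
    "inline:" + sri_hash(APPROVED_INLINE): {"integrity": sri_hash(APPROVED_INLINE),
                                            "justification": "checkout configuration"},
}

# Constructed sample pages: the approved baseline and a later copy with unexpected changes.
BASELINE_PAGE = """<html><head>
<script src="https://checkout.example/js/payment.js" integrity="sha384-{a}"></script>
<script src="https://psp.example/v2/tokenize.js" integrity="sha384-{b}"></script>
<script>{inline}</script>
</head><body><form id="card"></form></body></html>""".format(a="A" * 64, b="B" * 64, inline=APPROVED_INLINE)

TAMPERED_PAGE = """<html><head>
<script src="https://checkout.example/js/payment.js" integrity="sha384-{a}"></script>
<script src="https://psp.example/v2/tokenize.js"></script>
<script>window.checkoutConfig = {{currency: 'EUR', debug: true}};</script>
<script src="https://cdn.unapproved.example/a.js"></script>
</head><body><form id="card"></form></body></html>""".format(a="A" * 64)

BASELINE_HEADERS = {"Content-Security-Policy": "script-src 'self' https://psp.example",
                    "Strict-Transport-Security": "max-age=31536000"}
TAMPERED_HEADERS = {"Content-Security-Policy": "script-src 'self' https://psp.example https://cdn.unapproved.example",
                    "Strict-Transport-Security": "max-age=31536000"}

SECURITY_HEADERS = ("content-security-policy", "strict-transport-security", "x-frame-options")


def audit_scripts(html: str, inventory: dict):
    """6.4.3 check: every script must be in the inventory and carry the expected integrity value."""
    findings = []
    for script in extract_scripts(html):
        if script["src"] is None:
            key = "inline:" + sri_hash(script["body"].strip())
            if key not in inventory:
                findings.append(("unauthorized-inline", key))
            continue
        entry = inventory.get(script["src"])
        if entry is None:
            findings.append(("unauthorized-script", script["src"]))
        elif script["integrity"] is None:
            findings.append(("missing-integrity", script["src"]))
        elif script["integrity"] != entry["integrity"]:
            findings.append(("integrity-mismatch", script["src"]))
    return findings


def page_fingerprint(html: str, headers: dict):
    """11.6.1 baseline: the script set plus security-relevant headers as the browser received them."""
    scripts = []
    for script in extract_scripts(html):
        if script["src"] is None:
            scripts.append(("inline", sri_hash(script["body"].strip())))
        else:
            scripts.append((script["src"], script["integrity"] or ""))
    hdrs = {k.lower(): v for k, v in headers.items() if k.lower() in SECURITY_HEADERS}
    return {"scripts": sorted(scripts), "headers": hdrs}


def detect_changes(baseline: dict, current: dict):
    """Compare two fingerprints; each returned tuple is something to alert on."""
    changes = []
    base, cur = set(baseline["scripts"]), set(current["scripts"])
    changes += [("script-added", s) for s in sorted(cur - base)]
    changes += [("script-removed", s) for s in sorted(base - cur)]
    changes += [("header-changed", h) for h in SECURITY_HEADERS
                if baseline["headers"].get(h) != current["headers"].get(h)]
    return changes


if __name__ == "__main__":
    print(json.dumps(audit_scripts(TAMPERED_PAGE, INVENTORY), indent=2))
    baseline = page_fingerprint(BASELINE_PAGE, BASELINE_HEADERS)
    print(json.dumps(detect_changes(baseline, page_fingerprint(TAMPERED_PAGE, TAMPERED_HEADERS)), indent=2))
```

Run against the tampered sample, the audit reports the tokenization script with its integrity attribute stripped, a modified inline script and an unapproved external script; the change detector additionally flags the loosened Content-Security-Policy. In practice the stored fingerprint would be taken from the page as a consumer browser receives it (a synthetic browser fetch, not the origin template) and the comparison scheduled at least weekly, as the requirement states.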
To illustrate the differences, consider the following table comparing key aspects, including the applicability of requirements 6.4.3 and 11.6.1:
