Are your customers aware of the new SAQ A requirements?

Are your customers aware of the new SAQ A requirements?

By Natasja Bolton, Senior Acquirer Support


SAQ A v3.2 has introduced a number of changes to the self-assessment that will impact your customers that have chosen to outsource the handling and processing of cardholder data to external third party providers.


Although the fundamental expectation of SAQ A has not changed (that all payment acceptance and processing has been outsourced to a PCI DSS validated third-party service provider) there are now additional requirements that your customers need to ensure are met:


  • Security measures are now required to add basic protection to the service;
  • They must be prepared for a security incident.

For the many small businesses whose websites are set-up to redirect consumers to a hosted payment page, this will be a significant change to their self-assessment.  These merchants will need to assess their compliance with an additional eight SAQ questions that they themselves will most likely not know the answer to.  


It is Sysnet’s belief that, up till now, the extent of most small businesses’ ecommerce website security assurance has been seeking confirmation that their hosted payment page provider is a PCI DSS compliant service provider: the minimum needed for compliance with previous versions of SAQ A.


This view is supported by the 2015 HMG Cyber Security Breaches Survey which revealed that micro and small businesses (those with less than 49 employees) using externally hosted services take fewer actions to obtain assurance of their provider’s security:


Webpage URL

Find out more about our PCI DSS compliance services by clicking the button below



Steps respondents have taken to obtain reassurance over the external provider’s security Micro and Small Businesses (less than 49 employees) Larger Businesses (50 + employees)
Ensure that contracts with your provider included provisions for security 41% 75%
Obtain a service auditors report (e.g. ISAE 3402, AAF) on your provider’s controls 6% 24%
Ensure that your provider is certified as ISO27001 compliant 30% 46%
Attain reports from your provider on security breaches that might affect your data 13% 34%



With PCI DSS v3.2, SAQ A eligible small businesses will now have to seek compliance assurance not only from their hosted payment page provider but also from one or more third party providers hosting or managing their ecommerce website (the website that includes the re-direct code, or iFrame code, to the hosted payment page) to ensure that:


  • Vendor defaults have been changed and unnecessary default accounts removed (reqt 2.1);
  • All users are uniquely identified and authenticated (reqt 8.1.1, 8.1.3, 8.2, 8.5);
  • Strong passwords are being used (reqt 8.2.3);
  • Terminated user accounts are de-activated or removed (reqt 8.1.3);
  • An incident response plan is in place (reqt 12.10.1 a))

Many ecommerce merchants are under the misapprehension that, when set-up to use a hosted payment page their own website is ‘out of scope’ for PCI DSS and its requirements.  Unless they are warned in advance they will have no expectation that they need to engage their third party providers when assessing their ecommerce payment channel’s compliance for v3.2.


In order to raise awareness of the SAQ A changes and the additional compliance assessment steps that will be required of these businesses, Sysnet recommend that an education exercise be undertaken in advance of SAQ A re-validation to PCI DSS v3.2.  To explain to affected businesses that:


  • Their ecommerce website is in scope for PCI DSS and, despite the use of a PCI DSS compliant hosted payment page, is being targeted by hackers and could be at risk of a security breach;
  • Their service provider management, due diligence and compliance assessment must include not only their hosted payment page service provider but also those third parties responsible for fulfilling the requirement 2 and 8 security controls now included in SAQ A;
  • They and their third party service providers must be prepared for a security breach.

As noted in the HMG survey, security incident response should include receiving reports or notification from third party providers on breaches that might affect the business’ data, as well as the business themselves having a plan in place so they know what to do if they receive such reports. 


Even the simplest of security incident response plans (step 1: contact your acquirer) will help to reduce exposure of cardholder data and hence reduce the cost and impact of the breach.


Some of your merchants may need assistance when dealing with these new requirements, Sysnet can help with an awareness campaign that empowers your customers and provides support when they need it. For further information on our Merchant Contact Services request a call back or email


Like this Article?

Subscribe to receive more tips & news about Cyber Security, Compliance and a lot more!

  • Sysnet Global Solutions will use the information you provide on this form to be in touch with you regarding non-promotional as well as promotional material by email and phone. If you agree to same, then please select the ‘I consent’ box after reading the terms and conditions listed below in relation to consent. You can change your mind at any time by clicking the unsubscribe link in the footer of any email you receive from us, update your preferences for communications, content etc. by clicking on the update my preferences button in any email we send you or by contacting us at We will treat your information with respect. For more information about our privacy practices please visit our website. By clicking below, you agree that we may process your information in accordance with these terms. We use Pardot as our marketing automation platform. By clicking below to submit this form, you acknowledge or agree that the information you provide will be transferred to Pardot for processing in accordance with their Privacy Policy and Terms