SAQ A ecommerce requirements update

SAQ A ecommerce requirements update

The PCI SSC has published a further update on the applicability and implementation of the SAQ A requirements to merchant web servers that redirect customers to a third party for payment processing.


The SAQ A is applicable to merchant entities that have wholly outsourced their entire ecommerce website infrastructure to a PCI DSS compliant service provider as well as those that use a URL redirect or iFrame approach for their ecommerce payment processing.


With hosted payment page URL redirect and iFrame outsourced ecommerce integrations, the SAQ A requires PCI DSS controls to be implemented to protect the merchant website and ensure the integrity of the redirect or iFrame mechanism. 


The explanatory note in the SAQ A describes the applicability and implementation of these controls: “Requirements 2 and 8) apply … specifically to the merchant webserver upon which the redirection mechanism is located”.


The specific PCI DSS requirements intended to minimise the risk of compromise include:


  • Change vendor defaults and remove unnecessary default accounts (requirement 2.1);
  • Uniquely identify and authenticate all users (excluding consumer users) (requirements 8.1.1, 8.2, 8.5);
  • Use strong passwords for user authentication (requirement 8.2.3);
  • Immediately de-activate or remove terminated user accounts (requirement 8.1.3);


The updated FAQ 1439, acknowledges that the PCI SSC’s original statement on the applicability of these SAQ A requirements (that they need to be validated only to the merchant webserver) is only the true for simple ecommerce environments. In our February 2017 article, SAQ A: Changes for e-Commerce, one of Sysnet’s QSAs, Michael Hopewell, noted that not only is the merchant webserver going to be in scope for these requirements; systems conducting identification and authentication will also be in scope.


The updated FAQ expands on this, stating that in more complex ecommerce environments, the redirect or iFrame mechanism may depend on additional system components, such as application servers, database servers, and web proxies.  As these system components also control or could impact the integrity of the redirect or iFrame mechanism, the SAQ A controls will need to be validated on these systems components as well.


Mail Order/Telephone Order or Ecommerce merchants that have wholly outsourced all operations to validated PCI DSS compliant third-party service providers are also eligible for SAQ A but will not have any systems in scope for changing vendor default and authentication requirements in the SAQ A. In this case, the requirements noted above would be considered ‘Not Applicable’ in the merchant’s SAQ A compliance assessment.


Like this Article?

Subscribe to receive more tips & news about Cyber Security, Compliance and a lot more!

  • Sysnet Global Solutions will use the information you provide on this form to be in touch with you regarding non-promotional as well as promotional material by email and phone. If you agree to same, then please select the ‘I consent’ box after reading the terms and conditions listed below in relation to consent. You can change your mind at any time by clicking the unsubscribe link in the footer of any email you receive from us, update your preferences for communications, content etc. by clicking on the update my preferences button in any email we send you or by contacting us at We will treat your information with respect. For more information about our privacy practices please visit our website. By clicking below, you agree that we may process your information in accordance with these terms. We use Pardot as our marketing automation platform. By clicking below to submit this form, you acknowledge or agree that the information you provide will be transferred to Pardot for processing in accordance with their Privacy Policy and Terms