The PCI SSC has published a further update on the applicability and implementation of the SAQ A requirements to merchant web servers that redirect customers to a third party for payment processing.
The SAQ A is applicable to merchant entities that have wholly outsourced their entire ecommerce website infrastructure to a PCI DSS compliant service provider as well as those that use a URL redirect or iFrame approach for their ecommerce payment processing.
With hosted payment page URL redirect and iFrame outsourced ecommerce integrations, the SAQ A requires PCI DSS controls to be implemented to protect the merchant website and ensure the integrity of the redirect or iFrame mechanism.
The explanatory note in the SAQ A describes the applicability and implementation of these controls: “Requirements 2 and 8 apply … specifically to the merchant webserver upon which the redirection mechanism is located”.
The specific PCI DSS requirements intended to minimise the risk of compromise include:
- Change vendor defaults and remove unnecessary default accounts (requirement 2.1);
- Uniquely identify and authenticate all users (excluding consumer users) (requirements 8.1.1, 8.2, 8.5);
- Use strong passwords for user authentication (requirement 8.2.3);
- Immediately de-activate or remove terminated user accounts (requirement 8.1.3).
The updated FAQ 1439 acknowledges that the PCI SSC’s original statement on the applicability of these SAQ A requirements (that they need to be validated only on the merchant webserver) is only true for simple ecommerce environments. In our February 2017 article, SAQ A: Changes for e-Commerce, one of Sysnet’s QSAs, Michael Hopewell, noted that not only is the merchant webserver going to be in scope for these requirements; systems conducting identification and authentication will also be in scope.
The updated FAQ expands on this, stating that in more complex ecommerce environments the redirect or iFrame mechanism may depend on additional system components, such as application servers, database servers and web proxies. Because these system components also control, or could affect, the integrity of the redirect or iFrame mechanism, the SAQ A controls will need to be validated on these system components as well.
Mail Order/Telephone Order or ecommerce merchants that have wholly outsourced all operations to validated PCI DSS compliant third-party service providers are also eligible for SAQ A, but will not have any systems in scope for the vendor-default and authentication requirements in the SAQ A. In this case, the requirements noted above would be considered ‘Not Applicable’ in the merchant’s SAQ A compliance assessment.