Cybersecurity Insights

Benjamin Hosack

SAQ A & SAQ A-EP - Security & PCI Compliance For eCommerce Businesses

05/07/2016, 08:30

Understanding Payment Card Industry Data Security Standards (PCI DSS) and how it relates to a small to medium-sized eCommerce business is the first challenge for most businesses trying to becoming PCI DSS Compliant. With this article we hope to simplify what you need to know, what you need to do and why it is important.

So what is the PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security controls based on security best practice, designed and developed by the major card payment schemes (Visa, MasterCard, American Express, JCB, Diners and Discover) to enhance the security of cardholder data and thereby reduce the risk of data compromise and fraud on a global basis.

Who does the PCI DSS apply to?

The PCI DSS applies to all organisations that store, process or transmit payment cardholder data. For online businesses, if you can accept a payment card transaction for goods or services on your eCommerce website (even if you hand the transaction off to your payment processor), then the PCI DSS applies to you.

How to validate your PCI DSS compliance:

There is a single Payment Card Industry Data Security Standard which details all the controls required to be in place in any Cardholder Data Environment (CDE). The CDE is the part of a business that handles all payment card data.

Depending on the type and size of your business, you may be asked to either validate your compliance with the PCI DSS via a Self Assessment Questionnaire or to have an Onsite Assessment by a Qualified Security Assessor (QSA). Merchants (a business that accepts payment card transactions) are categorised into one of four levels. Level 1 merchants being the largest and requiring an onsite assessment, through to level 4 merchants who are required to validate their compliance via a Self Assessment Questionnaire.

Visa and MasterCard clearly define the merchant levels here:

PCI Compliance for eCommerce Websites

We assist many eCommerce businesses in either understanding what they need to do to become PCI Compliant, or in helping them get their business back following a compromise (hack) of their website where they have had their customers' cardholder data stolen.

Unfortunately there is a lot of misunderstanding about security and compliance, which often results in businesses thinking they are secure because they have completed a PCI DSS Self Assessment Questionnaire (SAQ) when, actually, they are not.

So with this understanding and experience, we always advise our clients to focus on security first – do that well and PCI Compliance will come naturally.

This article is aimed at the small to medium sized eCommerce businesses, generally categorised as a level 3 or level 4 merchant in PCI terms.

Security First

In one of our previous blog posts we discussed PCI Compliance, SAQ A and the Hacked Website. The basis of this article was that through misinformation, misunderstanding or a myriad of other reasons, a lot of businesses complete a Self Assessment Questionnaire, carry out the necessary (basic) vulnerability scans and believe that they are secure. That is  until they get the call from their bank saying that they have been hacked and need to spend £thousands on a forensic investigation to find out why.

Unfortunately, it seems that a lot of businesses assume that they are secure because they have outsourced their payments, have passed their scans and completed a SAQ for their bank. And that is where their security strategy stops.

Perhaps they're slightly justified in thinking that their web developer agency/IT solutions provider is taking care of the technical detail – however, as we talk about in a different blog post, it is generally NOT the case when it comes to security.

Website security is a key part of running a successful eCommerce business and requires careful consideration, a good strategy and a competent team to ensure that a website remains secure. An insecure website with an outsourced payment model can still be hacked and lose payment card data – as you can read in our blog articles.

Self Assessment Questionnaires

The PCI DSS is a comprehensive standard and the assessment process is detailed, lengthy and can be costly. Fortunately for smaller businesses, the PCI Security Standards Council (the body that manages the PCI DSS) has recognised this and have a number ofSAQ_A_or_SAQ_A-EP.png Self Assessment Questionnaires that smaller businesses can complete to validate their compliance with the PCI DSS.

Which SAQ applies to your eCommerce Business?

For companies that accept eCommerce payment card transactions (but don’t accept card-present payments from customers in person) – then there are two SAQs that could apply to your business. Depending on how you handle payment card transactions, you could complete either:

  • SAQ A, or
  • SAQ A-EP


This Self Assessment Questionnaire is for eCommerce or mail order/telephone order merchants that meet the following description:



Websites utilising an iFrame or Hosted Payment Page are able to complete SAQ A. In these payment acceptance models, payment data is input directly into a form or page hosted by the eCommerce website’s payment service provider. A few examples of payment options that meet SAQ A criteria are:

 The SAQ A asks merchants to confirm that they meet this criteria and then focuses on passwords, access control measures, physical security and policies and procedures. It is a relatively short questionnaire and often once completed, most businesses don’t generally think about security until the following year when they are asked to complete the SAQ again.

SAQ A Merchants can still get hacked. 

Unfortunately, this is where a lot of eCommerce businesses fall victim to attackers resulting in expensive, disruptive forensic investigations and penalties from the card schemes.

Just because the questionnaire is short and simple, it does not mean that the rest of the PCI DSS is no longer of importance. The SAQ A is merely the method by which a merchant validates compliance with the PCI DSS.

So, when the merchant’s website technology (Magento, Drupal, OS Commerce etc) is identified as having a security vulnerability and the web developer does not get the website patched quickly, an attacker may have a opportunity at hacking the site (and they often do).

Need some more convincing?

Have a read of the following blog articles – most of these were written following forensic investigations of numerous small to medium eCommerce businesses that had been hacked and had their customers' payment card stolen from them – even though they had been outsourcing their payments and did not think that they had to worry about securing the transaction:

 The message is:

If you want to have secure payments, you need to secure your website.


SAQ A-EP is for eCommerce merchants who meet the following criteria:


To simplify this paragraph from the PCI SSC a little, this means that direct post, JavaScript, XML or any other techniques which involve the eCommerce merchant’s server to process and/or transmit cardholder data to the payment service provider are required to complete SAQ A-EP.

Essentially, the eCommerce merchant is capturing the payment data in a form and passing it on to their payment service provider’s API. Generally we see this form of payment more frequently in larger eCommerce environments.

Most of the payment service providers mentioned earlier have options that fall into this category, such as:

Always check with your payment service provider about how the integration works and whether you meet SAQ A or A-EP definitions - and then check with your Qualified Security Assessor.

SAQ A-EP asks considerably more questions than SAQ A about the security of the web server environment, making it slightly more challenging to complete. But, in asking the more in-depth questions, it could easily be argued that it makes those eCommerce businesses think about their security in a more detailed way than SAQ A and therefore they tend to be more secure.

Security and PCI DSS

So now that you know which SAQ - A or A-EP - applies to your business, we would urge you to not stop at simply answering the questions presented to you without thinking through the following:

  • Who manages and maintains your website?
  • Do you have an agreement for them to maintain the security of your website?
  • What exactly do they provide you in the way of website security?
  • What happens if your business gets hacked? Be prepared for the worst.

(Here’s a link to a free example Incident Response Guide, which you will need to have in place – who to call, what to do, how to handle clients, how to handle media, how to handle legalities). 

  • Do you have Cyber Breach Insurance?

Working with a secure, PCI DSS Compliant payment gateway is the first step in securing your client transaction data. The next step is to ensure that your website is secure, because if your website is not secure, it is easy for criminals to steal from you.

Without a secure website, your client data is at risk of being stolen.

To learn more about website security, download our eBook - 7 Tips to Secure Your Website. 

eBook - 7 Expert Tips to Secure Your Website


Tags: Web Security