Common challenges for SAQ A/e-commerce merchants and how to resolve them
E-commerce merchants, by definition, accept card payments. So, theyâre subject to the PCI DSS (Payment Card Industry Data Security Standard).
This standard, currently at v4.0.1 (a limited revision to PCI DSS v4.0), contains 277 sub-requirements. However, you can reduce your scope to drastically lower the number of requirements you must meet, thereby significantly reducing your compliance burden.
Example: Online merchants can aim for SAQ A
This SAQ (self-assessment questionnaire) contains just 31 questions (1 per applicable sub-requirement). To qualify, you must fully outsource your account data functions.
As an online merchant, that means:
- Your website must be entirely hosted and managed by a PCI DSS-compliant third party; or
- You need to set up a web page redirect or iframe via a compliant TPSP (third-party service provider).
Many online merchants use a third party to host their website, and usually qualify for SAQ A.
However, as Iâve seen with some recent clients (Iâm a PCI QSA â Qualified Security Assessor), they expect the process to be straightforward because they qualify for a shorter SAQ.
Then theyâre surprised when problems or challenges arise.
The redirect is in scope
Usually, if a system component stores, processes and/or transmits account data, itâs within the PCI DSS scope. However, for merchants whose website qualifies for SAQ A by using a redirect or an iframe, the PCI DSS has an exception.
Even though the website or web server that causes the userâs browser to redirect to the payment page, or load the iframe, doesnât directly touch card data, the website/web server is in scope.
So, how might that cause problems?
Scenario #1: The merchant uses a third party to host its website
Some organisations donât manage their own web server, but use a third party to host their website. Sometimes, that third party lacks an AoC (Attestation of Compliance) or other proof of their PCI DSS compliance.
Thatâs not necessarily a problem.
However, the service provider then comes into scope for the merchantâs own PCI DSS assessment and must provide evidence of compliance with some parts of the following:
- Requirement 2: Apply secure configurations to all system components.
- Requirement 6: Develop and maintain secure systems and software.
- Requirement 8: Identify users and authenticate access to system components.
Often, such service providers have limited knowledge of the PCI DSS. In fact, some protest that they donât store, process or transmit cardholder data, so arenât in scope.
When the merchant, or a QSA on its behalf, then explains the PCI DSS rules to them, some web hosts will be helpful and engage with the QSA to provide the evidence needed.
Others can be difficult, or slow to respond.
Iâve even had one company saying it wasnât âcompetentâ to meet the PCI DSS requirements! The merchant had to take down the store and find a new host. Fortunately, the store wasnât a large part of its overall business.
Scenario #2: The merchant outsources its entire e-commerce function
Other merchants outsource their entire e-commerce function to a third party specialising in hosted e-commerce applications. This external party usually provides this service using a SaaS (Software-as-a-Service) or PaaS (Platform-as-a-Service) model.
As service providers, they typically have PCI DSS certification.
So, merchants think: âGreat! Iâve outsourced both the payment handling and web hosting. All thatâs left for my PCI compliance are requirements 12.8.X around managing the service providers.â*
That may be the case.
Equally, it might not be that straightforward:
- Can the merchant customise the code on the payment page?
- If yes, whoâs responsible for new sub-requirements 6.4.3 and 11.6.1?
- Is the merchant responsible for updating the e-commerce application?
- Does the service provider take responsibility for ASV (Approved Scanning Vendor) scanning?
In a full SaaS model, the service provider will likely be responsible for all the above points.
But if the provider leaves much of the web page under the merchantâs control, the above could all be down to the merchant.
In other cases, the responsibility is shared between provider and customer. So, conduct your due diligence.
*Requirements 12.10.X, around responding to security incidents that could impact the CDE (cardholder data environment), might also remain the merchantâs responsibility. Itâs best to check this on a case-by-case basis.
Want to better understand the relationship between Cloud customers and providers?
Our free green paper, Cloud Security â Who is responsible?, explains in more detail:
- How the Cloud providerâcustomer relationship works
- Where your respective responsibilities lie
- Security challenges of using the Cloud
- And more!
Broad outline of security responsibilities in Cloud relationships
by security control and service type; taken from page 3.
How can a merchant address these challenges?
The answer is already in the PCI DSS. Specifically, sub-requirement 12.8.3 (emphasis added):
An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement.
Often, merchants seek to achieve this âproper due diligenceâ through standard financial checks. They may also request to view the supplierâs AoC, if it claims to be PCI compliant.
But more is needed.
When seeking a new service provider, a merchant should consider the following:
- A contractual requirement for the service provider to have its own PCI DSS compliance certification, or at least that itâll meet all applicable PCI requirements.
- A contractual requirement for the TPSP to cooperate with any merchant audit or assessment, and provide evidence as requested for the merchantâs assessment.
- If the service provider does have its own PCI DSS compliance, check exactly which requirements are covered (sub-requirement 12.8.5). The AoC on its own doesnât have enough detail for this.
- Note: Some service providers may have a responsibility matrix, but even this doesnât always provide sufficient detail. Ask specifically about sub-requirements 6.4.3, 11.6.1 and 11.3.2 (ASV scans).
- Include within the contract (or obtain a separate statement) an acknowledgement from the service provider of their responsibility for the security of the merchantâs data (sub-requirement 12.8.2).
Doing this in advance avoids surprises at assessment time. It also ensures that much of the burden of compliance is shifted to the service provider.
Need help with your PCI DSS compliance?
Our team of PCI DSS advisors can help quickly determine your goals, and advise on a programme that meets your organisationâs needs and expectations.
We take a collaborative approach when delivering PCI DSS assessments. Our QSA consultants work closely with customers to understand their business, cardholder data flows, technologies and corporate culture.
We first published a version of this blog in March 2015.
