What changes are applicable to SAQ A-EP?

SAQ A-EP: Merchants who partially outsource e-commerce payment channel to PCI DSS compliant third parties.

Similar to the SAQ A, changes have been made to clarify SAQ eligibility and applicability by:

  • Updating references to ‘cardholder data’ to ‘account data’
  • Requiring merchants to review AOCs for their third-party service provider(s) and confirm the third-party service provider(s) are PCI DSS compliant for the services used.
  • Including notes and completion guidance throughout the SAQ A-EP.

The greatest impact of new PCI DSS version 4.0 Requirements is in the SAQ A-EP. The majority of the new and additional Requirements are in Requirements 6 ‘Develop and Maintain Secure Systems and Software’ and 8: ‘Identify Users and Authenticate Access to System Components’. The version 4.0 SAQ A-EP includes:

  • 10 Requirements are new and effective immediately.
  • 22 Requirements are new but future dated.
  • While 8 consolidated, redundant, or no longer applicable v3.2.1 SAQ Requirements have been removed from SAQ A-EP: 1.1.4 a&b, 1.3.4, 1.3.5, 2.2.4 a, 9.6 a, 9.7, 12.5.3.

The most significant of the new or additional Requirements are highlighted below:

Effective Immediately:

  • Additional Requirements to ensure secure development of bespoke and custom software (6.2.1, 6.2.2) Only applicable to merchants with bespoke software (developed to the entity’s specifications by a third party) or custom software (developed by the entity)
  • Designated personnel to be available for 24*7 incident response (12.10.3)

Future-dated

  • Implement automated mechanisms to detect and protect against phishing attacks, include phishing and social engineering in security awareness training (5.4.1, 12.6.3.1)
  • Maintain an inventory of all bespoke software (developed to the entity’s specifications by a third party), custom software (developed by the entity), and third-party software components and include all such software in vulnerability and patch management processes (6.3.1, 6.3.2)
  • Manage payment page scripts to ensure each script is necessary, its use authorized, and its integrity assured (6.4.3)
    • Applicable to the payment page(s) provided from the e-commerce merchant’s website(s) to the customer’s browser.
  • Manage application and system accounts (7.2.5, 8.6.1, 8.6.2, 8.6.3)
  • Minimum of 12-character alphanumeric password length, if passwords/passphrases are used for authentication of users and administrators (8.3.6)
    • Or minimum 8 characters if the system does not support 12 characters.
    • Applicable to merchant webservers that host the payment page(s) provided from the merchant’s website to the customer’s browser.
    • Not applicable to application or system accounts.
  • Additional requirements for multi-factor authentication (MFA) (8.4.2, 8.5.1)
    • MFA to be implemented for all access into the CDE.
    • Configure MFA systems to ensure they are not susceptible to replay attacks, cannot be bypassed by any users without authorization, use at least two different types of authentication factors and grant access only after all authentication factors are successful.
  • Implement a change- and tamper-detection mechanism to detect and alert on unauthorized modification to the HTTP headers and the contents of payment pages as received by the consumer browser (11.6.1)
    • Applicable to merchant webservers that host the payment page(s) provided from the merchant’s website to the customer’s browser.
  • Perform targeted risk analyses to determine the frequency a requirement is performed (12.3.1)
    • Applicable to Requirements 5.2.3.1, 5.3.2.1, 8.6.3, 10.4.2.1, 11.6.1.

What changes are applicable to SAQ A-EP?

SAQ A-EP: Merchants who partially outsource e-commerce payment channel to PCI DSS compliant third parties.

Similar to the SAQ A, changes have been made to clarify SAQ eligibility and applicability by:

  • Updating references to ‘cardholder data’ to ‘account data’
  • Requiring merchants to review AOCs for their third-party service provider(s) and confirm the third-party service provider(s) are PCI DSS compliant for the services used.
  • Including notes and completion guidance throughout the SAQ A-EP.

The greatest impact of new PCI DSS version 4.0 Requirements is in the SAQ A-EP. The majority of the new and additional Requirements are in Requirements 6 ‘Develop and Maintain Secure Systems and Software’ and 8: ‘Identify Users and Authenticate Access to System Components’. The version 4.0 SAQ A-EP includes:

  • 10 Requirements are new and effective immediately.
  • 22 Requirements are new but future dated.
  • While 8 consolidated, redundant, or no longer applicable v3.2.1 SAQ Requirements have been removed from SAQ A-EP: 1.1.4 a&b, 1.3.4, 1.3.5, 2.2.4 a, 9.6 a, 9.7, 12.5.3.

The most significant of the new or additional Requirements are highlighted below:

Effective Immediately:

  • Additional Requirements to ensure secure development of bespoke and custom software (6.2.1, 6.2.2) Only applicable to merchants with bespoke software (developed to the entity’s specifications by a third party) or custom software (developed by the entity)
  • Designated personnel to be available for 24*7 incident response (12.10.3)

Future-dated

  • Implement automated mechanisms to detect and protect against phishing attacks, include phishing and social engineering in security awareness training (5.4.1, 12.6.3.1)
  • Maintain an inventory of all bespoke software (developed to the entity’s specifications by a third party), custom software (developed by the entity), and third-party software components and include all such software in vulnerability and patch management processes (6.3.1, 6.3.2)
  • Manage payment page scripts to ensure each script is necessary, its use authorized, and its integrity assured (6.4.3)
    • Applicable to the payment page(s) provided from the e-commerce merchant’s website(s) to the customer’s browser.
  • Manage application and system accounts (7.2.5, 8.6.1, 8.6.2, 8.6.3)
  • Minimum of 12-character alphanumeric password length, if passwords/passphrases are used for authentication of users and administrators (8.3.6)
    • Or minimum 8 characters if the system does not support 12 characters.
    • Applicable to merchant webservers that host the payment page(s) provided from the merchant’s website to the customer’s browser.
    • Not applicable to application or system accounts.
  • Additional requirements for multi-factor authentication (MFA) (8.4.2, 8.5.1)
    • MFA to be implemented for all access into the CDE.
    • Configure MFA systems to ensure they are not susceptible to replay attacks, cannot be bypassed by any users without authorization, use at least two different types of authentication factors and grant access only after all authentication factors are successful.
  • Implement a change- and tamper-detection mechanism to detect and alert on unauthorized modification to the HTTP headers and the contents of payment pages as received by the consumer browser (11.6.1)
    • Applicable to merchant webservers that host the payment page(s) provided from the merchant’s website to the customer’s browser.
  • Perform targeted risk analyses to determine the frequency a requirement is performed (12.3.1)
    • Applicable to Requirements 5.2.3.1, 5.3.2.1, 8.6.3, 10.4.2.1, 11.6.1.