The PCI DSS 3.0 SAQs are here!

March 17, 2014, Kenny Yau, Senior IT Security Consultant

The Payment Card Industry Security Standards Council (PCI SSC) released Data Security Standards (DSS) 3.0 in November 2013 and has just released the related Self-Assessment Questionnaires (SAQ). There are two new SAQs, SAQ A-EP and SAQ B-IP.

The SAQ A-EP is for e-commerce merchants that outsource all of their e-commerce payment channels to PCI DSS-validated third parties. These e-commerce merchants do not electronically store, process, or transmit any cardholder data on their systems or premises.

For example, if you own and maintain an e-commerce site such as “Customer’s Online Pet Shop”, and you decided to redirect all payment processing to a validated third-party payment processor, you would need to be able to answer “no” the following question to be eligible to fill out the SAQ A-EP.:

  • After a consumer decides to check out and they’re redirected to a third-party payment processor for transaction processing, is payment card information such as Primary Account Numbers (PAN), Card Validation Values (CVV) and expiration dates transmitted back to your systems?

It is also important to keep in mind that a redirect to a validated third-party payment processor does not mean you’re automatically PCI DSS compliant or exempt from all requirements on the originating web-server. There are risks that still exist within redirections such as:

  • An external or internal source decides to modify your webpage code to redirect all payments to their own merchant account.  A perfect example can be your Web Administrator going rogue and deciding to redirect all consumer payments to his own account.

Merchants need to be fully aware of how that web server is secured from such risks by implementing and maintaining the data security standards within the environment.

The SAQ B-IP is for merchants that use stand-alone Pin Transaction Security (PTS) approved Point-of-Interaction (POI) devices connected directly via Internet Protocol (IP) to payment processors and that do not store CHD electronically.

If you own a PTS-POI device that does not rely on any other devices such as a computer, POS application, mobile device, etc. to connect to the payment processor via IP to process transactions, then you may be eligible to fill out the SAQ B-IP.

The main difference between SAQ B and SAQ B-IP is dial-out vs. IP connectivity.

For all SAQ merchants, it’s very important to understand “what type of SAQ does my acquirer want me to file?”  If you have any questions about the new SAQ versions and how they could impact your validation, please feel free to reach out to your trusted advisor at Coalfire.


Kenny Yau


Kenny Yau — Senior IT Security Consultant

Recent Posts

Post Topics