The PCI DSS 3.0 SAQs are here!

Kenny Yau, Senior IT Security Consultant

The Payment Card Industry Security Standards Council (PCI SSC) released Data Security Standards (DSS) 3.0 in November 2013 and has just released the related Self-Assessment Questionnaires (SAQ). There are two new SAQs, SAQ A-EP and SAQ B-IP.

The SAQ A-EP is for e-commerce merchants that outsource all of their e-commerce payment channels to PCI DSS-validated third parties. These e-commerce merchants do not electronically store, process, or transmit any cardholder data on their systems or premises.

For example, if you own and maintain an e-commerce site such as “Customer’s Online Pet Shop”, and you decided to redirect all payment processing to a validated third-party payment processor, you would need to be able to answer “no” the following question to be eligible to fill out the SAQ A-EP.:

  • After a consumer decides to check out and they’re redirected to a third-party payment processor for transaction processing, is payment card information such as Primary Account Numbers (PAN), Card Validation Values (CVV) and expiration dates transmitted back to your systems?

It is also important to keep in mind that a redirect to a validated third-party payment processor does not mean you’re automatically PCI DSS compliant or exempt from all requirements on the originating web-server. There are risks that still exist within redirections such as:

  • An external or internal source decides to modify your webpage code to redirect all payments to their own merchant account.  A perfect example can be your Web Administrator going rogue and deciding to redirect all consumer payments to his own account.

Merchants need to be fully aware of how that web server is secured from such risks by implementing and maintaining the data security standards within the environment.

The SAQ B-IP is for merchants that use stand-alone Pin Transaction Security (PTS) approved Point-of-Interaction (POI) devices connected directly via Internet Protocol (IP) to payment processors and that do not store CHD electronically.

If you own a PTS-POI device that does not rely on any other devices such as a computer, POS application, mobile device, etc. to connect to the payment processor via IP to process transactions, then you may be eligible to fill out the SAQ B-IP.

The main difference between SAQ B and SAQ B-IP is dial-out vs. IP connectivity.

For all SAQ merchants, it’s very important to understand “what type of SAQ does my acquirer want me to file?”  If you have any questions about the new SAQ versions and how they could impact your validation, please feel free to reach out to your trusted advisor at Coalfire.


Kenny Yau


Kenny Yau — Senior IT Security Consultant

Recent Posts

Post Topics



Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS