looking for advice on selecting my PCI Compliance SAQ

I use the Customer Information Manager for storing customer data and capturing charges. I capture the customer's credit card through a website and then pass it through to the CIM using John Conde's PHP class. It is not stored on my system.


I'm having a difficult time selecting the correct Self Assessment Questionnaire for my annual PCI Compliance. Last year I registered as an A but am thinking that the CIM in this manner is an A-EP. Below are the guidelines for A vs A-EP.


SAQ A:

  • Merchant website is entirely hosted and managed by a PCI-compliant, third-party payment processor, OR
  • Merchant website provides an iframe or URL that redirects a consumer to a PCI-compliant, third-party payment processor, where no elements of the page originate from the merchant website.

SAQ A-EP:

  • Merchant website creates a payment form and “direct posts” payment data to PCI-compliant, third-party payment processor, OR
  • Merchant website provides an iframe or URL that redirects a consumer to a PCI-compliant, third-party payment processor, BUT some elements of the payment page originate from the merchant website.  (Elements would be JavaScript, CSS or any functionality that supports how the payment page is created.)

Does anyone have any thoughts, comments or suggestion?


pberce
Contributor
3 REPLIES

Hello @pberce,

It doesn't look like anyone has responded yet, but someone still may have feedback on what you're looking for.


You might also consider checking with your QSA. If you don't have one, you can check with our preferred partner TrustWave at http://www.authorize.net/qsa


I'd recommend subscribing to this topic so that you'll be alerted via email if anyone else from the community is able to respond with any comments. To subscribe, click Topic Options at the top of this thread and then select Subscribe. You'll then receive an email once anyone replies to your post.


Thanks,

Richard

RichardH
Administrator

Richard,


Thank you for your reply.


Just wanted to pass this along, found it in my travels. It answered my question about which SAQ to select. This is the clearest description I could find about the selection process. It can be found here:


https://www.pcicomplianceguide.org/wp-content/uploads/2014/03/PCI-3.0-SAQ-Chart.jpg


According to this I need to select A-EP.


I wanted to post a follow-up on the subject.


Here's my scenario:


Website is hosted in a shared environment with a unique IP address. We capture the customers' credit cards on a page encrypted with an SSL Certificate and then pass it through to the Authorize.net CIM system for storage and future charging.


I talked with a Qualified Security Assessor provided by my Merchant Provider (a service that most provide for free). According to them, given our method of capturing and storing the credit card number, we are classified as an SAQ-D. Even though we don't store the credit card number on our system, touching the card number puts us into this category. This is new with PCI DSS 3.0. SAQ-D is the most restrictive classification for PCI-Compliance.


The two options for me, at this moment, are to either move my site to a host that provides PCI Compliant hosting, or to capture the credit card information using the CIM iFrame Hosted Form.
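The scoping point in the post above is that a server which merely relays a card number, without storing it, still "touches" cardholder data. The following is an added example, not code from the poster, from John Conde's class or from Authorize.net: a small PAN-discovery scan of the kind a practitioner runs over captured request bodies or application logs to check whether card numbers are actually passing through a web server. The request bodies in `SAMPLE_REQUESTS` are constructed for the example (they use the well-known Visa and Amex test numbers, not real cards), the `payment_token` field name is hypothetical, and no Authorize.net API is called.

```python
"""Scan captured HTTP request bodies for primary account numbers (PANs).

If a Luhn-valid PAN appears in traffic handled by a web server, that server
has handled cardholder data even when the application never stores it.
Sample bodies below are constructed for this example; they are not real
traffic and the field names are assumptions.
"""
import re
from typing import Dict, List

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer run of digits (a 20-digit value is not a PAN).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[str]:
    """Return normalised (digits-only), Luhn-valid PANs found in text."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):  # drops order ids and other digit runs
            found.append(digits)
    return found


def classify_request(body: str) -> Dict[str, object]:
    """Report whether one request body carried cardholder data."""
    pans = find_pans(body)
    return {"cardholder_data": bool(pans),
            "masked_pans": [mask_pan(p) for p in pans]}


def scope_summary(bodies: List[str]) -> Dict[str, int]:
    """Count requests that carried a PAN versus those that did not."""
    summary = {"with_pan": 0, "without_pan": 0}
    for body in bodies:
        if classify_request(body)["cardholder_data"]:
            summary["with_pan"] += 1
        else:
            summary["without_pan"] += 1
    return summary


# Constructed sample bodies (not captured traffic). Field names are assumed.
SAMPLE_REQUESTS = [
    # Direct post: the merchant's own form sends the PAN to the merchant server.
    "card_number=4111111111111111&exp=12%2F29&cvv=123&amount=19.99",
    # Same pattern, dash-formatted Amex test number.
    "cc=3782-822463-10005&exp=01%2F30&amount=42.00",
    # Hosted-form pattern: only an opaque token reaches the merchant server.
    "payment_token=tok_9f8e7d6c5b4a3f2e1d0c&amount=19.99",
    # 16-digit order id that fails Luhn and must not be flagged.
    "order_id=1234567890123456&status=paid",
]

if __name__ == "__main__":
    for body in SAMPLE_REQUESTS:
        print(classify_request(body))
    print(scope_summary(SAMPLE_REQUESTS))
```

Run against real access logs or a request capture, a single `with_pan` hit is enough to answer the "does the card number touch our system" question, whatever the SAQ chart says about the page layout; the Luhn filter keeps long order numbers and timestamps from producing false alarms, and only masked values are ever reported.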