How do PCI DSS Requirements 2 and 8 apply to SAQ A merchants?
Merchants eligible to complete SAQ A are e-commerce or mail-order/telephone-order (MOTO) merchants that outsource all payment processing and do not store, process or transmit cardholder data on their premises or systems. E-commerce merchants eligible for SAQ A include those that completely outsource all website operations, as well as those using URL redirect or other mechanism that meets SAQ A criteria to redirect consumers to a compliant third party for payment processing.
To address the ongoing threats to merchant web servers that redirect customers to a third party for payment processing, some additional PCI DSS requirements were included in SAQ A for PCI DSS v3.2. The additional requirements include changing default passwords (Requirement 2) and implementing some basic authentication requirements, such as requiring a unique user ID and strong password (Requirement 8). These requirements are intended to help protect merchant websites from compromise and maintain the integrity of the redirection mechanism.
E-commerce merchants that redirect customers from their website to a third party for payment processing will need to validate these requirements for the webserver upon which the redirection mechanism is located.
MOTO or ecommerce merchants that have completely outsourced all operations may not have any systems in scope for SAQ A, and in these circumstances these requirements could be considered ?not applicable.? If a requirement is deemed not applicable, the merchant should select the ?N/A? option for that requirement, and complete the ?Explanation of Non-Applicability? worksheet in Appendix C for each ?N/A? entry.