Diff: FAQ #1439
How do PCI DSS Requirements 2 and 8 apply to SAQ A merchants?
Merchants eligible to complete SAQ A are e-commerce or mail-order/telephone-order (MOTO) merchants that outsource all payment processing and do not store, process or transmit cardholder data on their premises or systems. E-commerce merchants eligible for SAQ A include those that completely outsource all website operations, as well as those using URL redirect or another mechanism that meets SAQ A criteria to redirect consumers to a compliant third party for payment processing.
To address the ongoing threats to merchant web servers that redirect customers to a third party for payment processing, some additional PCI DSS requirements were included in SAQ A for PCI DSS v3.2. The additional requirements include changing default passwords (Requirement 2) and implementing some basic authentication requirements, such as requiring a unique user ID and strong password (Requirement 8). These requirements are intended to help protect merchant websites from compromise and maintain the integrity of the redirection mechanism.
In a simple e-commerce environment, the merchant webserver contains the mechanism that redirects customers from their website to a third party for payment processing. In these environments, the merchant will need to validate these requirements for the webserver upon which the redirection mechanism is located.
It is also possible for a SAQ A merchant to have a more complex e-commerce environment, where additional system components (such as application servers, database servers, and web proxies) control or could impact the integrity of the redirection mechanism. In these scenarios, the requirements would apply to all system components comprising or managing the redirection mechanism.
MOTO or e-commerce merchants that have completely outsourced all operations may not have any systems in scope for SAQ A and, in such circumstances, these requirements could be considered "not applicable." If a requirement is deemed not applicable, the merchant should select the "N/A" option for that requirement, and complete the "Explanation of Non-Applicability" worksheet in Appendix C for each "N/A" entry.
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.