PCI: Your eCommerce Web Sites Are In Scope

We now anticipate that many small merchants will find their web sites in scope for PCI compliance under PCI DSS v3.

We wrote earlier this year concerning the potential for scope changes brought about by PCI DSS v3. Now that the official v3 SAQ documents have been published, it is becoming clearer what the impact of these scope changes will be.

If you were a self-assessment merchant validating under SAQ A, you now have two possible SAQ routes. Which SAQ applies hinges on whether you redirect to a payment page, as opposed to having the entire web payment solution hosted by a third party.

  1. For e-commerce-only merchants redirecting to a third-party payment gateway, the new SAQ A-EP is now applicable. This puts previously out-of-scope web servers in scope, along with a range of PCI requirements drawn from all 12 sections.
  2. For card-not-present merchants using a third-party hosted solution (i.e. you don’t redirect, and the entire payment and web solution is hosted by the compliant payment service provider), SAQ A is applicable. This is largely the same as the minimal SAQ A from v2.

The upshot is that if you redirect to a payment page, your originating web servers (and any other applicable components) are in scope for a wide range of PCI DSS requirements. If you want to avoid this, your entire payment web site/solution (not just the payment page) needs to be hosted by a compliant payment service provider.

Any other combination of payment channels that include eCommerce will simply default to SAQ D.

Essentially, all merchant eCommerce sites that previously escaped mandatory security assessment can no longer be overlooked.

Download our SAQ v3 applicability summary here.
