Which SAQ is applicable to an e-commerce service provider, provided they are eligible?

SAQ D
SAQ D applies to SAQ-eligible e-commerce merchants where the merchant website is involved in both the acceptance and processing of the cardholder data. SAQ D also applies to SAQ-eligible merchants that are unable to meet the eligibility criteria of the other SAQ types.

What does SAQ D stand for?

Self-Assessment Questionnaire
Payment Card Industry (PCI) Self-Assessment Questionnaire (SAQ) D is the longest SAQ mostly because it deals with securing electronic card data that businesses process, store, and transmit. It’s vital that businesses secure this data, which is why the process for filling out this SAQ is fairly extensive.

What is an SAQ in English?

Other expansions of the acronym SAQ: Seldom Asked Question; Sensibly Asked Question; Speed, Agility & Quickness (UK-based movement training company).

When do I need to use SAQ A-EP?

E-commerce merchants who use other technologies or processes, such as JavaScript or direct post methods, to direct the flow of cardholder data from the customer directly to the compliant third-party payment gateway would need to validate using the SAQ A-EP. The SAQ A-EP touches on all the requirements in the PCI DSS.

Can a SAQ A-EP card be redirected to a third party?

This observation was based on the following eligibility statement for SAQ A-EP: “Your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor” (Source: SAQ A-EP, p. iii).

What is a SAQ D merchant in e-commerce?

SAQ D-Merchant: an e-commerce merchant that cannot meet the criteria for SAQ A or SAQ A-EP, OR an e-commerce merchant that stores credit card data, OR payment pages are delivered from the merchant’s website.

Is the SAQ A in conflict with the A-EP?

Therefore, the statements in the SAQ A-EP requirements and the examples in the Guidance document appear to be in direct conflict with each other. This is a meaningful change of position because the Council is saying that SOME types of redirection are OK, but most security experts will tell you that ANY redirection is risky.