SAQ-A-EP: A big shakeup for online merchants

EDIT: This post was originally made in March 2014. In April 2014 an “Understanding guidelines” doc was issued that indicated that iFrame pages would be treated more favorably than direct post/redirect approaches. Read our most recent post here: 


The new PCI DSS 3.0 Self Assessment Questionnaires (SAQ) were released recently but will not go into effect until January 2015. However, as the new requirements stand, the impact for merchants transacting online seems to be potentially very significant.

Up until now, many payment gateways (or PSP’s) have offered a hosted payment page for smaller merchants. In return for using a hosted payment page the merchant was only required to complete a SAQ-A (about 13 questions in length). It now looks like merchants who use hosted payment pages will be required to fill out a SAQ-A-EP. This is 139 questions long or 10x the length of the old form! It looks like there will be more than 100+ technical controls for any merchant to validate. They’ll also have to do a quarterly scan and an annual penetration test against their site. For smaller merchants that’s a significant jump in both time and cost.

To be clear, this applies to merchant who host (or use a third party) to host their site and then hand their customers off to a hosted payment page (HPP) for completion of the order. What the PCI SSC is effectively saying here is that bad guys can take over that hosted site and redirect the HPP to a location of their choosing and therefore capture the card details. So your hosted site is really *in* scope. At the very least, it needs to be more secure than a SAQ-A requires.

It should be stressed that it is still early in the adoption process and the new requirement won’t be enforced until January 2015. There is still the possibility that the PCI SSC will tone down it’s approach over the course of the year and the final requirement could be significantly different to the current proposal. However, *assuming* it doesn’t change significantly there are going to be some clear winners and losers:


i) The scanning companies. There are  literally millions of merchants that will now need quarterly scans and annual penetration tests

ii) Completely hosted platforms: thinking of hosting your own Magento instance on Heroku or using Shopify? We suspect that Shopify now becomes much more compelling due to the fact that the entire store is in their PCI compliant environment. That’s most likely still a SAQ-A for the merchant. Hosting your own instance of Magento (or any other shopping cart) on Heroku will require the SAQ-A-EP.


i) Cloud billing and booking platforms that themselves are not PCI compliant and have relied on hosted payment pages from PSP’s/payment gateways to “offload” PCI compliance. If your competitor is fully PCI compliant they’re going to drive home the message that merchants using your platform need a SAQ-A-EP while merchants on their platform need the simple SAQ-A

ii) Per the above any SaaS service that is in itself not PCI compliant will be at a competitive disadvantage to those that are. Imagine Heroku vs raw AWS where the latter environment is already PCI compliant.

At the highest level, it appears that the PCI SCC is trying to close a loophole – they probably never envisioned so many merchants being able to use HPP’s and thus only needing a SAQ-A.  Clearly they want these merchants to have a much better understanding of what is required to ensure they have a secure site and as part of that are mandating checks by an outside third party on a regular basis. However, this is a significant change that affects a very wide audience. It’s hard to comprehend what will happen if/when this comes into contact with the real world and how many merchants will be adequately prepared for the heightened compliance requirements.

The next few months will be interesting. Like many, we’ll be waiting to hear more as the situation evolves.