logo
Welcome to our new AbleCommerce forums. As a guest, you may view the information here. To post to this forum, you must have a registered account with us, either as a new user evaluating AbleCommerce or an existing user of the application. For all questions related to the older version of Gold and earlier, please go to AbleCommerce Gold forum. Please use your AbleCommerce username and password to Login. New Registrations are disabled.

Notification

Icon
Error

Options
Go to last post Go to first unread
MaximillianC  
#1 Posted : Tuesday, March 30, 2021 8:05:47 PM(UTC)
MaximillianC

Rank: Member

Groups: Developers
Joined: 6/4/2020(UTC)
Posts: 16

Thanks: 5 times
Hello,

Can you please tell us which PCI-DSS SAQ (self-assessment questionnaire) applies for companies who host AbleCommerce 9 for our clients? Your PCI documentation does not address this question as far as I can see. I originally thought that SAQ A-EP applied, because, on page 11 of the SAQ Instructions and Guidelines PDF where the A-EP criteria are defined, it says:

  • Your company accepts only e-commerce transactions;
  • All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated third-party payment processor;

But then, it continues to say:

"Your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor;"

The flowchart/decision tree on the last page (page 18) indicates that the SAQ A-EP would only apply if we "direct-post" the cardholder data to another system, from our own payment form. But AbleCommerce doesn't direct-post to merchant processors (like Authorize.net), right? In the code, I can see that the payment data is posted back to the AC IIS server first, and then (at least, in the Authorize.net case) it forwards that data along to the merchant processor, using the processor's SDK/API... so that means AC is technically "receiv[ing] cardholder data", right? And therefore, SAQ A-EP does not apply, right? So does that mean that companies who host AbleCommerce are subject to SAQ D? If so, that is just unfortunate, as I believe SAQ D is the most-stringent PCI-DSS SAQ available.

Thank you,

Maximillian R. Carper
Carper Business Automation

Wanna join the discussion?! Login to your AbleCommerce Forums forum account. New Registrations are disabled.

Users browsing this topic
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.