Can you please tell us which PCI-DSS SAQ (self-assessment questionnaire) applies for companies who host AbleCommerce 9 for our clients? Your PCI documentation does not address this question as far as I can see. I originally thought that SAQ A-EP applied, because, on page 11 of the SAQ Instructions and Guidelines PDF where the A-EP criteria are defined, it says:
- Your company accepts only e-commerce transactions;
- All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated third-party payment processor;
But then, it continues to say:
"Your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor;"
The flowchart/decision tree on the last page (page 18) indicates that the SAQ A-EP would only apply if we "direct-post" the cardholder data to another system, from our own payment form. But AbleCommerce doesn't direct-post to merchant processors (like Authorize.net), right? In the code, I can see that the payment data is posted back to the AC IIS server first, and then (at least, in the Authorize.net case) it forwards that data along to the merchant processor, using the processor's SDK/API... so that means AC is technically "receiv[ing] cardholder data", right? And therefore, SAQ A-EP does not apply, right? So does that mean that companies who host AbleCommerce are subject to SAQ D? If so, that is just unfortunate, as I believe SAQ D is the most stringent PCI-DSS SAQ available.
Maximillian R. Carper
Carper Business Automation