Cybersource Developer Community Cybersource Developer Community

Based on the guidance provided I don't see how SIM and CIM could be SAQ A.  On page 17 of the e-commerce guidelines it clearly states that in a wholly outsourced e-commerce implementation "the merchant may be able to complete a SAQ A.”

A wholly outsourced implementation "consists of e-commerce application, hosted servers, and hosted infrastructure, which are all provided and managed by the third party".  The note on that page is particularly clear:  "Note that if the merchant has to install an application or code on a server, configure a server file, etc. for their e-commerce implementation, they should refer to Section 3.4.3, “Shared-management E-commerce Implementations,” above.”

Based on that statement I don’t see how any Authorize.net API or from any other vendor for that matter can qualify for an SAQ A.  I’d love to be wrong on this, but after reading and rereading this document several times I just don’t see any other way to interpret this.

Without a doubt the API solutions provided by Authorize.net and others greatly reduces the scope of PCI, but I don’t think to the level that many people assume. 

Can you get away with a SAQ C?  I can’t say I’ve seen any definitive documentation to prove or disprove that assertion.  If someone has something more substantive than a blog post I’d love to see it.

Also, transaction volume determines if you can fill out a SAQ or if you have to have a ROC completed by a QSA.  It has nothing to do with the type of SAQ you are required to fill out.  If you are dealing with less than 6 million transactions in a year then you can fill out a SAQ, otherwise it is a ROC.

Agreed with both solutions the merchant has zero visibility of the cardholder data.  However, the merchant plays a role in ensuring that data is securely transmitted to Authorize.net.  For example:

• a merchant is utilizing SIM ,
• their systems are compromised
• the code used to perform the redirect to Authorize.net is modified
• instead the customer and/or their data is sent to a nefarious site

In my mind that equates to a breach caused by some weakness in the merchant’s e-commerce infrastructure. 

Based on how I’m reading the e-commerce guidelines, if you manage code or systems involved in the transmission of credit card data it is under scope for PCI, and you cannot  get by with a SAQ A.  I agree with the statement above that a shopping cart does not equate to an e-commerce solution, but I think it is clear that is a component of that solution and therefore whoever is managing it is responsible for addressing PCI requirements.

Not sure what would qualify as SAQ-A if you are correct - would you have to offload your entire catalog to a third-party service?

Yes, that is exactly what the e-commerce guideline is saying.  From page 17 of the PCI DSS e-commerce guidlines:

“Many merchants are interested in managing their PCI DSS responsibility by outsourcing all cardholder data storage, processing, and transmission to a third party hosting provider or e-commerce payment processor. In this case, merchants may elect to use a solution provided and hosted by a third party, which is wholly under the control and responsibility of the third party. This type of solution could consist of an e-commerce application, hosted servers, and hosted infrastructure, which are all provided and managed by the third party. A web interface is provided for the merchant to access the third-party site, and to manage the e-commerce store and customers.”

“PCI DSS Scoping Guidance: In this scenario, the merchant may be eligible for the PCI DSS Self-Assessment Questionnaire (SAQ) A. SAQ A reduces the number of applicable PCI DSS requirements for merchants that outsource all storing, processing, and transmitting of cardholder data to an e-commerce payment processor. More information about SAQ A can be found below under “Outsourced e-commerce Implementations and SAQ A.”

If you do that, why bother with SAQ at all? What is the purpose of SAQ-A?

Actually if you look at the requirements the merchant is being asked to attest to in a SAQ A (for reference at the bottom of this post), it totally lines up with a “wholly outsourced implementation”.  Basically the merchant is validating  3 areas:

     1.     They are eligible to complete a SAQ A because wholly outsource the handling, storage,        

             processing, and/or transmission of cardholder data.

     2.     There are physical controls to protect credit card data that is on paper media received by

             the merchant from the vendor.

     3.     The merchant has the appropriate contractual and policy pieces in place to spell out the

             vendor’s responsibility in protecting cardholder data and ensure the vendor’s adherence to 

             PCI DSS.

Nothing in SAQ A references technical controls on the merchant’s part.  It does not make sense that if you are using one of the APIs that you would not have to attest to some technical or process controls, because at a minimum it is your responsibility to ensure that the code that specifies where the cardholder data is posted is protected from unauthorized changes.

So we get back to my original question which SAQ or subsections of an SAQ make sense for a particular API?

SAQ A Validation Questions :

Requirement 9:  Restrict physical access to cardholder data

Requirement 12:  Maintain a policy that addresses information security for employees and contractors