… light at the end of SAQ A web server security tunnel…
As of April 24th, there are new SAQs for PCI DSS v3.1. This includes a new document titled “SAQ Instructions and Guidelines v3.1” and a revision to the May 2014 document titled “Understanding SAQs for PCI DSS v3”.
A little more fuel for the SAQ A vs SAQ A-EP fire is included, so I updated the list of supporting info in the “SAQ A vs A-EP – lots of links” post. SAQ A applies when the payment page is fully outsourced via iFrame or redirect; SAQ A-EP adds the controls for the merchant's own web server.
It looks like there might be a small mistake in the SAQ A-EP eligibility criteria. Although the council removed this from the table in the “Understanding the SAQs for PCI DSS v3” doc, it was not removed from the criteria for SAQ A-EP v3.1:
“Your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor;”
When consumers are redirected, it appears to be clearly a SAQ A case, so this criterion might be reworded. I can see more evolution coming here in the future and light at the end of the tunnel.