What is a “payment page”? A simple question? Maybe not. I think a layperson would say that it's the webpage where you input your payment details. A merchant completing an SAQ-A compliance assessment might disagree. Merchants load these pages with scripts to enable marketing analytics, conversion trackers and chatbots to increase conversion and help consumers complete…
Category: SAQ A
Assessments, SAQ A, Scoping, Vulnerability Management
Redirect. But don't forget. And patch.
by Ed • 0 Comments
SAQ A for PCI DSS v3.2.1 includes requirement 6.2. So don’t forget that redirecting webserver! So, patch that webserver. How do you verify that patching is happening? Review policies and procedures. Examine system components. Compare the list of security patches installed to recent vendor patch lists.
ecommerce, PCI DSS, SAQ A, Service Providers, V3.2
Best Practices for Securing eCommerce Information Supplement
by Ed • 0 Comments

Best Practices for Securing eCommerce Information Supplement is a great doc full of comprehensive info! The objective of this information supplement is to update and replace the PCI DSS E-commerce Guidelines published in 2013. It's a comprehensive 64-page document. Useful info for anyone who does or is considering e-commerce. A couple of the tidbits…
Assessments, ecommerce, SAQ A
More guidance for SAQ A Merchants
by Ed • 0 Comments

If you are an SAQ-A merchant, or think you might be, there is some more guidance from the Council on your security requirements. Version 3.2 of SAQ A has introduced additional requirements “to help protect merchant websites from compromise and maintain the integrity of the redirection mechanism”. But this won't shock anyone who hasn’t descoped…
ecommerce, PCI DSS, SAQ A, V3.2
Redirect, but don’t forget
by Ed • 0 Comments

Thanks to the PCI Guru for bringing this story to my attention with this post. In the continued vein of “Don’t descope your redirecting ecommerce web server!“, the Foregenix Digital Forensics and Incident Response Team talks about some of the risks that remain in your ecommerce payment channel, even if you are redirecting, using…
Assessments, ecommerce, SAQ A
Don’t descope your redirecting ecommerce web server!
by Ed • 0 Comments

Another fresh article regarding the risks to consider when implementing a fully redirected e-commerce solution. Benj Hosack writes about something the forensics team at Foregenix have seen. While it discusses a few variants that are not specifically of the SAQ A variety, it has a few relevant examples of risks. And don’t forget about the old paypaul.ca…
Assessments, ecommerce, PCI DSS, SAQ A, V3.1
If a website uses a hosted payment page redirect, is the web server in scope for PCI DSS v3.x?
by Ed • 0 Comments
Assessments, ecommerce, PCI DSS, SAQ A, Service Providers, Small Business, V3.1
Who is a service provider for a SAQ A ecommerce only Merchant?
by Ed • 0 Comments

The Scenario: Low volume ecommerce only merchant. Website does a full redirect to a PCI compliant provider payment page so payment processing is fully outsourced. The payment provider page is actually the Merchant’s acquirer (not a middleman). All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service provider (the acquirer!). Merchant does…
4.0, Assessments, ASV, PCI DSS, SAQ A, V3.1, V3.2.1, Vulnerability Management
Does an SAQ-A merchant need ASV scans?
by Ed • 0 Comments

UPDATED FOR V4! If a merchant is eligible to complete an SAQ-A to report on the results of their compliance assessment, are they required to engage an ASV (approved scanning vendor) to complete external vulnerability scans? YES! V4 clearly includes PCI DSS requirement 11.3.2! (Note the new V4 numbering.) Self-Assessment Questionnaire A and Attestation of…