TL;DR
Yes, a non-PCI DSS compliant service provider can be used while achieving SAQ A-EP compliance. However, you are responsible for validating their security practices against the requirements of SAQ A-EP and documenting this validation thoroughly. You’re essentially extending your PCI DSS scope to include their services.
Understanding the Situation
SAQ A-EP is a simplified Self-Assessment Questionnaire designed for merchants using third-party payment processors that handle all sensitive card data. It assumes minimal involvement with cardholder data on your end. However, that does not mean you can ignore the security of those third parties.
Steps to Achieve SAQ A-EP Compliance with a Non-PCI DSS Provider
1. Identify All Third-Party Services: List every service provider involved in processing payments or touching cardholder data, even indirectly. This includes payment gateways, hosting providers, analytics tools, and any other related services.
2. Map SAQ A-EP Requirements to Provider Responsibilities: Carefully review the SAQ A-EP questionnaire (available from the PCI Security Standards Council website). For each requirement, determine if your provider is responsible for fulfilling it.
   - Example: Requirement 3.1 requires a firewall configuration. If your hosting provider manages the firewall, they are responsible.
   - Example: Requirement 6.3 requires regular vulnerability scans. If you handle any internal systems that interact with the payment process, *you* are responsible for this scan.
3. Gather Evidence from Providers: Request documentation and evidence from each provider demonstrating how they meet their responsibilities under SAQ A-EP. This might include:
   - Security policies and procedures
   - Firewall configurations
   - Vulnerability scan reports (if applicable)
   - Penetration test results (if applicable)
   - SOC 2 Type II reports or other independent audits
   - Certifications (e.g., ISO 27001)
4. Perform Your Own Validation: Don’t simply accept the provider’s documentation at face value. You need to validate their claims.
   - Review Documentation Thoroughly: Ensure policies are up-to-date and comprehensive.
   - Ask Questions: Clarify any ambiguities or gaps in their documentation.
   - Conduct Security Assessments (if feasible): If possible, perform your own limited security assessments of the provider’s environment (e.g., reviewing network configurations, checking for common vulnerabilities). This is more practical with cloud-based services where you have some level of access.
5. Document Everything: Meticulous documentation is crucial.
   - Create a matrix mapping SAQ A-EP requirements to provider responsibilities and your validation efforts.
   - Keep copies of all documentation received from providers.
   - Record the results of your own assessments, including any findings and remediation steps taken.
   - Document any compensating controls you implement if a provider doesn’t fully meet a requirement (see step 6).
6. Compensating Controls: If a provider cannot meet a specific SAQ A-EP requirement, consider implementing compensating controls to mitigate the risk. These are alternative security measures that achieve the same level of protection.
   - Example: If a provider doesn’t perform regular vulnerability scans, you might implement intrusion detection systems and log monitoring on your end to detect potential attacks.
   - Document the rationale for using compensating controls and how they address the original requirement.
7. Regular Review: Security landscapes change. Regularly review provider documentation (at least annually, or more frequently if there are significant changes) to ensure their security practices remain adequate.
Important Considerations
- Contractual Agreements: Ensure your contracts with providers include clauses requiring them to maintain appropriate security measures and cooperate with PCI DSS audits.
- Shared Responsibility Model: Understand the shared responsibility model for each service. You are responsible for securing what you control, while the provider is responsible for securing their environment.
- PCI DSS Scope: Using non-compliant providers effectively extends your PCI DSS scope to include their services. Be prepared to demonstrate due diligence in validating their security practices.