PCI-DSS SAQ A-EP v3.2.1 Assessment Template
This download includes the Self-Assessment Questionnaire A-EP and Attestation of Compliance for Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing v3.2.1.
SAQ A-EP has been developed to address requirements applicable to e-commerce merchants with a website(s) that does not itself receive cardholder data but which does affect the security of the payment transaction and/or the integrity of the page that accepts the consumer’s cardholder data.
SAQ A-EP merchants are e-commerce merchants who partially outsource their e-commerce payment channel to PCI DSS validated third parties and do not electronically store, process, or transmit any cardholder data on their systems or premises.
SAQ A-EP merchants confirm that, for this payment channel:
▪ Your company accepts only e-commerce transactions;
▪ All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated third-party payment processor;
▪ Your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor;
▪ If the merchant website is hosted by a third-party provider, the provider is validated to all applicable PCI DSS requirements (e.g., including PCI DSS Appendix A if the provider is a shared hosting provider);
▪ Each element of the payment page(s) delivered to the consumer’s browser originates from either the merchant’s website or a PCI DSS compliant service provider(s);
▪ Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions;
▪ Your company has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and
▪ Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically.
Completing the Self-Assessment Questionnaire:
For each question, there is a choice of responses to indicate your company’s status regarding that requirement. Only one response should be selected for each question. A description of the meaning for each response is provided below:
- Yes: The expected testing has been performed, and all elements of the requirement have been met as stated.
- Yes with CCW (Compensating Control Worksheet): The expected testing has been performed, and the requirement has been met with the assistance of a compensating control. All responses in this column require completion of a Compensating Control Worksheet (CCW) in Appendix B of the SAQ. Information on the use of compensating controls and guidance on how to complete the worksheet is provided in the PCI DSS.
- No: Some or all elements of the requirement have not been met, or are in the process of being implemented, or require further testing before it will be known if they are in place.
- N/A (Not Applicable): The requirement does not apply to the organization’s environment. All responses in this column require a supporting explanation in Appendix C of the SAQ.