FAQ #1293 Diff

If a merchant?s e-commerce implementation meets the criteria that all elements of payment pages originate from a PCI DSS compliant service provider, is the merchant eligible to complete SAQ A or SAQ A-EP?

Earlier Version
2014-06-11T00:00:00+00:00

Later Version
2014-06-12T00:47:00+00:00

Removed

Added

To be eligible for SAQ A, all elements of the payment pages must only originate from PCI DSS compliant service provider(s), and no single element of a payment page can originate from the merchant?s website.

Tomerchant's website.To be eligible for SAQ A-EP, each individual element of the payment page must originate from either the merchant website or from a PCI DSS compliant service provider. If any element of the payment page originates from a source other than the merchant website or the PCI DSS compliant service provider, then the implementation is not eligible for SAQ A-EP.

It should be noted that all eligibility criteria for a particular SAQ must be met in order to use that SAQ. For example, a merchant could have a website where all payment page elements originate from a PCI DSS compliant service provider; however, if the merchant does not also meet all the other eligibility criteria for SAQ A or for SAQ A-EP, then they would not be eligible for either SAQ.

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.