SAQ A-EP Status: An Easier Solution For PCI Compliance
New business owners likely haven’t experienced the headache of PCI compliance. However, if you’ve been in business for a while, you’ll likely relate to the stressful & confusing process of trying to demonstrate PCI compliance annually. It’s time to check “Achieve SAQ A-EP Status” off your list!
There is no “magic pill” to make yourself 100% immune to a data breach. As any good programmer will tell you, there is NO way to make your system completely immune to a hacker. If someone wants to attack a system, it’s just a matter of resources and determination. That is why we’d recommend limiting YOUR scope by upgrading to the newest API, one that keeps your own systems from ever touching the credit card data.
Fees, Fines And Data Breaches
Recently, a merchant we work with experienced a data breach. A piece of malware was placed on their checkout page without them being aware. The fines from Visa/MC/Discover exceeded hundreds of thousands of dollars, not to mention the half a year of extensive work to repair the breach. The resolution process included expensive forensic scans and the PR damage of having to alert their customer base to a data breach. This was not a low-volume mom and pop merchant; they had an experienced team running their tech. This data breach was an expensive lesson, one which many businesses would not survive.
SAQ A-EP: The Lowest And Easiest PCI Compliance Level
PCI Compliance overwhelms most merchants. The compliance questions are technically challenging, and if an incorrect answer is given at the start of the questionnaire, you are sent down a rabbit hole that no mortal can hope to escape.
As you probably know, there are several different liability levels for PCI Compliance. These levels include SAQ A, SAQ B, SAQ C, and SAQ D (SAQ stands for “Self Attestation Questionnaire”). Ideally, you want to get your SAQ level down to the lowest liability, SAQ A or SAQ A-EP. SAQ A-EP means you outsource your payment channels to validated third parties. As a merchant, this allows you to avoid storing, processing or transmitting cardholder data on any of your own systems. According to Security Metrics, you’ll need to meet the following requirements to qualify:
- Only accept e-commerce transactions.
- Outsource all of the customer cardholder data to a third-party PCI DSS compliant processor.
- Make sure your website host is validated to PCI DSS requirements.
- Don’t electronically store, process or transmit any cardholder data on your systems or in-person location. You must rely entirely on a third party.
- Confirm that any third party you are using is actually PCI DSS compliant.
- Make sure your cardholder data is on paper and not electronically stored.
* Please note this list is NOT exhaustive.
In the old days, when your programmers first designed things, this was basically impossible to do. Websites would have to integrate to processors using a “direct post API”, aka their “AIM” or “SIM” integration method. This automatically puts the merchant at a SAQ C or D level, since the cardholder data passes through your own system and your system is responsible for it.
Recently, a new method of integration has come along which uses JavaScript to embed an “iframe” window on your checkout page. This JavaScript acts *no* differently during the checkout experience as far as your customer is concerned. In fact, the customer will likely feel like they’re checking out directly on your website. For the merchant, however, this means you’ll no longer have to complete the complicated and time-consuming SAQ C or SAQ D. This also reduces your data breach liability to a minuscule fraction of what it would be at a SAQ D level.
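The two halves of that design, as an added example (not Durango’s or any processor’s own code): the checkout page accepts a payment token from the hosted iframe only when the message comes from the processor’s origin, and the merchant server refuses any submission that still carries a card number, so your systems verifiably stay out of scope. The processor origin, message shape and field names are assumptions.

```javascript
// Assumed origin of the processor's hosted-fields iframe (placeholder, not a real service).
const PROCESSOR_ORIGIN = "https://hosted-fields.example-processor.test";

// Browser side: the iframe sends a one-time token back with postMessage. Accept it only
// from the processor origin, never from any other window, and pass only the token on.
function tokenFromProcessorMessage(event) {
  if (event.origin !== PROCESSOR_ORIGIN) return null;
  const data = event.data || {};
  if (data.type !== "payment_token" || typeof data.token !== "string") return null;
  return data.token;
}
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const token = tokenFromProcessorMessage(event);
    if (token) document.getElementById("payment_token").value = token; // hidden field, assumed
  });
}

// Server side: Luhn check used to recognise a real-looking PAN in a submitted value.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}
function containsPan(value) {
  const compact = String(value).replace(/[\s-]/g, "");
  const candidates = compact.match(/\d{13,19}/g) || [];
  return candidates.some(luhnValid); // heuristic: a long Luhn-valid digit run
}
// Reject the whole request (and alert) if any field looks like cardholder data: with a
// hosted iframe the server should only ever see the token, never the card number.
function checkoutScopeGuard(body) {
  for (const [field, value] of Object.entries(body)) {
    if (containsPan(value)) return { ok: false, field };
  }
  return { ok: true };
}
```

A rejection from the guard is a sign the checkout page has regressed to posting card fields to your server, which is exactly the condition that moves you back into SAQ C or D scope.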
The Javascript Solution To PCI Compliance
No matter what shopping cart you use for your business, we highly recommend you use a JavaScript solution to limit your website’s data liability. Durango’s integrations feature a sophisticated JavaScript “iframe” on your own checkout page. This means your website doesn’t actually touch the credit card data and you can qualify for an SAQ A-EP, the lowest (and easiest) level obtainable for eCom merchants! This solution does vary depending on the processor and shopping cart you’re using, so make sure to reach out to your processor or one of our account managers to inquire.
If you’ve completed a PCI questionnaire in the past, check to see what version it was. Alternatively, if you remember there being 280 of the most complex questions you’ve ever seen in your life, that means you fell into the SAQ C or D. An SAQ A-EP on the other hand, only has around 28 questions to complete! SAQ D is a LOT of data liability, and it puts your systems at risk for a malware attack. Especially as you grow, your systems will become more “ripe” for an attack.
Many popular shopping carts, including WooCommerce and Adobe Commerce (formerly Magento), have JavaScript modules available to help obtain SAQ A-EP compliance.
Have your programmer take a look at your gateway’s JavaScript options. You should be able to use the same checkout options you already do, and it shouldn’t change your processing options with your processor. You can always contact the processor directly to ask about integration. The other option is to contact Durango Merchant Services. We have helped thousands of merchants through this compliance process and can likely let you know the best way to approach your current system.
Working With Durango Merchant Services For Greater Peace Of Mind
Honestly, even if this takes work on your end, hiring a developer and changing your system, it’s totally worth it! A data breach could cost you and your business upwards of $180K in fines and fees. It’s scary, but avoidable. We always suggest being proactive, putting time, work and money in at the beginning so you can have peace of mind in the end.
Durango Merchant Services focuses on setting up all our new merchants with SAQ A-EP compliant solutions. We also help existing merchants migrate over if they are willing. We’ll help answer high-level questions about how and why upgrading is needed, and our tech support can assist with the nitty gritty. Most merchants are excited to learn about this option as it solves many of the PCI Compliance issues of the past. Sleep better at night, reduce time spent on compliance, and safe harbor your company!