SAQ A-EP Status: An Easier Solution For PCI Compliance
New business owners likely haven’t experienced the headache of PCI compliance. However, if you’ve been in business for a while, you’ll likely relate to the stressful & confusing process of trying to demonstrate PCI compliance annually. It’s time to check “Achieve SAQ A-EP Status” off your list!
There is no “magic pill” to make yourself 100% immune to a data breach. As any good programmer will tell you, there is NO way to make your system completely immune to a hacker. If someone wants to attack a system, it’s just a matter of resources and determination. That is why we’d recommend limiting YOUR scope by upgrading to the newest API that eliminates your systems’ involvement in touching the credit card data.
Fees, Fines And Data Breaches
Recently, a merchant we work with experienced a data breach. A piece of malware was placed on their checkout page without them being aware. The fines from Visa/MC/Discover exceeded hundreds of thousands of dollars, not to mention the half a year of extensive work to repair the breach. The resolution process included expensive forensic scans and lost PR from having to alert their customer base to a data breach. This was not a low-volume mom and pop merchant; they had an experienced team running their tech. This data breach was an expensive lesson, one which many businesses would not survive.
SAQ A-EP: The Lowest And Easiest PCI Compliance Level
PCI Compliance overwhelms most merchants. The compliance questions are technically challenging, and if an incorrect answer is given at the start of the questionnaire, you are sent down a rabbit hole that no mortal can hope to escape.
As you probably know, there are several different liability levels for PCI Compliance. These levels include SAQ A, SAQ B, SAQ C, and SAQ D (SAQ stands for “Self Attestation Questionnaire”). Ideally, you want to get your SAQ level down to the lowest liability, SAQ A or SAQ A-EP. SAQ A-EP means you outsource your payment channels to validated third parties. As a merchant, this allows you to avoid storing, processing or transmitting cardholder data on any of your own systems. You’ll need to meet the following requirements to qualify, according to Security Metrics:
- Only accept e-commerce transactions.
- Outsource all of the customer cardholder data to a third-party PCI DSS compliant processor.
- Make sure your website host is validated to PCI DSS requirements.
- Don’t electronically store, process or transmit any cardholder data on your systems or in-person location. You must rely entirely on a third party.
- Confirm that any third party you are using is actually PCI DSS compliant.
- Make sure any cardholder data you retain is on paper and not electronically stored.
^ Please note this list is NOT exhaustive.
In the old days, when your programmers first designed things, this was basically impossible to do. Websites would have to integrate with processors using a “direct post API”, aka their “AIM” or “SIM” integration method. This automatically puts the merchant at a SAQ C or D level, since cardholder data passes through your own system and your system is therefore responsible for it.
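The difference between the two integration styles comes down to one question: does a primary account number (PAN) ever arrive at a server you operate? The following is an added example, not code from Durango Merchant Services or from any processor, that audits inbound checkout form submissions for PAN-like values so you can confirm your integration really keeps card data off your systems. The request dictionaries are constructed samples using well-known processor test card numbers, and the field names (`card_number`, `payment_token`, `notes`) are assumptions about what a checkout form might post.

```python
import re
from typing import Dict, List

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes,
# not immediately preceded or followed by another digit.
CANDIDATE_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pan_candidates(value: str) -> List[str]:
    """Return digit strings inside `value` that look like a PAN and pass Luhn.

    Luhn is a heuristic: some non-card numbers pass it, so treat hits as
    something to investigate rather than proof of a leak.
    """
    found = []
    for match in CANDIDATE_RE.finditer(value):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, so the audit log itself
    does not become a store of cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit_request(form: Dict[str, str]) -> Dict[str, object]:
    """Classify a form submission reaching the merchant's own server.

    Returns whether the request puts this server in PCI scope and, per field,
    the masked PAN-like values that were found.
    """
    hits: Dict[str, List[str]] = {}
    for field, value in form.items():
        pans = pan_candidates(value)
        if pans:
            hits[field] = [mask_pan(p) for p in pans]
    return {"in_scope": bool(hits), "fields": hits}


# Constructed sample: legacy "direct post" checkout, card data hits our server.
DIRECT_POST_REQUEST = {
    "card_number": "4111 1111 1111 1111",   # Visa test PAN, not a real card
    "exp": "12/27",
    "cvv": "123",
    "amount": "49.99",
}

# Constructed sample: tokenized checkout, the browser sent the card straight
# to the processor and our server only ever sees a token.
TOKENIZED_REQUEST = {
    "payment_token": "tok_a1b2c3d4e5f6",   # hypothetical token format
    "amount": "49.99",
    "order_id": "ORD-2024011512345",        # 13 digits, fails Luhn: not flagged
}

# Constructed sample: a tokenized checkout where staff pasted a card number
# into a free-text field, which silently drags the server back into scope.
NOTES_REQUEST = {
    "payment_token": "tok_f6e5d4c3b2a1",
    "notes": "customer called back with card 5555555555554444",  # MC test PAN
}


if __name__ == "__main__":
    for name, req in [("direct post", DIRECT_POST_REQUEST),
                      ("tokenized", TOKENIZED_REQUEST),
                      ("tokenized with notes", NOTES_REQUEST)]:
        print(name, "->", audit_request(req))
```

Run it as a one-off check against captured (non-production or sanitised) form submissions, or wire `audit_request` into a middleware that logs and rejects any submission carrying PAN-like data. The third sample is the case that trips up merchants who have already migrated: the payment field is tokenized, but a comments or notes field still lets card data onto the server.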
Working With Durango Merchant Services For Greater Peace Of Mind
Honestly, even if this takes work on your end, hiring a developer and changing your system, it’s totally worth it! A data breach could cost you and your business upwards of $180K in fines and fees. It’s scary, but avoidable. We always suggest being proactive, putting time, work and money in at the beginning so you can have peace of mind in the end.
Durango Merchant Services focuses on setting up all our new merchants with SAQ A-EP compliant solutions. We also help existing merchants migrate over if they are willing. We’ll help answer high-level questions about how and why upgrading is needed, and our tech support can assist with the nitty gritty. Most merchants are excited to learn about this option as it solves many of the PCI Compliance issues of the past. Sleep better at night, reduce time spent on compliance, and safe harbor your company!
Frequently Asked Questions About PCI Compliance
If you’ve completed a PCI questionnaire in the past, check to see what version it was. Alternatively, if you remember there being 280 of the most complex questions you’ve ever seen in your life, that means you fell into SAQ C or D. SAQ A-EP, on the other hand, only has around 28 questions to complete! SAQ D is a LOT of data liability, and it puts your systems at risk for a malware attack. Especially as you grow, your systems will become more “ripe” for an attack.