Frequently Asked Questions

< Back to search page

How do PCI DSS Requirements 2, 6 and 8 apply to SAQ A merchants

FAQ Response

Merchants eligible to complete SAQ A are e-commerce or mail-order/telephone-order (MOTO) merchants that outsource all payment processing and do not store, process or transmit cardholder data on their premises or systems.  E-commerce merchants eligible for SAQ A include those that completely outsource all website operations, including those using URL redirect or another mechanism that meets SAQ A criteria to redirect consumers to a compliant third party for payment processing.

To address the ongoing threats to merchant web servers that redirect customers to a third party for payment processing, some additional PCI DSS requirements were included in SAQ A for PCI DSS v3.2.  The additional requirements include changing default passwords (Requirement 2) and implementing some basic authentication requirements, such as requiring a unique user ID and strong password (Requirement 8).  Additionally, for PCI DSS v3.2.1, a requirement was added for merchants to install applicable security patches and ensure critical patches are applied within one month of release (Requirement 6). These requirements are intended to help protect merchant websites from compromise and maintain the integrity of the redirection mechanism.

In a simple e-commerce environment, the merchant webserver contains the mechanism that redirects customers from their website to a third party for payment processing. In these environments, the merchant will need to validate these requirements for the webserver upon which the redirection mechanism is located.

It is also possible for a SAQ A merchant to have a more complex e-commerce environment, where additional system components (such as application servers, database servers, and web proxies) control or could impact the integrity of the redirection mechanism. In these scenarios, the requirements would apply to all system components comprising or managing the redirection mechanism.

MOTO or e-commerce merchants that have completely outsourced all operations may not have any systems in scope for SAQ A and, in such circumstances, these requirements could be considered “not applicable.” If a requirement is deemed not applicable, the merchant should select the “N/A” option for that requirement, and complete the “Explanation of Non-Applicability” worksheet in Appendix C for each “N/A” entry.

August 2018
Article Number 1439