A colleague of mine attended the PCI SSC QSA Update session at the ETA convention a couple of weeks back. One of the big discussion items was how the Council is being pilloried over SAQ A-EP. This SAQ was developed to address the recommendations that were documented in the information supplement titled ‘PCI DSS E-commerce Guidelines’ that was published in January 2013. Specifically, SAQ A-EP addresses the ecommerce sites that do redirects to a processor’s site that does the actual payment processing.
Based on the comments I have seen online and made in personal conversations, you would think that SAQ A-EP was heresy or a bad joke. All of these derogatory comments are being driven by merchants that were sold a bill of goods by slick, non-PCI informed, sales people pushing redirected ecommerce solutions by claiming that it put the merchant entirely out of scope. This was not the case and never was the case, particularly after the issuance of the information supplement. However, we still encounter outsourcing vendors that continue to claim a redirect approach puts the merchant entirely out of scope.
To understand the rationale of SAQ A-EP we need to understand the risk surrounding these redirect solutions. The risk is that an attacker modifies the redirect on the merchant’s server to now point to their own payment page, collects the customer’s cardholder data (CHD) on the attacker’s page and then, optionally, passes the customer on to the original payment page at the processor so the customer and merchant are none the wiser.
Under the PCI DSS and card brands’ security programs, redirect systems are still in-scope for PCI compliance because they are a key control in the payment process even though the merchant’s server issuing the redirect does not come into direct contact with CHD.
With all of that said, SAQ A-EP is not a full SAQ D, but it is not as short and simple as SAQ A either. There are a lot of requirements to be met with SAQ A-EP which is why merchants are up in arms. However, if you understand the aforementioned risk, you should understand why the requirements that have to be complied with in SAQ A-EP are there.
The requirement 1 requirements are all there to ensure that there is a firewall protecting the server that does the redirect. This is Security 101 and I would doubt that any merchant would not have a firewall protecting all of their Internet facing servers. Routers have always been optional and if the merchant does not have control of those devices, then they would not be included here.
Requirement 2 is all about making sure that all devices in the cardholder data environment (CDE) are properly configured and security hardened. Again, this is Security 101 stuff. If a merchant is not doing this for Internet facing devices, they are just begging to be attacked and compromised.
The requirements called out in SAQ A-EP for requirement 3 are there to confirm that the merchant is not storing cardholder data (CHD) or sensitive authentication data (SAD). A merchant using a redirect should be marking these as Not Applicable (NA) and documenting that they do not store CHD in their system(s) because they use a redirect that processes and transmits CHD directly between their processor and their customer. Any merchant that answers these requirements any other way should not be using SAQ A-EP. All of that said, merchants need to have proof that they examined logs, trace files, history files, databases, etc. and did not find any CHD or SAD in those files.
Requirement 4 is provided to ensure that secure communications are used. I would recommend documenting the SSL/TLS certificate information for your processor for the requirements in 4.1. But do not pass over requirement 4.2. A lot of ecommerce only merchants have call centers or take telephone calls and do order entry into the same Web site used by their customers. As a result, merchants need to make sure that email, instant messaging, etc. are never used for communicating CHD/SAD.
Requirement 10 is important for any forensic research should the redirect be manipulated so that it can be determined when that event occurred so that the scope of any compromise can be determined.
While one would think that the vulnerability scanning and penetration testing requirements in requirement 11 would be thought of Security 101 and self-explanatory, you would be surprised at how many merchants argue about that fact. Again, the driver of these redirect solutions was cost reduction and vulnerability scanning and penetration testing incur costs, sometimes significant costs depending on the number of servers, firewalls, load balancers, switches, etc. involved. If you do not do vulnerability scanning and penetration testing as required, how do you know that the redirect system(s) are properly secured and patched?
However, the key requirement that cannot be missed is requirement 11.5 regarding critical file monitoring. That is because the whole security of the redirect environment is pinned on detecting any modification of the redirect URL. All of the other requirements in SAQ A-EP are there to minimize the risk of compromising the redirect. 11.5 is there to ensure that, if the other controls fail, at least the merchant would be alerted to the fact that the redirect had been changed. If a modification to the redirect cannot be reliably detected by the critical file monitoring solution, then the security of the redirect cannot be assured.
The remaining requirements for 5, 6, 7, 8, 9 and 12 are all Security 101 items. If you are not following these requirements as part of best practices for security and IT operations in general, then you need to consider what exactly you are doing.
Hopefully everyone now understands SAQ A-EP and why it is not as simple as that slick sales person implied.
