Are you an e-commerce merchant that doesn’t store any cardholder data? You may need a penetration test.

Among the numerous changes introduced by PCI DSS v3, two new self-assessment questionnaires (SAQs) were introduced in 2014: B-IP and A-EP.

B-IP is aimed at small- and medium-sized merchants that use standalone, IP-connected terminals (rather than a phone line), even though the merchant does not store electronic cardholder data.

The other SAQ – and the one on which this article will focus – is A-EP, which is aimed at e-commerce merchants that redirect to a third-party website for payment processing (no electronic cardholder data storage). Its full title is perhaps more descriptive: Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing.

Many e-commerce merchants believe that using a hosted payment solution will ensure the security of their online payment transactions, thereby eliminating their own web infrastructure from the PCI DSS compliance requirements (in other words, reducing the scope of the cardholder data environment). Although these e-commerce merchants themselves do not store, process or transmit any cardholder data on their systems or premises, the PCI Security Standards Council argues that the merchant is still able to influence the security of the payment transaction and/or the integrity of the page. These merchants are believed to have become common targets for attackers who wish to obtain cardholder data, due to a lack of effective security controls on their web servers.

Prior to the introduction of version 3.0, e-commerce merchants were simply required to complete SAQ A to validate their compliance (SAQ A features 14 questions). The introduction of SAQ A-EP is a major departure from the prior compliance requirements for e-commerce merchants, with no fewer than 139 questions/requirements, including a compulsory quarterly ASV scan and an annual external penetration test. SAQ A required neither an ASV scan nor a penetration test.

SAQ A-EP is intended to identify the controls needed to secure those e-commerce websites that control or manage the payment transaction, and to reduce the likelihood of a breach that may compromise cardholder data.

The council has said that “SAQ A-EP has been developed to differentiate between merchants that have partially outsourced management of their e-commerce transactions, and merchants that have completely outsourced all management of their e-commerce environment (SAQ A merchants)”.

More detailed guidance regarding SAQs has now been made available by the Council in an attempt to enable merchants to assess whether they should complete SAQ A or SAQ A-EP. You can read more about this here.

IT Governance is a registered PCI QSA, and offers a host of products and services for PCI compliance, such as penetration testing, a PCI compliance documentation toolkit, and several publications and guides on the PCI DSS.