SAQ-A Compliance

Merchants and payment service providers use Self Assessment Questionnaires (SAQs) to assess their PCI compliance requirements. For more information on SAQs, see Understanding the SAQs for PCI DSS version 3.

SAQ-A imposes the lowest level of obligation for PCI compliance on the merchant as the management of the PCI sensitive data is handled by a third party such as the CommWeb payment gateway. As stated by PCI, SAQ-A merchants may be either e-commerce or mail/telephone order (MOTO) merchants (card-not-present), and do not store, process, or transmit any cardholder data in electronic format on their systems or premises.

Gateway Support for SAQ-A Compliance

The gateway does not require you to be SAQ-A compliant; however, it provides functionality to help you meet your SAQ-A obligations. This support is available for both API integrations and the merchant UI (Merchant Administration application).

As a prerequisite, your payment service provider must enable you for SAQ-A compliance (either through the UI, API, or both).

SAQ-A Compliance Through Merchant UI

If you choose to be SAQ-A compliant through the UI, the gateway will prevent you from creating MOTO (mail/telephone) orders by entering card details in order entry screens — the order entry screens will be disabled.

To support SAQ-A compliance, the "View Unmasked Account Identifiers" privilege should NOT be enabled for the UI user.

SAQ-A Compliance Through API

If you choose to be SAQ-A compliant through the API, the gateway will reject transactions that directly include PCI-sensitive cardholder data such as the card number. You can instead include a container for cardholder data such as a payment session or a token in place of card details.

A payment session when used with the Hosted Session integration supports SAQ-A compliance. You can also choose to integrate using Hosted Checkout where the gateway handles the cardholder data for you.

If you are integrating using Batch, then batches containing unmasked PANs will be rejected.

The gateway will also mask PANs in the transaction response. If you request that unmasked PANs be returned in the response, the gateway will return an error in order to support SAQ-A compliance.
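As an added example that is not CommWeb's or the gateway's own code, the following Python models the SAQ-A rules described in this section so an integration test can confirm that outgoing requests carry only a payment session or token, never raw card details, and that any PAN you log is masked. The JSON field paths, the hypothetical unmasked-PAN request option and the first-six/last-four mask format are assumptions, not taken from this page.

```python
import re

# Assumed JSON field paths for a gateway transaction request; they are
# constructed for this example and are not taken from the page.
RAW_CARD_FIELDS = (
    "sourceOfFunds.provided.card.number",
    "sourceOfFunds.provided.card.securityCode",
)
CONTAINER_FIELDS = ("session.id", "sourceOfFunds.token")
UNMASKED_FLAG = "responseControls.returnUnmaskedPan"  # hypothetical option


def _lookup(doc, path):
    """Walk a dotted path through nested dicts; None if any key is missing."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc


def check_saqa_request(request):
    """Decide a request the way an SAQ-A-enabled gateway does: (accepted, reason)."""
    direct = [p for p in RAW_CARD_FIELDS if _lookup(request, p) is not None]
    if direct:
        return False, "direct cardholder data rejected: " + ", ".join(direct)
    if _lookup(request, UNMASKED_FLAG):
        return False, "unmasked PANs cannot be returned under SAQ-A"
    if not any(_lookup(request, p) for p in CONTAINER_FIELDS):
        return False, "no payment session or token supplied"
    return True, "ok"


def mask_pan(pan):
    """Mask a PAN to its first six and last four digits (assumed mask format)."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a PAN")
    return digits[:6] + "x" * (len(digits) - 10) + digits[-4:]


if __name__ == "__main__":
    # Constructed sample requests: one uses a session, one sends a raw card.
    session_req = {"session": {"id": "SESSION0001"}, "order": {"amount": "10.00"}}
    raw_req = {"sourceOfFunds": {"provided": {"card": {"number": "5123456789012346"}}}}
    print(check_saqa_request(session_req))  # (True, 'ok')
    print(check_saqa_request(raw_req))      # (False, 'direct cardholder data rejected: ...')
    print(mask_pan("5123456789012346"))     # 512345xxxxxx2346
```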

Copyright © 2020 Commonwealth Bank of Australia