Hello,

Can you please tell us which PCI-DSS SAQ (self-assessment questionnaire) applies for companies who host AbleCommerce 9 for our clients? Your PCI documentation does not address this question as far as I can see. I originally thought that SAQ A-EP applied, because, on page 11 of the SAQ Instructions and Guidelines PDF where the A-EP criteria are defined, it says:

• Your company accepts only e-commerce transactions;
  
• All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated third-party payment processor;
  

But then, it continues to say:

"Your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor;"

The flowchart/decision tree on the last page (page 18) indicates that the SAQ A-EP would only apply if we "direct-post" the cardholder data to another system, from our own payment form. But AbleCommerce doesn't direct-post to merchant processors (like Authorize.net), right? In the code, I can see that the payment data is posted back to the AC IIS server first, and then (at least, in the Authorize.net case) it forwards that data along to the merchant processor, using the processor's SDK/API... so that means AC is technically "receiv[ing] cardholder data", right? And therefore, SAQ A-EP does not apply, right? So does that mean that companies who host AbleCommerce are subject to SAQ D? If so, that is just unfortunate, as I believe SAQ D is the most-stringent PCI-DSS SAQ available.

Thank you,

Maximillian R. Carper
Carper Business Automation