SAQ A-EP Completion Checklist

SAQ A-EP Completion Checklist: Your Complete Guide to Getting Compliant

Introduction

What You’ll Learn

In this guide, you’ll discover everything you need to know about completing the SAQ A-EP (Self-Assessment Questionnaire A for E-commerce Partially Outsourced). We’ll walk you through each requirement, explain what it means in plain English, and provide a practical checklist to ensure you don’t miss anything important.

Why This Matters

If you’re an online merchant who accepts credit cards but doesn’t store card data on your own systems, the SAQ A-EP is likely your path to PCI compliance. Getting this right protects your business from data breaches, hefty fines, and damaged reputation. More importantly, it shows your customers you take their payment security seriously.

Who This Guide Is For

This guide is perfect for:

  • Small to medium e-commerce business owners
  • Online merchants using third-party payment processors
  • Business managers responsible for compliance
  • Anyone new to PCI compliance who needs clear, actionable guidance

The Basics

Core Concepts Explained Simply

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to protect credit card information. Think of it as a security checklist created by major credit card companies to ensure businesses handle payment data safely.

SAQ A-EP is a shortened version of the full PCI requirements, specifically designed for online merchants who:

  • Accept payments through a website
  • Redirect customers to a third-party payment processor (like PayPal or Stripe)
  • Never touch or store credit card data themselves

Key Terminology

  • Merchant: That’s you—the business accepting credit card payments
  • Service Provider: Companies that help process your payments
  • Cardholder Data: Credit card numbers and related information
  • Redirect: When your website sends customers to another site to complete payment
  • Compliance: Meeting all the security requirements

How It Relates to Your Business

If your e-commerce site uses a “Pay Now” button that takes customers to another website to enter their credit card details, SAQ A-EP is likely your compliance path. You’re still responsible for security because your website initiates the payment process, even though you never see the actual card numbers.

Why It Matters

Business Implications

PCI compliance isn’t just a box to tick—it directly impacts your business operations:

  • Customer Trust: Shoppers feel safer buying from compliant merchants
  • Payment Processing: Many processors require compliance to continue service
  • Competitive Advantage: Display compliance badges to stand out from competitors
  • Peace of Mind: Know you’re following industry best practices

Risk of Non-Compliance

Ignoring PCI compliance can lead to:

  • Fines ranging from $5,000 to $100,000 per month
  • Increased transaction fees
  • Loss of ability to accept credit cards
  • Legal liability if customer data is compromised
  • Damaged business reputation

Benefits of Compliance

When you achieve compliance, you:

  • Reduce risk of data breaches
  • Build customer confidence
  • Often qualify for lower payment processing rates
  • Create a security-conscious culture in your business
  • Sleep better knowing you’ve protected your customers

Step-by-Step Guide

Clear Actionable Steps

Follow this checklist to complete your SAQ A-EP:

Step 1: Confirm SAQ A-EP is Right for You

  • Verify you redirect all payment pages to a third party
  • Ensure you never touch, process, or store card data
  • Check that your payment processor supports this method

Step 2: Gather Required Information

  • Business information (legal name, DBA, address)
  • Payment processor details
  • Website URLs
  • Contact information for key personnel

Step 3: Review Your Website Security

  • Ensure your website uses HTTPS (look for the padlock icon)
  • Check all payment redirect pages are secure
  • Verify no card data is collected before redirect
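One way to automate the Step 3 checks above, as an added example that is not part of the original guide: the script below parses a checkout page's HTML and flags any form that collects card-data fields or submits to a non-HTTPS address. The two sample pages, the field-name pattern and the shop.example URLs are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field names and autocomplete tokens that indicate card data is entered on the merchant's own page.
CARD_NAME_RE = re.compile(r"card.?(number|num|no)|\bpan\b|cc.?(num|number)|cvv|cvc|csc|expir", re.I)
CC_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-name"}


class CheckoutFormAuditor(HTMLParser):
    """Records each form's action and any input fields that look like card-data fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "card_fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name") or a.get("id") or ""
            autocomplete = (a.get("autocomplete") or "").lower()
            if autocomplete in CC_AUTOCOMPLETE or CARD_NAME_RE.search(name):
                self._current["card_fields"].append(name or autocomplete)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_checkout(html, page_url):
    """Return (passes, issues); relative form actions are resolved against page_url."""
    auditor = CheckoutFormAuditor()
    auditor.feed(html)
    issues = []
    for form in auditor.forms:
        target = urljoin(page_url, form["action"])
        if form["card_fields"]:
            issues.append(f"form posting to {target} collects card fields {form['card_fields']}")
        if urlparse(target).scheme != "https":
            issues.append(f"form action {target} does not use HTTPS")
    return not issues, issues


# Constructed sample pages: the first collects only non-card details before redirecting,
# the second enters card data on the merchant's own page and posts it over plain HTTP.
GOOD_PAGE = ('<form action="/checkout/redirect" method="post">'
             '<input name="email"><input name="full_name"><button>Pay Now</button></form>')
BAD_PAGE = ('<form action="http://shop.example/pay" method="post">'
            '<input name="card_number"><input name="security_code" autocomplete="cc-csc"></form>')
```

A clean result supports the checklist item but does not prove it: fields injected by client-side scripts are not visible in static HTML, so also review the scripts loaded on the checkout page.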

Step 4: Complete the 22 Requirements

The SAQ A-EP contains 22 specific requirements. Here’s your checklist:

Requirement 2.3: Encrypt all non-console administrative access

  • Use strong encryption for any remote access to your website

Requirement 6.1: Establish a process to identify security vulnerabilities

  • Keep your website software updated
  • Monitor security alerts for your platform

Requirement 6.2: Ensure all system components are protected from known vulnerabilities

  • Install security patches promptly
  • Use automatic updates where possible

Requirement 6.5: Address common coding vulnerabilities

  • Work with your developer to ensure secure coding practices
  • Test for common web application vulnerabilities

Requirement 6.6: Ensure public-facing web applications are protected

  • Implement a web application firewall OR
  • Conduct regular vulnerability scans

Requirement 8.1-8.8: Implement strong access controls

  • Use unique usernames for each person
  • Require strong passwords
  • Change default passwords
  • Implement two-factor authentication where possible

Requirement 9.9: Protect devices that capture payment card data

  • While you don’t capture data, ensure any devices are tamper-evident

Requirement 11.2.2: Run quarterly external vulnerability scans

  • Use an Approved Scanning Vendor (ASV)
  • Fix any high-risk vulnerabilities found
  • Keep scan reports as proof

Requirement 12.1-12.10: Maintain an information security policy

  • Create basic security policies
  • Train staff on security procedures
  • Perform annual risk assessments

What You Need to Get Started

  • Access to your website hosting account
  • Contact information for your payment processor
  • About 2-4 hours to complete the questionnaire
  • Documentation of your security measures

Timeline Expectations

  • Initial assessment: 1-2 hours
  • Implementing missing controls: 1-2 weeks
  • Quarterly scans: Ongoing requirement
  • Annual reassessment: Required to maintain compliance

Common Questions Beginners Have

“Is this really necessary for my small business?”

Yes! Size doesn’t matter when it comes to data security. Hackers often target smaller businesses because they typically have weaker security. Plus, your payment processor likely requires it.

“What if I don’t understand a requirement?”

That’s normal! Start with what you do understand, and seek help for the rest. Many requirements sound more complex than they are in practice.

“How much will this cost?”

Basic compliance can be quite affordable:

  • Quarterly scans: $200-$500 per year
  • SSL certificate: Often free with hosting
  • Your time: The biggest investment

“What happens after I submit the SAQ?”

You’ll receive confirmation of your compliance status. Keep this documentation—you may need to provide it to your payment processor or business partners.

Mistakes to Avoid

Common Beginner Errors

Choosing the Wrong SAQ
Many merchants mistakenly choose SAQ A when they need SAQ A-EP. The key difference: SAQ A-EP is for merchants whose websites redirect to a payment processor, while SAQ A is for those using entirely separate payment channels.

Ignoring Quarterly Scans
These aren’t optional! Missing scans can invalidate your compliance. Set calendar reminders or use automatic scan scheduling.

Poor Password Management
Using weak passwords or sharing login credentials is a common vulnerability. Implement a password manager and enforce strong password policies.

Incomplete Documentation
Keep records of all security measures, scan results, and policy documents. You’ll need these for validation.

How to Prevent Them

  • Double-check SAQ eligibility before starting
  • Set up automated reminders for recurring tasks
  • Use tools to enforce security policies
  • Create a compliance folder to organize all documentation

What to Do If You Make Them

Don’t panic! Most mistakes are fixable:

  • Wrong SAQ? Complete the correct one
  • Missed scans? Run them immediately and document the gap
  • Security issue found? Fix it and document the remediation

Getting Help

When to DIY vs. Seek Help

DIY is fine when:

  • You’re tech-savvy and understand web security basics
  • Your setup is straightforward
  • You have time to learn and implement

Seek help when:

  • Technical requirements confuse you
  • You’re unsure about your SAQ type
  • You need to be compliant quickly
  • Your business is growing rapidly

Types of Services Available

Compliance Tools and Software

  • Automated SAQ completion tools
  • Vulnerability scanning services
  • Policy template libraries

Professional Services

  • PCI consultants for personalized guidance
  • Managed security service providers
  • Compliance-as-a-Service platforms

How to Evaluate Providers

Look for:

  • Experience with businesses like yours
  • Clear pricing and service descriptions
  • Good customer support
  • Positive reviews from similar merchants
  • Ongoing support, not just one-time assistance

Next Steps

What to Do After Reading

1. Confirm your SAQ type using our free tool
2. Download the official SAQ A-EP from the PCI Security Standards Council
3. Review each requirement against your current setup
4. Create an action plan for any gaps
5. Schedule your quarterly scans
6. Complete and submit your SAQ

Related Topics to Explore

  • Understanding vulnerability scanning
  • Web application security basics
  • Creating security policies
  • Training employees on PCI compliance
  • Preparing for compliance validation

Resources for Deeper Learning

  • PCI Security Standards Council website
  • Your payment processor’s compliance resources
  • Industry-specific compliance guides
  • Security awareness training programs

FAQ

Q: How long does SAQ A-EP compliance last?
A: Compliance must be renewed annually. You’ll need to complete a new SAQ each year and maintain quarterly vulnerability scans throughout the year.

Q: Can I switch from SAQ A-EP to another SAQ type?
A: Yes, if your payment processing method changes. However, you’ll need to meet the requirements of the new SAQ type and may face additional obligations.

Q: Do I need to hire a QSA (Qualified Security Assessor)?
A: Not for SAQ A-EP. This is a self-assessment questionnaire, meaning you can complete it yourself. QSAs are typically only required for larger merchants.

Q: What’s the difference between SAQ A and SAQ A-EP?
A: SAQ A is for merchants who completely outsource all cardholder functions (like mail/telephone order using a third party). SAQ A-EP is for e-commerce merchants whose websites redirect customers to a third-party payment processor.

Q: How do I prove I’m compliant?
A: Keep your completed SAQ, attestation of compliance, and passing scan reports. Some payment processors have online portals where you upload these documents.

Q: What if my payment processor hasn’t asked for PCI compliance?
A: You’re still required to be compliant! It’s a requirement from the card brands (Visa, Mastercard, etc.), not just your processor. Being proactive protects your business.

Conclusion

Completing your SAQ A-EP might seem daunting at first, but breaking it down into manageable steps makes it achievable for any business. Remember, PCI compliance isn’t just about checking boxes—it’s about protecting your customers and your business from very real security threats.

The good news is that SAQ A-EP is one of the simpler compliance paths, designed specifically for businesses like yours that use secure, third-party payment processors. By following this checklist and taking it one requirement at a time, you’ll build a stronger, more secure business.

Ready to start your compliance journey? Try our free PCI SAQ Wizard tool at PCICompliance.com to confirm which SAQ you need and get personalized guidance for your specific situation. Join thousands of businesses who trust PCICompliance.com for affordable tools, expert guidance, and ongoing support in achieving and maintaining PCI DSS compliance.

Your customers trust you with their payment information—now you have the roadmap to honor that trust through proper PCI compliance.
