Issue closed by crazymonk, 10 years ago

crazymonk (marco):

The whitepaper mentions that SAQ C is an option for situations where card numbers are posted to Drupal, but PCI DSS v3.0 states clearly that SAQ C is not applicable to e-commerce channels: https://www.pcisecuritystandards.org/documents/Understanding_SAQs_PCI_DSS_v3.pdf

"C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels"

So my understanding is that those would have to use SAQ D, not C. This language wasn't in v2.0 so it looks like it's either new or they're just clarifying something that's been true in the past.

-marco

rickmanelius:

Hi Crazymonk. You are correct. And thankfully this was also already caught by one of the co-authors: https://github.com/rickmanelius/drupalpcicompliance/pull/23#discussion-diff-13545696. The importance of this is huge, and further underscores the importance of using shared-management solutions against the even more costly SAQ D scenario.

crazymonk:

Ah yep, I see the comment on that commit. Thanks!