PCI-DSS SAQ & Responsibility Matrix
Table of Contents
PCI Compliance is a merchants responsibility. Some questions within your SAQ relate to infrastructure/server configuration, for which you can find the scope and appropriate answer below.
Physical Architecture
SAQ Answers
| Section | Scope | Response | Condition |
|---|---|---|---|
| 1.1.1 - 1.5 | Sonassi | Yes | |
| 2.1.a - 2.1.c | Sonassi | Yes | |
| 2.1.1.a - 2.1.1.e | Sonassi | N/A | |
| 2.2.a - 2.5 | Sonassi | Yes | |
| 3.1.a - 3.7 | You | Yes | If using Magento Payment Bridge or 3rd Party for cardholder data storage. No if not using Magento Payment Bridge when storing cardholder data |
| 4.1.a - 4.3 | You | Yes/No | If using HTTPS. No if not using HTTPS |
| 5.1 - 5.4 | Sonassi | Yes | |
| 6.2.a - 6.2.b | Both | Sonassi is responsible for patching the operating system and services. You are responsible for patching any software you install, such as Magento or Node. | |
| 6.3.a - 6.3.2 | You | This depends on your own development practice | |
| 6.3.a - 6.3.2 | You | This depends on your own development practice | |
| 6.4.1.a -6.4.1.b | You | Yes | If using separate domain groups for your stores |
| 6.4.2 - 6.5.b | You | This depends on your own development practice | |
| 6.5.1 - 6.5.10 | You | Yes | For a standard Magento installation, however, this does not include any untested 3rd party modules/code/template you may be using |
| 6.6 - 6.7 | Sonassi | Yes | |
| 7.1 - 7.3 | You | This depends on your own personel management | |
| 8.1.1 - 8.8 | Both | Yes | Provided you comply with the conditions that apply to you |
| 9.1 - 9.8.2 | Sonassi | Yes | |
| 9.9.a - 9.10 | You | This depends on your own cardholder data processing practice | |
| 10.1.a - 10.6.3.b | Sonassi | Yes | |
| 10.7.a - 10.7.c | Sonassi | Yes | If using our long term log storage facility |
| 10.8 | Sonassi | Yes | |
| 11.1 - 11.2 | Sonassi | N/A | |
| 11.3 - 11.3.4 | You | Yes | This depends on your PCI ASV |
| 11.4 | Sonassi | Yes | Per our standard firewall policy |
| 11.5 | Sonassi | Yes | Per our vulnerability scanner |
| 11.5.1 | Sonassi | Yes | Per our audit log notifier |
| 11.6 | Sonassi | Yes | Per documentation here |
| 12.1 - 12.7 | Both | Yes | Yes for Sonassi, but also depends on your own security |
| 12.8.1 - 12.8.5 | You | This depends on your own cardholder data storage practice | |
| 12.9 | Sonassi | Yes | This is embedded within the service contract from Sonassi |
| 12.10 - 12.10.1 | Both | Sonassi posses an incident response plan where you should also maintain your own | |
| 12.10.2 - 12.10.6 | You | This depends on your own cardholder data storage practice |