PCI-DSS SAQ & Responsibility Matrix

PCI compliance is the merchant's responsibility. Some questions within your SAQ relate to infrastructure/server configuration; for those, you can find the scope (who is responsible) and the appropriate answer below.

Physical Architecture

MageStack PCI Layout

SAQ Answers (Updated for v4)

| Section | Scope | Response | Condition |
|---|---|---|---|
| 1.1.1 - 1.5.1 | Sonassi | Yes | |
| 2.1.1 - 2.2.7 | Sonassi | Yes | |
| 2.3.1 - 2.3.2 | Sonassi | N/A | |
| 3.1.1 - 3.7.9 | You | Yes | If using Magento Payment Bridge or a 3rd party for cardholder data storage. N/A if not using Magento Payment Bridge when storing cardholder data |
| 4.1.1 - 4.2.2 | You | Yes/No | Yes if using HTTPS; No if not using HTTPS |
| 5.1.1 - 5.4.1 | Sonassi | Yes | |
| 6.1.1 - 6.1.2 | Sonassi | Yes | |
| 6.2.1 - 6.2.4 | You | | This depends on your own development practice |
| 6.3.1 - 6.3.3 | Both | | Sonassi is responsible for patching the operating system and services. You are responsible for patching any software you install, such as Magento or Node. |
| 6.4.1 - 6.5.1 | You | | This depends on your own development practice |
| 6.5.2 - 6.5.2 | Sonassi | Yes | |
| 6.5.3 - 6.5.3 | You | Yes | If using separate domain groups for your stores |
| 6.5.4 - 6.5.6 | You | | This depends on your own development practice |
| 7.1.1 - 7.3.3 | Both | | Sonassi manages access to the stack platform, whereas you manage access to your Magento store and any other CMS platforms (e.g. WordPress) |
| 8.1.1 - 8.6.3 | Both | Yes | Provided you comply with the conditions that apply to you |
| 9.1.1 - 9.3.9 | Sonassi | Yes | |
| 9.4.7 - 9.5.1.3 | You | | This depends on your own cardholder data processing practice |
| 10.1.1 - 10.4.3 | Sonassi | Yes | |
| 10.5.1 - 10.5.1 | Sonassi | Yes | If using our long term log storage facility |
| 10.6.1 - 10.7.3 | Sonassi | Yes | |
| 11.1.1 - 11.1.2 | Sonassi | Yes | |
| 11.2.1 - 11.2.2 | Sonassi | N/A | |
| 11.3.1 - 11.4.6 | Sonassi | Yes | |
| 11.4.7 - 11.4.7 | Sonassi | N/A | |
| 11.5.1 - 11.5.1.1 | Sonassi | Yes | Per our standard firewall policy |
| 11.5.2 - 11.5.2 | Sonassi | Yes | Per our vulnerability scanner and our audit log notifier |
| 11.6.1 - 11.6.1 | You | | Magento covers this with CSP and SRI configuration. Third parties such as Threatview also cover this |
| 12.1.1 - 12.8.1 | Both | Yes | Yes for Sonassi, but also depends on your own security |
| 12.8.2 - 12.9.2 | You | | This depends on your own cardholder data storage practice |
| 12.10.1 - 12.10.7 | Both | Yes | Depending on your own incident response plan |
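The 11.6.1 row above leaves payment-page script integrity (the SRI side of "CSP and SRI configuration") with the merchant. The following is an added example, not code from Sonassi, MageStack or Magento, of the kind of check a merchant can run against their own checkout page: it confirms every external script carries an `integrity` attribute and that the hash matches the script body actually served. The page HTML, URLs and script bodies are constructed inline; a real monitor would fetch them as the browser would.

```python
# Added example (not from the page): minimal SRI audit for a payment page, as a
# merchant-side control of the kind PCI DSS 11.6.1 expects. All inputs are constructed.
import base64
import hashlib
import re

SCRIPT_TAG = re.compile(r'<script\b[^>]*\bsrc="([^"]+)"[^>]*>', re.I)
INTEGRITY = re.compile(r'\bintegrity="(sha(?:256|384|512))-([A-Za-z0-9+/=]+)"', re.I)

def sri_value(body: bytes, algo: str = "sha384") -> str:
    """Return the integrity attribute value ('sha384-<base64 digest>') for a script body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

def check_page(html: str, fetched: dict) -> list:
    """Audit each <script src=...> in html; `fetched` maps src URL -> served bytes.
    Returns (src, status) pairs: 'ok', 'missing-integrity', 'hash-mismatch', 'unresolved'."""
    results = []
    for tag in SCRIPT_TAG.finditer(html):
        src = tag.group(1)
        m = INTEGRITY.search(tag.group(0))
        if not m:
            results.append((src, "missing-integrity"))  # browser would load it unpinned
            continue
        algo, b64 = m.group(1).lower(), m.group(2)
        body = fetched.get(src)
        if body is None:
            results.append((src, "unresolved"))  # could not retrieve the script to compare
            continue
        expected = f"{algo}-{b64}"
        results.append((src, "ok" if sri_value(body, algo) == expected else "hash-mismatch"))
    return results

# Constructed sample: one correctly pinned script, one whose served body differs from
# the pinned hash, and one with no integrity attribute at all (both should be flagged).
GOOD = b"window.pay = function () { /* checkout handler */ };"
ALTERED = GOOD + b" // body changed after the hash was pinned"
SAMPLE_HTML = f"""
<script src="https://cdn.example.test/checkout.js" integrity="{sri_value(GOOD)}" crossorigin="anonymous"></script>
<script src="https://cdn.example.test/widget.js" integrity="{sri_value(GOOD)}"></script>
<script src="https://cdn.example.test/tracker.js"></script>
"""
FETCHED = {
    "https://cdn.example.test/checkout.js": GOOD,
    "https://cdn.example.test/widget.js": ALTERED,
    "https://cdn.example.test/tracker.js": b"console.log('no integrity attribute');",
}

if __name__ == "__main__":
    print(check_page(SAMPLE_HTML, FETCHED))
```

Anything other than `ok` is a change the 11.6.1 alerting mechanism should surface; the CSP half of the control (restricting where scripts may load from at all) is a separate header-level check not shown here.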