PCI-DSS SAQ & Responsibility Matrix
PCI compliance is the merchant's responsibility. Some questions within your SAQ relate to infrastructure/server configuration; you can find the scope and the appropriate answer for those below.
Physical Architecture
SAQ Answers
Section | Scope | Response | Condition |
---|---|---|---|
1.1.1 - 1.5 | Sonassi | Yes | |
2.1(a) - 2.1(c) | Sonassi | Yes | |
2.1.1(a) - 2.1.1(e) | Sonassi | N/A | |
2.2(a) - 2.5 | Sonassi | Yes | |
3.1(a) - 3.7 | You | Yes | If using Magento Payment Bridge or 3rd Party for cardholder data storage. No if not using Magento Payment Bridge when storing cardholder data |
4.1(a) - 4.3 | You | Yes/No | If using HTTPS. No if not using HTTPS |
5.1 - 5.4 | Sonassi | Yes | |
6.2(a) - 6.2(b) | Both | Sonassi is responsible for patching the operating system and services. You are responsible for patching any software you install, such as Magento or Node. | |
6.3(a) - 6.3.2 | You | This depends on your own development practice | |
6.4.1(a) - 6.4.1(b) | You | Yes | If using separate domain groups for your stores |
6.4.2 - 6.5(b) | You | This depends on your own development practice | |
6.5.1 - 6.5.10 | You | Yes | For a standard Magento installation, however, this does not include any untested 3rd party modules/code/template you may be using |
6.6 - 6.7 | Sonassi | Yes | |
7.1 - 7.3 | You | This depends on your own personnel management | |
8.1.1 - 8.8 | Both | Yes | Provided you comply with the conditions that apply to you |
9.1 - 9.8.2 | Sonassi | Yes | |
9.9(a) - 9.10 | You | This depends on your own cardholder data processing practice | |
10.1(a) - 10.6.3(b) | Sonassi | Yes | |
10.7(a) - 10.7(c) | Sonassi | Yes | If using our long term log storage facility |
10.8 | Sonassi | Yes | |
11.1 - 11.2 | Sonassi | N/A | |
11.3 - 11.3.4 | You | Yes | This depends on your PCI ASV |
11.4 | Sonassi | Yes | Per our standard firewall policy |
11.5 | Sonassi | Yes | Per our vulnerability scanner |
11.5.1 | Sonassi | Yes | Per our audit log notifier |
11.6 | Sonassi | Yes | Per documentation here |
12.1 - 12.7 | Both | Yes | Yes for Sonassi, but also depends on your own security |
12.8.1 - 12.8.5 | You | This depends on your own cardholder data storage practice | |
12.9 | Sonassi | Yes | This is embedded within the service contract from Sonassi |
12.10 - 12.10.1 | Both | Sonassi possesses an incident response plan; you should also maintain your own | |
12.10.2 - 12.10.6 | You | This depends on your own cardholder data storage practice | |