PCI-DSS SAQ Information

PCI Compliance is a merchants responsibility. Some questions within your SAQ relate to infrastructure/server configuration, for which you can find the scope and appropriate answer below.

Physical Architecture

SAQ Answers

Section	Scope	Response	Condition
1.1.1 - 1.5	Sonassi	Yes
2.1.a - 2.1.c	Sonassi	Yes
2.1.1.a - 2.1.1.e	Sonassi	N/A
2.2.a - 2.5	Sonassi	Yes
3.1.a - 3.7	You	Yes	If using Magento Payment Bridge or 3rd Party for cardholder data storage. No if not using Magento Payment Bridge when storing cardholder data
4.1.a - 4.3	You	Yes/No	If using HTTPS. No if not using HTTPS
5.1 - 5.4	Sonassi	Yes
6.3.a - 6.3.2	You		This depends on your own development practice
6.4.1.a -6.4.1.b	You	Yes	If using separate domain groups for your stores
6.4.2 - 6.5.b	You		This depends on your own development practice
6.5.1 - 6.5.10	You	Yes	For a standard Magento installation, however, this does not include any untested 3rd party modules/code/template you may be using
6.6 - 6.7	Sonassi	Yes
7.1 - 7.3	You		This depends on your own personel management
8.1.1 - 8.8	Both	Yes	Provided you comply with the conditions that apply to you
9.1 - 9.8.2	Sonassi	Yes
9.9.a - 9.10	You		This depends on your own cardholder data processing practice
10.1.a - 10.6.3.b	Sonassi	Yes
10.7.a - 10.7.c	Sonassi	Yes	If using our long term log storage facility
10.8	Sonassi	Yes
11.1 - 11.2	Sonassi	N/A
11.3 - 11.3.4	You	Yes	This depends on your PCI ASV
11.4	Sonassi	Yes	Per our standard firewall policy
11.5	Sonassi	Yes	Per our vulnerability scanner
11.5.1	Sonassi	Yes	Per our audit log notifier
11.6	Sonassi	Yes	Per documentation here
12.1 - 12.7	Both	Yes	Yes for Sonassi, but also depends on your own security
12.8.1 - 12.8.5	You		This depends on your own cardholder data storage practice
12.9	Sonassi	Yes	This is embedded within the service contract from Sonassi
12.10 - 12.10.1	Both		Sonassi posses an incident response plan where you should also maintain your own
12.10.2 - 12.10.6	You		This depends on your own cardholder data storage practice