PCI-DSS SAQ & Responsibility Matrix
PCI compliance is the merchant's responsibility. Some questions within your SAQ relate to infrastructure/server configuration; the scope and appropriate answer for each of those are listed below.
Physical Architecture

SAQ Answers (Updated for v4)
| Section | Scope | Response | Condition |
|---|---|---|---|
| 1.1.1 - 1.5.1 | Sonassi | Yes | |
| 2.1.1 - 2.2.7 | Sonassi | Yes | |
| 2.3.1 - 2.3.2 | Sonassi | N/A | |
| 3.1.1 - 3.7.9 | You | Yes | If using Magento Payment Bridge or a 3rd party for cardholder data storage. N/A if not using Magento Payment Bridge to store cardholder data |
| 4.1.1 - 4.2.2 | You | Yes/No | Yes if using HTTPS; No if not using HTTPS |
| 5.1.1 - 5.4.1 | Sonassi | Yes | |
| 6.1.1 - 6.1.2 | Sonassi | Yes | |
| 6.2.1 - 6.2.4 | You | This depends on your own development practice | |
| 6.3.1 - 6.3.3 | Both | Sonassi is responsible for patching the operating system and services. You are responsible for patching any software you install, such as Magento or Node. | |
| 6.4.1 - 6.5.1 | You | This depends on your own development practice | |
| 6.5.2 - 6.5.2 | Sonassi | Yes | |
| 6.5.3 - 6.5.3 | You | Yes | If using separate domain groups for your stores |
| 6.5.4 - 6.5.6 | You | This depends on your own development practice | |
| 7.1.1 - 7.3.3 | Both | Sonassi manages access to the stack platform, whereas you manage access to your Magento store and any other CMS platforms (e.g. WordPress) | |
| 8.1.1 - 8.6.3 | Both | Yes | Provided you comply with the conditions that apply to you |
| 9.1.1 - 9.3.9 | Sonassi | Yes | |
| 9.4.7 - 9.5.1.3 | You | This depends on your own cardholder data processing practice | |
| 10.1.1 - 10.4.3 | Sonassi | Yes | |
| 10.5.1 - 10.5.1 | Sonassi | Yes | If using our long term log storage facility |
| 10.6.1 - 10.7.3 | Sonassi | Yes | |
| 11.1.1 - 11.1.2 | Sonassi | Yes | |
| 11.2.1 - 11.2.2 | Sonassi | N/A | |
| 11.3.1 - 11.4.6 | Sonassi | Yes | |
| 11.4.7 - 11.4.7 | Sonassi | N/A | |
| 11.5.1 - 11.5.1.1 | Sonassi | Yes | Per our standard firewall policy |
| 11.5.2 - 11.5.2 | Sonassi | Yes | Per our vulnerability scanner and our audit log notifier |
| 11.6.1 - 11.6.1 | You | Magento covers this with CSP and SRI configuration. Third parties such as Threatview also cover this | |
| 12.1.1 - 12.8.1 | Both | Yes | Yes on Sonassi's side, but also depends on your own security practice |
| 12.8.2 - 12.9.2 | You | This depends on your own cardholder data storage practice | |
| 12.10.1 - 12.10.7 | Both | Yes | Yes on Sonassi's side, but also depends on your own incident response plan |