PCI-DSS SAQ & Responsibility Matrix

PCI compliance is the merchant's responsibility. Some questions within your SAQ relate to infrastructure/server configuration; the scope (who is responsible) and the appropriate answer for each of those can be found below.

Physical Architecture

MageStack PCI Layout

SAQ Answers

| Section | Scope | Response | Condition |
|---|---|---|---|
| 1.1.1 - 1.5 | Sonassi | Yes | |
| 2.1(a) - 2.1(c) | Sonassi | Yes | |
| 2.1.1(a) - 2.1.1(e) | Sonassi | N/A | |
| 2.2(a) - 2.5 | Sonassi | Yes | |
| 3.1(a) - 3.7 | You | Yes | If using Magento Payment Bridge or a 3rd party for cardholder data storage. No if storing cardholder data without Magento Payment Bridge |
| 4.1(a) - 4.3 | You | Yes/No | Yes if using HTTPS; No if not using HTTPS |
| 5.1 - 5.4 | Sonassi | Yes | |
| 6.2(a) - 6.2(b) | Both | | Sonassi is responsible for patching the operating system and services. You are responsible for patching any software you install, such as Magento or Node. |
| 6.3(a) - 6.3.2 | You | | This depends on your own development practice |
| 6.4.1(a) - 6.4.1(b) | You | Yes | If using separate domain groups for your stores |
| 6.4.2 - 6.5(b) | You | | This depends on your own development practice |
| 6.5.1 - 6.5.10 | You | Yes | For a standard Magento installation; this does not cover any untested 3rd party modules, code or templates you may be using |
| 6.6 - 6.7 | Sonassi | Yes | |
| 7.1 - 7.3 | You | | This depends on your own personnel management |
| 8.1.1 - 8.8 | Both | Yes | Provided you comply with the conditions that apply to you |
| 9.1 - 9.8.2 | Sonassi | Yes | |
| 9.9(a) - 9.10 | You | | This depends on your own cardholder data processing practice |
| 10.1(a) - 10.6.3(b) | Sonassi | Yes | |
| 10.7(a) - 10.7(c) | Sonassi | Yes | If using our long term log storage facility |
| 10.8 | Sonassi | Yes | |
| 11.1 - 11.2 | Sonassi | N/A | |
| 11.3 - 11.3.4 | You | Yes | This depends on your PCI ASV |
| 11.4 | Sonassi | Yes | Per our standard firewall policy |
| 11.5 | Sonassi | Yes | Per our vulnerability scanner |
| 11.5.1 | Sonassi | Yes | Per our audit log notifier |
| 11.6 | Sonassi | Yes | Per documentation here |
| 12.1 - 12.7 | Both | Yes | Yes for Sonassi, but also depends on your own security |
| 12.8.1 - 12.8.5 | You | | This depends on your own cardholder data storage practice |
| 12.9 | Sonassi | Yes | This is embedded within the service contract from Sonassi |
| 12.10 - 12.10.1 | Both | | Sonassi possesses an incident response plan; you should also maintain your own |
| 12.10.2 - 12.10.6 | You | | This depends on your own cardholder data storage practice |