inteldigital (Posted February 7, 2019)

Hi, I'm currently processing payments through WHMCS through the Stripe module. Stripe have asked me to verify my PCI-DSS compliance and now I have to fill out an SAQ A-EP 🙂 My question is, have I royally messed up by assuming WHMCS is PA-DSS compliant, or is there a way round this? I know Stripe is PA-DSS compliant but WHMCS doesn't appear to be listed.

jster1324 (Posted February 9, 2019)

We went through the PCI pain as well. You are under SAQ A-EP when you have ANY element relating to taking payments presented in a page that has your domain in the URL. It doesn't matter if it's an iframe to another processor's form, doesn't matter if you're never touching the field inputs on the server side, doesn't matter anything. The ONLY way to be SAQ A is if you link offsite to your payment processor completely out of your site.

We use Authorize.net and none of the included gateways fell under SAQ A compliance so we had to build our own that pops up a new window to a payment form hosted entirely by Authorize.net.

If you use a webhost that claims to be PCI SAQ A-EP compliant then you might be good because you can just refer an auditor to your hosting provider to source all the proof of compliance. HOWEVER, I am not sure that SAQ A-EP has any requirements that fall under the individual that controls the server OS so you may still be accountable even in this instance.