Jump to content

Recommended Posts


I'm currently processing payments through WHMCS through the Stripe module. Stripe have asked me to verify my PCI-DSS compliance and now I have to fill out an SAQ A-EP 🙂

My question is, have I royally messed up by assuming WHMCS is PA-DSS compliant, or is there a way round this? I know Stripe is PA-DSS compliant but WHMCS doesn't appear to be listed.

Share this post

Link to post
Share on other sites

We went through the PCI pain as well. You are under SAQ A-EP when you have ANY element relating to taking payments presented in a page that has your domain in the URL. It doesnt matter if its an iframe to another processors form, doesnt matter if your never touching the field inputs on the server side, doesnt matter anything. The ONLY way to be SAQ A is if you link offsite to your payment processor completely out of your site. We use Authorize.net and none of the included gateways fell under SAQ A compliance so we had to build out own that pops up a new window to a payment form hosted entirely by Authorize.net.

If you use a webhost that claims to be PCI SAQ A-EP compliant then you might be good because you can just refer an auditor to your hosting provider to source all the proof of compliance. HOWEVER, I am not sure that SAQ A-EP has any requirements that fall under the individual that control the server OS so you may still be accountable even in this instance.

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.


Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated