Hello, I'm hoping someone can help me to understand which PCI self-assessment questionnaire we need to complete. We have a site where we take payments on the site using the PayPal Pro gateway and WordPress WooCommerce. This means the payment goes to our PayPal account, but the user does not have to leave our site to make the payment. Our site is hosted by a third-party company which is PCI compliant. We do not own the servers, etc., for our site. I'm not sure which self-assessment we need to complete in this example. I know we are either SAQ A or SAQ EP, but I'm not sure which. (http://blog.securitymetrics.com/2014/07/which-saq-is-right-for-me.html) Thanks for your help, Graeme
If the payment page is hosted on your site, pretty sure you're SAQ A-EP. If there's any storage at all or anything beyond posting directly to the API, it kicks you instantly up to D. There may be other situations as well, I'd ask your QSA just to be sure.