Elements SAQ Guide
This guide is for merchants and integrators using CityPay Elements, where cardholder data is entered into payment fields or components provided directly by CityPay.
Elements usually supports SAQ A where the merchant's own systems do not electronically store, process or transmit PAN or sensitive authentication data.
SAQ A is only suitable where all account data processing is outsourced to PCI DSS compliant third parties, the merchant does not electronically store, process or transmit account data, and the merchant confirms that its payment pages are not susceptible to script-based attacks that could affect the e-commerce system. Confirm eligibility with your acquirer or QSA.
Part 2a - Merchant business payment channels
Tick:
E-Commerce
Do not include card-present unless that channel is separately assessed.
Part 2b - Description of role with payment cards
The merchant accepts e-commerce card-not-present transactions using CityPay Elements. Cardholder data is entered into payment fields/forms supplied directly by CityPay. The merchant website initiates the checkout/payment journey but does not store, process, or transmit cardholder data or sensitive authentication data electronically. Payment processing, authorisation and handling of account data are outsourced to CityPay Limited.
Part 2c - Description of payment card environment
The assessed environment consists of the merchant e-commerce website pages that load or redirect to CityPay Elements for payment acceptance. The merchant website does not receive PAN, CVV, track data, or other sensitive authentication data. CityPay provides the payment components that collect and process cardholder data. The merchant's in-scope systems are limited to the web pages, scripts, hosting, deployment pipeline and administrative access that could affect the payment page integration.
Include:
The merchant maintains controls over website changes, script management, access control, patching and vulnerability management for the website pages that host or invoke CityPay Elements.
Part 2f - Third-party service providers
| Service provider | Description |
|---|---|
| CityPay Limited | CityPay PSP and TPSP operating its own gateway, providing CityPay Elements, payment data capture, authorisation, processing and related payment services. |
Also list hosting providers, CDN providers, web developers or other third parties if they can affect the checkout or payment page.
Part 2h - Eligibility to complete SAQ A
Only tick eligibility statements that are true:
- the assessed channel accepts only card-not-present transactions
- all account-data processing is outsourced to CityPay Limited or another compliant TPSP
- no electronic storage, processing or transmission of account data occurs on merchant systems
- CityPay's PCI DSS compliance has been confirmed for the services used
- all payment form elements delivered to the browser originate directly from CityPay
- the merchant has assessed its site against script-based attacks
Requirement 2 - Secure configurations
Applies to the merchant web server or page that hosts or invokes Elements. Evidence should cover secure configuration, removal or change of vendor default accounts, hardened hosting/admin panels, and secure CMS/plugin settings.
Requirement 3 - Stored account data
Usually not applicable if the merchant does not print or store paper records containing account data.
Appendix C wording:
The merchant does not store paper records containing account data for CityPay Elements transactions.
Requirement 6 - Secure systems and software
Applies to merchant servers and pages that redirect to or embed the TPSP/payment processor payment form. Evidence should cover vulnerability monitoring for the website/CMS/framework/plugins, critical patching within one month, change control for checkout/payment pages, and review of scripts loaded on payment pages.
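As an added example (not CityPay's or the merchant's own code), the following browser-side check supports the script review above and the Part 2h script-attack assessment: it audits the scripts present on a checkout page against an allowlist of expected origins and flags any that lack a Subresource Integrity hash. The origins and the sample inventory are constructed placeholders.

```javascript
// Added example: script inventory check for a page that invokes CityPay Elements.
// The allowlist entries are constructed placeholders, not real CityPay hosts.
const ALLOWED_SCRIPT_ORIGINS = [
  "https://shop.example",             // the merchant's own origin (assumption)
  "https://elements.citypay.example"  // placeholder for the CityPay Elements host
];

// Classify one script. `src` is the resolved URL, or "" for an inline script.
function classifyScript(src, integrity, allowed) {
  if (!src) return { src, status: "inline", reason: "inline script: must appear in the documented inventory" };
  let origin;
  try { origin = new URL(src).origin; } catch (e) { return { src, status: "reject", reason: "unparseable src" }; }
  if (!allowed.includes(origin)) return { src, status: "reject", reason: "origin not on allowlist: " + origin };
  // A third-party loader may be unversioned, so a missing hash is a warning to
  // record against the inventory rather than an automatic failure.
  if (!integrity) return { src, status: "warn", reason: "no Subresource Integrity attribute" };
  return { src, status: "ok", reason: "" };
}

// Audit a list of {src, integrity} records and group the findings by status.
function auditScripts(scripts, allowed = ALLOWED_SCRIPT_ORIGINS) {
  const findings = scripts.map(s => classifyScript(s.src, s.integrity, allowed));
  return {
    ok: findings.filter(f => f.status === "ok").length,
    warn: findings.filter(f => f.status === "warn"),
    reject: findings.filter(f => f.status === "reject"),
    inline: findings.filter(f => f.status === "inline")
  };
}

// In a browser, build the live inventory from the DOM of the checkout page.
function collectFromDocument() {
  return Array.from(document.scripts).map(s => ({ src: s.src, integrity: s.integrity }));
}

// Constructed sample inventory so the check can run offline (e.g. under Node).
const SAMPLE_SCRIPTS = [
  { src: "https://shop.example/js/checkout.js", integrity: "sha384-placeholder" },
  { src: "https://elements.citypay.example/elements.js", integrity: "" },
  { src: "https://cdn.third-party.example/analytics.js", integrity: "" },
  { src: "", integrity: "" }
];

const inventory = typeof document === "undefined" ? SAMPLE_SCRIPTS : collectFromDocument();
console.log(JSON.stringify(auditScripts(inventory), null, 2));
```

Any entry in `reject` is a script the change-control record for the payment page should not have allowed; `warn` and `inline` entries are what the inventory review needs to justify.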
Requirement 8 - User access
Applies to admin access to merchant systems that can affect the Elements integration. Evidence should include unique user IDs, no shared admin accounts, leaver access removal, MFA where used, and password standards.
Requirement 9 - Physical access to cardholder data
Usually not applicable unless the merchant stores paper receipts or reports containing account data.
Appendix C wording:
The merchant does not store, distribute, or destroy paper media containing account data for this payment channel.
Requirement 11 - Vulnerability scanning
Applies to merchant servers/pages that redirect to or embed the payment form. Include quarterly passing ASV scan reports for public-facing in-scope systems, post-change scan evidence for significant changes, and remediation records for any findings.
Requirement 12 - TPSP management and incident response
Maintain a TPSP list including CityPay Limited, written agreement or terms with CityPay, evidence of CityPay PCI DSS compliance for the services used, annual TPSP review, and an incident response plan that includes CityPay, acquirer and payment-brand escalation.
Retain:
- CityPay AOC or PCI DSS compliance confirmation
- CityPay Elements integration documentation
- TPSP list and annual review
- hosting and web platform patching records
- admin access list and leaver review
- ASV scan reports where applicable
- change records for checkout/payment pages
- incident response plan
- Appendix C explanations for Not Applicable requirements