I did a pre-assessment of 2 web shops of one company today.

One web shop uses Direct Post based forms to insert and forward cardholder data. Doing this means the company is eligible for an SAQ A-EP. It's hosted in Azure, in a small environment, which is isolated from the rest.

The other one uses a hosted iFrame solution from a PCI compliant 3rd party. This could be done with an SAQ A. It's hosted in their own data-center though.

Does this mean that the company needs to follow the requirements from the SAQ A-EP globally, for both shops? Or can I scope the requirements per shop individually? And apply the SAQ A for the one shop and the A-EP for the other? At least based on the requirements that should be possible.

0x90
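As an added illustration (not part of the original question or the answers), the following script shows the distinction the question turns on: whether the cardholder-data fields live in a provider-hosted iFrame (SAQ A candidate) or in a form on the merchant's own page that posts straight to the provider (Direct Post, SAQ A-EP candidate). It is the kind of quick check a pre-assessor can run over a saved checkout page per shop, which is exactly the per-shop scoping being asked about. The provider and shop origins, the card field names and the three HTML snippets are all constructed for the example.

```python
"""Classify a checkout page's card-capture pattern for a PCI SAQ pre-assessment.

Added example; it assumes the two patterns named in the question (hosted iFrame
vs. Direct Post) and uses constructed origins and field names throughout.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed set of input names that typically carry cardholder data.
CARD_FIELD_NAMES = {
    "pan", "cardnumber", "card_number", "card-number", "ccnum", "cc_number",
    "cvv", "cvv2", "cvc", "expiry", "exp_month", "exp_year",
}


def _origin(url, page_origin):
    """Return scheme://host for url; a relative URL inherits the page's origin."""
    parts = urlsplit(url)
    if not parts.netloc:
        return page_origin
    return f"{parts.scheme or 'https'}://{parts.netloc.lower()}"


class _CheckoutParser(HTMLParser):
    """Collect iframe sources and the input names of every form on the page."""

    def __init__(self):
        super().__init__()
        self.iframes = []      # src of each <iframe>
        self.forms = []        # {"action": str, "fields": [input names]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "form":
            self._current = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current["fields"].append(a["name"].strip().lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_checkout(html, page_origin, provider_origins):
    """Return (label, evidence) describing where card data is captured and sent."""
    parser = _CheckoutParser()
    parser.feed(html)
    # A form on the merchant page that contains card fields decides the outcome:
    # posting them cross-origin to the provider is Direct Post (SAQ A-EP);
    # posting them to the merchant's own origin puts the merchant in scope.
    for form in parser.forms:
        card_fields = sorted(f for f in form["fields"] if f in CARD_FIELD_NAMES)
        if not card_fields:
            continue
        target = _origin(form["action"], page_origin)
        if target in provider_origins:
            return ("SAQ A-EP candidate: Direct Post", f"form posts {card_fields} to {target}")
        return ("outside SAQ A/A-EP: merchant origin receives card data",
                f"form posts {card_fields} to {target}")
    # No card fields on the page itself: look for a provider-hosted iFrame.
    for src in parser.iframes:
        target = _origin(src, page_origin)
        if target in provider_origins:
            return ("SAQ A candidate: hosted iFrame", f"iframe loaded from {target}")
    return ("no card capture found on this page", "")


# Constructed sample pages for the two shops in the question plus a third case.
PROVIDER_ORIGINS = {"https://pay.example-psp.test"}   # hypothetical PSP
SHOP_ORIGIN = "https://shop.example.test"             # hypothetical merchant

SHOP_IFRAME_HTML = """
<form action="/checkout/confirm" method="post"><input name="email" type="email"></form>
<iframe src="https://pay.example-psp.test/hosted-fields?merchant=123"></iframe>
"""
SHOP_DIRECT_POST_HTML = """
<form action="https://pay.example-psp.test/direct" method="post">
  <input name="card_number"><input name="cvv"><input name="exp_month">
</form>
"""
SHOP_MERCHANT_RECEIVES_HTML = """
<form action="/pay" method="post"><input name="card_number"><input name="cvc"></form>
"""

if __name__ == "__main__":
    for name, page in (("iframe shop", SHOP_IFRAME_HTML),
                       ("direct post shop", SHOP_DIRECT_POST_HTML),
                       ("merchant-hosted form", SHOP_MERCHANT_RECEIVES_HTML)):
        label, evidence = classify_checkout(page, SHOP_ORIGIN, PROVIDER_ORIGINS)
        print(f"{name}: {label} ({evidence})")
```

The classifier only looks at static markup; script-injected fields or a provider JavaScript SDK that tokenises in the browser would need the same reasoning applied to the rendered DOM, so treat the output as a starting point for the per-shop scoping discussion rather than a verdict.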

2 Answers

As I see it, there are two web shops of the same company in scope, where one has hosted its website in its own data center while the other is hosted in the cloud (Azure). Since the first web shop uses an iFrame to load the pages of a PCI-compliant 3rd-party payment service provider, irrespective of where it hosts its website it requires only SAQ A, and quarterly ASV scans are absolutely optional. But in the case of the second web shop, hosted in the cloud, which redirects card data to the third party with an HTTPS POST, not only SAQ A-EP and quarterly ASV scans are required, but also internal VA scans on a quarterly basis and an external penetration test at least annually, as per the current PCI DSS standard v3.2. Since most of the leading cloud service providers already comply with a number of international security standards, you can ask for a copy of their PCI certificate, which is fair enough for the SAQ A-EP requirements.

taurean72

That's correct. Nothing more than SAQ A is needed for the app with the iFrame solution, as it is isolated from the CC data.

joe
Comment: I am wondering if the entity (company X) needs to be compliant, because they also have to account for the other shop with Direct Post. That would mean they have to perform an SAQ A-EP for that scope. – 0x90 Mar 11 '17 at 09:36