The PCI Council just announced a big change for merchants that use SAQ A, regarding specific PCI requirements.
In an article published on January 30, 2025, the PCI SSC stated, “In response to stakeholder feedback regarding the complexity of implementing the new e-commerce security Requirements 6.4.3 and 11.6.1 in PCI Data Security Standard (PCI DSS) v4.0.1, the PCI Security Standards Council (PCI SSC) has announced important modifications for merchants validating to Self-Assessment Questionnaire A (SAQ A).”
If you are an SAQ A merchant or an acquirer with merchants using SAQ A, this is vital information with crucial deadlines and updates you need to be aware of.
In this blog post, we’ll explore what is changing, who is impacted, and what you need to do if you are impacted.
Based on feedback received from industry stakeholders, the PCI SSC made the following changes to the PCI DSS requirements included in SAQ A:
What this ultimately means is that if you are a merchant that uses SAQ A, you are no longer required to implement requirements 11.6.1, 6.4.3, and 12.3.1, all of which are focused on protecting your payment pages and checkout process.
However, the PCI Council has added more “eligibility criteria” that need to be met in order for a merchant to qualify for using the SAQ A form to validate their PCI DSS compliance.
These criteria are related to the source of any iFrame contents used to collect card data and how the merchant site protects the iFrame contents from malicious script attacks.
The two new eligibility criteria for e-commerce systems are as follows:
The first bullet is fairly easy to understand: any web elements delivered to the merchant website must come from a validated, PCI DSS compliant third-party service provider (TPSP). That covers iframe elements, JavaScript, iframe contents, and so on. The second bullet is a bit harder to understand, but it means the merchant is responsible for protecting their website so that malicious scripts cannot be added to the site and then used to attack the TPSP elements, the contents of the iframes, or any other systems the TPSP delivers to the merchant.
So, for a merchant to remain eligible for SAQ A, both of these criteria must be met, and evidence must be available to show it if ever asked. The first point is simply obtaining an Attestation of Compliance (AOC) from the TPSP, which is not hard…unless you are not using a PCI DSS validated TPSP. The second is to "confirm that their site is not susceptible to attacks from scripts that can affect the e-commerce systems," which certainly means iframe skimming, iframe overlays, and similar attacks.
Since attackers can add scripts to the DOM dynamically at any point during the payment process, simply saying "our site does not currently use scripts" is not good enough to meet the eligibility criteria.
A script could be injected later and then used to attack the e-commerce systems, so the merchant has to be able to confirm that they are watching for any malicious script that may get onto their site.
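To make the second criterion concrete, here is an added example (not code from the PCI SSC, SecurityMetrics, or Shopping Cart Monitor) of a merchant-side audit that checks every script and iframe on a checkout page against an allow-list of permitted origins, in the spirit of the script-inventory idea behind Requirement 6.4.3 and the tamper-detection idea behind 11.6.1. The origins, page URL, and sample elements are hypothetical and constructed for the example; the same audit is re-run on nodes injected into the DOM later via a MutationObserver, which is the case the text warns about. This is a detection aid, not a substitute for the eligibility evidence or a QSA's judgment.

```javascript
// Added example, not from the original post. Hypothetical assumptions:
// the TPSP serves its payment iframe and field script from
// https://pay.example-tpsp.com and the merchant's own scripts come from
// https://shop.example.com. Anything else on the checkout page is flagged.

const ALLOWED_SCRIPT_ORIGINS = new Set([
  "https://shop.example.com",
  "https://pay.example-tpsp.com",
]);
const ALLOWED_IFRAME_ORIGINS = new Set(["https://pay.example-tpsp.com"]);

// Resolve a src attribute the way the browser would (relative and
// protocol-relative URLs resolve against the page URL) and return its
// origin. Returns null for unparsable, non-https, data:, javascript: or
// blob: sources, which can never match an allow-listed TPSP origin.
function sourceOrigin(src, pageUrl) {
  if (src == null || src.trim() === "") return null;
  let url;
  try {
    url = new URL(src, pageUrl);
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;
  return url.origin;
}

// Audit one element-like object {tag, src}. Returns a finding object or
// null when the element is permitted. Inline scripts are always flagged:
// they cannot be attributed to any TPSP AOC or first-party inventory.
function auditElement(el, pageUrl) {
  const tag = el.tag.toLowerCase();
  if (tag !== "script" && tag !== "iframe") return null;
  const allowed = tag === "script" ? ALLOWED_SCRIPT_ORIGINS : ALLOWED_IFRAME_ORIGINS;
  if (tag === "script" && el.src == null) {
    return { tag, reason: "inline script", src: null };
  }
  const origin = sourceOrigin(el.src, pageUrl);
  if (origin === null || !allowed.has(origin)) {
    return { tag, reason: "origin not on allow-list", src: el.src };
  }
  return null;
}

// Audit a whole page (or any list of element-like objects).
function auditPage(elements, pageUrl) {
  const findings = [];
  for (const el of elements) {
    const f = auditElement(el, pageUrl);
    if (f) findings.push(f);
  }
  return findings;
}

// Constructed sample: a checkout page after a skimmer has injected a
// lookalike-host script, an inline script and an overlay iframe.
const SAMPLE_PAGE_URL = "https://shop.example.com/checkout";
const SAMPLE_ELEMENTS = [
  { tag: "script", src: "/static/checkout.js" },                         // first-party, ok
  { tag: "script", src: "https://pay.example-tpsp.com/fields.js" },      // TPSP, ok
  { tag: "iframe", src: "https://pay.example-tpsp.com/card-form" },      // TPSP iframe, ok
  { tag: "script", src: "https://pay.example-tpsp.com.evil.test/s.js" }, // lookalike host: flagged
  { tag: "script", src: null },                                          // injected inline: flagged
  { tag: "iframe", src: "https://cdn.evil.test/overlay.html" },          // overlay iframe: flagged
  { tag: "script", src: "//pay.example-tpsp.com/fields.js" },            // protocol-relative, resolves to https: ok
];

// Browser wiring: re-audit every element added to the DOM after load, so a
// script injected mid-session is caught, not just what was in the initial
// HTML. Returns null outside a browser (e.g. under Node).
function installDomWatch(onFinding) {
  if (typeof MutationObserver === "undefined" || typeof document === "undefined") return null;
  const toEl = (n) => ({ tag: n.tagName, src: n.hasAttribute("src") ? n.getAttribute("src") : null });
  const obs = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const n of m.addedNodes) {
        if (n.nodeType !== 1) continue; // elements only
        for (const e of [n, ...n.querySelectorAll("script,iframe")]) {
          const f = auditElement(toEl(e), document.location.href);
          if (f) onFinding(f);
        }
      }
    }
  });
  obs.observe(document.documentElement, { childList: true, subtree: true });
  return obs;
}

// Stand-alone run: prints the three findings from the constructed sample.
console.log(auditPage(SAMPLE_ELEMENTS, SAMPLE_PAGE_URL));
```

Note the lookalike host case: a plain substring or `startsWith` check on the URL would accept `pay.example-tpsp.com.evil.test`, which is why the audit compares the parsed origin rather than the raw string. In a real deployment the findings would be reported to a server-side endpoint and kept as part of the evidence that the site is being watched for injected scripts.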
As stated above, this impacts merchants using SAQ A, which the PCI Council defines as follows: “SAQ A includes only those PCI DSS requirements applicable to merchants with account data functions completely outsourced to PCI DSS validated and compliant third parties, where the merchant retains only paper reports or receipts with account data. SAQ A merchants may be either e-commerce or mail/telephone-order merchants (card-not-present) and do not store, process, or transmit any account data in electronic form on their systems or premises.”
If a merchant cannot meet the new eligibility requirements for SAQ A, then SAQ A-EP would apply to that e-commerce process. Since SAQ A-EP has significantly more requirements, it is much better to find a way to meet the new criteria by hardening your website against malicious script attacks on the TPSP-provided e-commerce elements.
If you find yourself impacted and want to know what’s required and what’s next, SecurityMetrics has everything you need to navigate this new change. Our Shopping Cart Monitor can help a merchant quickly meet the second new eligibility requirement.
The Shopping Cart Monitor Basic product, when used on a periodic basis, can confirm that your website is clear of malicious scripts (or detect them if they have been added) that might be used to attack any TPSP-provided payment elements.
This would clearly meet the new SAQ A eligibility requirement. Problem solved!
With this change, the PCI SSC has outlined a timeframe and guidance for updating your compliance practices.
“Two versions of SAQ A are currently available on our website: one published in October 2024 and this new one published in January 2025. The SAQ A version that was published in October 2024 will be retired on 31 March 2025. The SAQ A version published in January 2025 is available now for review, but it does not take effect until 31 March 2025 (which is when the new PCI DSS v4.0.1 requirements will also take effect).”
“PCI DSS v4.0.1 Requirements 6.4.3, 11.6.1, and 12.3.1 become effective as of 31 March 2025. While these modifications to SAQ A will affect how merchants approach compliance reporting for these requirements, it’s important to note that they do not remove or diminish the underlying requirements within PCI DSS.”
If you are impacted by the change to SAQ A, make sure you or your merchants have reviewed and meet the criteria outlined in the new SAQ A before the deadline in March.
The good news is there is a solution from SecurityMetrics that can be used to meet the site protection criteria.
Clearly, the PCI SSC's focus is on making things simpler, more efficient, and more affordable for merchants everywhere.
If you’d like a full breakdown of the why’s and what’s of this change, explore the direct blog post for all the insights.
If you are a merchant or acquirer impacted by this, or simply just want to know more about these updates, contact SecurityMetrics today. We can help you navigate this change with ease and ensure there are no interruptions to your business.
Learn more about Shopping Cart Monitor and how it’s protecting businesses everywhere.