The Payment Card Industry Security Standards Council (PCI SSC) has introduced significant updates to the Self-Assessment Questionnaire A (SAQ-A), effective March 31, 2025. These updates significantly change merchant eligibility requirements and compliance obligations, particularly for e-commerce businesses that outsource cardholder data processing. While the removal of two specific compliance requirements, 6.4.3 and 11.6.1, might initially appear to simplify the compliance process, a closer examination reveals a more complex reality. The updates shift the focus from explicit controls to broader, high-standard obligations, raising the bar for merchants seeking to qualify for SAQ-A.
This blog post delves into the key changes to SAQ-A, their implications for merchants, service providers, and Qualified Security Assessors (QSAs), and actionable steps stakeholders can take to navigate this evolving compliance landscape.
Understanding the Changes to SAQ-A
The updated SAQ-A introduces two major changes: specific compliance requirements (6.4.3 and 11.6.1) are removed, and new eligibility criteria are added. Let’s examine these changes in more detail.
1. Removal of Requirements 6.4.3 and 11.6.1
Previously, SAQ-A merchants needed to comply with the following requirements:
- Requirement 6.4.3: Mandated the inventory, justification, and control of all scripts on payment pages, ensuring that each script was authorized and its integrity assured.
- Requirement 11.6.1: Merchants must monitor payment pages for unauthorized modifications, including changes, additions, and deletions to scripts or security-impacting HTTP headers.
These controls were designed to protect against malicious script-based attacks, such as eSkimming or Magecart, which target e-commerce systems to compromise sensitive data.
However, with the latest SAQ-A update, these requirements are no longer explicitly mandated for SAQ-A merchants. This does not mean that the underlying security objectives have been abandoned.
2. New Eligibility Criteria
While removing 6.4.3 and 11.6.1 might seem like a relaxation of obligations, introducing a new eligibility criterion significantly raises the compliance threshold. To qualify for SAQ-A, merchants must now confirm that their entire e-commerce site—not just the payment page—is secure and not susceptible to attacks from malicious scripts. This includes:
- Protection against first-party, third-party, and external scripts that could compromise e-commerce systems.
- Comprehensive security measures to prevent vulnerabilities across the entire website beyond the scope of the payment page.
This shift in focus creates a circular compliance challenge: even though 6.4.3 and 11.6.1 are no longer required, the new eligibility requirement effectively necessitates adherence to the principles of these controls. Merchants must still implement robust protections, such as script monitoring and integrity checks, to secure their e-commerce environments and maintain compliance.
Guidance and Clarifications
On February 28, 2025, the PCI SSC released FAQ 1588, further clarifying the updated SAQ-A requirements. Key takeaways include:
1. Scope:
- The new eligibility criteria apply only to merchant sites hosting embedded payment forms (e.g., iFrames). Redirects or links to payment pages are excluded.
- Third-party scripts unrelated to payment processing and incapable of compromising account data security are not considered third-party service providers.
2. Eligibility Options:
- Implementing requirements 6.4.3 and 11.6.1 remains sufficient to meet the new eligibility criteria.
- Alternative solutions, such as penetration testing, web application firewalls (WAFs), or processor attestations, may also fulfill the criteria, subject to QSA discretion.
- Provided merchants adhere to implementation guidelines, payment processors can provide written confirmation that their iFrame solutions include necessary protection against script-based attacks.
What Hasn’t Changed?
Despite the updates to SAQ-A, several key elements remain unchanged:
1. Compliance Deadlines: The deadline for compliance with PCI DSS v4.0.1, including the requirements for 6.4.3 and 11.6.1, remains March 31, 2025, for all merchants not eligible for SAQ-A.
2. Requirements for Service Providers: Service providers must still comply with 6.4.3 and 11.6.1, ensuring comprehensive script inventory, monitoring, and security of payment flows.
3. Security Expectations for SAQ-A Merchants: While the compliance process may appear streamlined, SAQ-A merchants are still expected to implement robust protections against vulnerabilities, particularly those related to script-based attacks.
Implications for Stakeholders
The changes to SAQ-A have far-reaching implications for merchants, service providers, and QSAs. Here’s what each group needs to know:
1. For SAQ-A Merchants
The new eligibility criteria are likely to pose significant challenges for merchants:
- Eligibility Hurdles: To qualify for SAQ-A, merchants must now secure their entire e-commerce site against script-based attacks. This requires implementing robust script controls and monitoring solutions, even though 6.4.3 and 11.6.1 are no longer explicitly required.
- Expanded Compliance Obligations: Merchants who cannot meet the new eligibility criteria will need to complete other, more comprehensive Self-Assessment Questionnaires (SAQs), such as SAQ A-EP. This represents a significant compliance uplift, as SAQ A-EP includes 151 requirements compared to the 19 in SAQ-A.
2. For Service Providers
Service providers play a crucial role in helping merchants navigate these changes:
- Educating Merchants: Small merchants must be educated about the importance of script controls and the implications of the new eligibility criteria. Misinterpreting the updates as a relaxation of obligations could leave merchants vulnerable to attacks.
- Offering Solutions: Service providers can generate additional revenue by offering value-added services that simplify compliance for merchants while enhancing their security posture. For example, solutions that monitor and secure scripts can help merchants meet the new eligibility criteria.
3. For QSAs
Qualified Security Assessors must adapt their approach to reflect the new SAQ-A requirements:
- Clarifying Misconceptions: QSAs must emphasize that removing 6.4.3 and 11.6.1 does not reduce security obligations. Under the new eligibility criteria, the expectation to secure e-commerce environments remains unchanged.
- Providing Guidance: QSAs should recommend proven tools and solutions, such as Content Security Policies (CSP) and Subresource Integrity (SRI), or third-party platforms, such as Human Security, Source Defense’s platform, or Jscrambler, to help merchants secure their websites and achieve compliance.
Addressing the Compliance Challenge
Merchants facing the new SAQ-A eligibility criteria have several options to ensure compliance:
1. Conduct Web Application Testing
Merchants can take a proactive approach by conducting web application assessments to demonstrate that their e-commerce site is not susceptible to malicious script-based attacks. This approach empowers merchants to provide the evidence needed to satisfy the new eligibility requirements, giving them a sense of control over their compliance.
2. Implement 6.4.3 and 11.6.1 Across the Entire Site
Although these requirements are no longer explicitly mandated for SAQ-A merchants, implementing them across the entire e-commerce site can effectively address the risks associated with malicious scripts. Key controls include:
- Script Authorization and Integrity: Use tools like CSP to confirm that all scripts are authorized and their integrity is assured.
- Monitoring and Alerts: Implement mechanisms to detect unauthorized modifications to scripts or HTTP headers.
3. Outsource Compliance
Merchants who struggle to meet the new criteria may consider outsourcing their entire e-commerce site to a third-party provider. In this scenario, the responsibility for compliance shifts to the service provider, simplifying the merchant’s obligations.
Why These Changes Matter
The updated SAQ-A reflects the PCI SSC’s ongoing efforts to address the evolving threat landscape, particularly the rise of eSkimming and other script-based attacks. While the removal of explicit requirements might initially appear to ease compliance burdens, the new eligibility criteria underscore the importance of understanding the implications of these changes.
Failure to meet these criteria could result in significant compliance challenges, including completing more comprehensive SAQs or implementing additional PCI DSS controls. Merchants must act now to understand the implications of these changes and develop a strategy for meeting the new requirements, which will make them feel informed and prepared.
Next Steps for Stakeholders
The March 31, 2025, compliance deadline is fast approaching. To stay ahead of the curve:
- Merchants: Work with a QSA to assess your eligibility for SAQ-A and implement necessary safeguards to secure your e-commerce site.
- Service Providers: Leverage this opportunity to educate merchants and offer solutions that simplify compliance.
- QSAs: Provide clear guidance and actionable recommendations to help merchants navigate the new requirements.
At AccessIT Group, we recognize how overwhelming the new SAQ-A changes can be, especially with the added complexity of securing your entire e-commerce site against evolving threats like malicious scripts. That’s why we’re here to assist you. Our expert QSAs not only have a deep understanding of the updated eligibility criteria but also keep up with the latest script-based attack techniques targeting merchant websites.
By partnering with us, you can feel confident knowing that you’re working with a team that will guide you every step of the way, helping you address risks, implement proactive solutions, and achieve compliance seamlessly. Don’t wait until the compliance deadline or, worse, a breach investigation to uncover gaps in your security. Let AccessIT Group help you turn these challenges into opportunities to strengthen your e-commerce defenses and maintain your eligibility for SAQ-A. Contact us today to ensure you’re ready for what’s ahead.
You can find the full article on the change on the PCI Council website here.
By: Chad Barr – Director of Governance, Risk & Compliance – CISSP | CCSP | CISA | CDPSE | QSA