AccessIT Group

Navigating the New PCI DSS SAQ-A Updates: What Merchants Need to Know

The Payment Card Industry Security Standards Council (PCI SSC) has introduced significant updates to Self-Assessment Questionnaire A (SAQ-A), effective March 31, 2025. These updates change merchant eligibility requirements and compliance obligations, particularly for e-commerce businesses that outsource cardholder data processing. While the removal of two specific requirements, 6.4.3 and 11.6.1, might initially appear to simplify compliance, a closer look reveals a more complex reality: the updates shift the focus from explicit controls to a broader, high-standard eligibility obligation, raising the bar for merchants seeking to qualify for SAQ-A. This post covers the key changes to SAQ-A, their implications for merchants, service providers and Qualified Security Assessors (QSAs), and the actionable steps each group can take to navigate the new landscape.

Understanding the Changes to SAQ-A

The updated SAQ-A introduces two major changes: requirements 6.4.3 and 11.6.1 are removed, and new eligibility criteria are added. Let's examine each in more detail.

1. Removal of Requirements 6.4.3 and 11.6.1

Previously, SAQ-A merchants had to comply with the following requirements:

Requirement 6.4.3: Maintain an inventory of all scripts on payment pages, with a written justification for each, and ensure that every script is authorized and its integrity assured.

Requirement 11.6.1: Monitor payment pages for unauthorized modifications, including changes, additions and deletions to scripts or to security-impacting HTTP headers.

These controls were designed to protect against script-based attacks such as eSkimming or Magecart, which target e-commerce systems to compromise sensitive data. With the latest SAQ-A update, these requirements are no longer explicitly mandated for SAQ-A merchants. This does not mean that the underlying security objectives have been abandoned.

2. New Eligibility Criteria

While removing 6.4.3 and 11.6.1 might seem like a relaxation of obligations, the new eligibility criterion significantly raises the compliance threshold. To qualify for SAQ-A, merchants must now confirm that their entire e-commerce site—not just the payment page—is secure and not susceptible to attacks from malicious scripts. This includes:

Protection against first-party, third-party and external scripts that could compromise e-commerce systems.

Comprehensive security measures to prevent vulnerabilities across the entire website, beyond the scope of the payment page.

This shift creates a circular compliance challenge: although 6.4.3 and 11.6.1 are no longer required, the new eligibility requirement effectively necessitates adherence to the principles behind those controls. Merchants must still implement robust protections, such as script monitoring and integrity checks, to secure their e-commerce environments and maintain compliance.

Guidance and Clarifications

On February 28, 2025, the PCI SSC released FAQ 1588, further clarifying the updated SAQ-A requirements. Key takeaways include:

1. Scope: The new eligibility criteria apply only to merchant sites hosting embedded payment forms (e.g., iFrames). Redirects or links to payment pages are excluded. Third-party scripts unrelated to payment processing and incapable of compromising account data security are not considered third-party service providers.

2. Eligibility Options: Implementing requirements 6.4.3 and 11.6.1 remains sufficient to meet the new eligibility criteria. Alternative measures, such as penetration testing, web application firewalls (WAFs) or processor attestations, may also fulfill the criteria, subject to QSA discretion. Provided merchants adhere to the processor's implementation guidelines, payment processors can provide written confirmation that their iFrame solutions include the necessary protection against script-based attacks.

What Hasn't Changed?

Despite the updates to SAQ-A, several key elements remain unchanged:

1. Compliance Deadlines: The deadline for compliance with PCI DSS v4.0.1, including requirements 6.4.3 and 11.6.1, remains March 31, 2025, for all merchants not eligible for SAQ-A.

2. Requirements for Service Providers: Service providers must still comply with 6.4.3 and 11.6.1, maintaining a comprehensive script inventory and monitoring and securing their payment flows.

3. Security Expectations for SAQ-A Merchants: While the compliance process may appear streamlined, SAQ-A merchants are still expected to implement robust protections against vulnerabilities, particularly script-based attacks.

Implications for Stakeholders

The changes to SAQ-A have far-reaching implications for merchants, service providers and QSAs. Here is what each group needs to know.

1. For SAQ-A Merchants

The new eligibility criteria are likely to pose significant challenges for merchants:

Eligibility Hurdles: To qualify for SAQ-A, merchants must now secure their entire e-commerce site against script-based attacks. This requires robust script controls and monitoring solutions, even though 6.4.3 and 11.6.1 are no longer explicitly required.

Expanded Compliance Obligations: Merchants who cannot meet the new eligibility criteria will need to complete other, more comprehensive Self-Assessment Questionnaires (SAQs), such as SAQ A-EP. This is a significant compliance uplift: SAQ A-EP includes 151 requirements, compared with 19 in SAQ-A.

2. For Service Providers

Service providers play a crucial role in helping merchants navigate these changes:

Educating Merchants: Small merchants must understand the importance of script controls and the implications of the new eligibility criteria. Misinterpreting the updates as a relaxation of obligations could leave merchants vulnerable to attack.

Offering Solutions: Service providers can generate additional revenue by offering value-added services that simplify compliance for merchants while improving their security posture. For example, solutions that monitor and secure scripts can help merchants meet the new eligibility criteria.

3. For QSAs

Qualified Security Assessors must adapt their approach to the new SAQ-A requirements:

Clarifying Misconceptions: QSAs must emphasize that removing 6.4.3 and 11.6.1 does not reduce security obligations. Under the new eligibility criteria, the expectation to secure the e-commerce environment remains unchanged.

Providing Guidance: QSAs should recommend proven controls, such as Content Security Policy (CSP) and Subresource Integrity (SRI), or third-party platforms such as Human Security, Source Defense or Jscrambler, to help merchants secure their websites and achieve compliance.

Addressing the Compliance Challenge

Merchants facing the new SAQ-A eligibility criteria have several options to ensure compliance:

1. Conduct Web Application Testing

Merchants can take a proactive approach by conducting web application assessments to demonstrate that their e-commerce site is not susceptible to malicious script-based attacks. This gives merchants the evidence needed to satisfy the new eligibility requirements and a degree of control over their compliance.

2. Implement 6.4.3 and 11.6.1 Across the Entire Site

Although these
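The two controls discussed above, the 6.4.3 authorized-script inventory and the 11.6.1 change detection that a merchant would extend site-wide, reduce to a small audit loop over a page's script tags. The following is an added example, not code from AccessIT Group or the PCI SSC: the inventory, script bodies and page contents are constructed sample values, and the tag scan is deliberately simplified.

```python
import base64
import hashlib
import re

def sri_hash(content: bytes) -> str:
    # SRI value (sha384, base64) for a script body, usable as an integrity attribute
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()

# Constructed sample data (not from the original post). INVENTORY stands in for the 6.4.3
# script list: each authorized script, its justification and approved hash. Inline scripts
# are keyed "inline" for brevity (this demo assumes one approved inline script per page).
CHECKOUT_JS = b"window.Checkout = { render: function (el) { /* vendor loader */ } };"
ANALYTICS_INLINE = 'window.analyticsId = "shop-123";'
INVENTORY = {
    "https://cdn.psp.example/checkout.js": ("PSP iframe loader", sri_hash(CHECKOUT_JS)),
    "inline": ("site analytics id", sri_hash(ANALYTICS_INLINE.encode())),
}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')

def scripts_on(html: str) -> list:
    # Simplified tag scan (a real monitor would use a proper HTML/DOM parser):
    # one (src, integrity, inline body) tuple per <script> element on the page.
    found = []
    for attrs, body in SCRIPT_RE.findall(html):
        a = dict(ATTR_RE.findall(attrs))
        found.append((a.get("src"), a.get("integrity"), body.strip()))
    return found

def audit_page(html: str, fetched: dict) -> list:
    # 11.6.1-style check: diff the live page against INVENTORY and return sorted findings.
    # `fetched` maps each external src to the bytes the monitor retrieved for it.
    findings, seen = [], set()
    for src, integrity, body in scripts_on(html):
        key = src or "inline"
        actual = sri_hash(fetched.get(src, b"") if src else body.encode())
        seen.add(key)
        if key not in INVENTORY:
            findings.append(f"unauthorized script: {key}")  # addition
        elif actual != INVENTORY[key][1]:
            findings.append(f"integrity mismatch: {key}")  # modification
        if src and integrity != actual:  # a browser would refuse to run a stale SRI tag
            findings.append(f"SRI attribute missing or stale: {key}")
    findings += [f"authorized script removed: {k}" for k in INVENTORY if k not in seen]
    return sorted(findings)
```

Run on a schedule against each page that can embed the payment iFrame, an empty findings list is the evidence trail for the inventory, and any non-empty result is the alert 11.6.1 asks for.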