Important Updates to SAQ-A Merchant Compliance Requirements
The PCI Security Standards Council (PCI SSC) has introduced significant changes to the Self-Assessment Questionnaire A (SAQ-A), effective March 31, 2025. These updates redefine merchant eligibility criteria and compliance expectations, prompting important discussions within the PCI community about their implications for merchants, service providers (SPs), and qualified security assessors (QSAs).
Overview of Changes
The updates to SAQ-A primarily affect e-commerce businesses that outsource cardholder data processing. Key changes include:
- Removal of Explicit Requirements:
- PCI DSS requirements 6.4.3 and 11.6.1 are no longer explicitly listed for SAQ-A merchants. Requirement 6.4.3 requires that every script loaded and executed in the consumer's browser on a payment page is inventoried with a written justification, confirmed as authorized, and integrity-assured; 11.6.1 requires a change- and tamper-detection mechanism that alerts on unauthorized modification of the HTTP headers and contents of payment pages as received by the browser, evaluated at least once every seven days (or at a frequency set by a targeted risk analysis).
- Requirement 12.3.1, the targeted risk analysis that supported the 11.6.1 evaluation frequency, has been removed alongside it.
- New Eligibility Criteria:
- To remain eligible, merchants must now confirm that their e-commerce site as a whole, not only the payment page, is protected against attacks from scripts that could affect their e-commerce systems, whether those scripts are first-party, third-party, or loaded from external sources (the eSkimming attack class).
- This is a broader obligation than before: the merchant must achieve the outcome that 6.4.3 and 11.6.1 were designed to produce, even though those specific steps are no longer listed.
- Two Versions of SAQ-A:
- The October 2024 version will remain valid until March 31, 2025.
- A new version, released in January 2025, reflecting these updates, becomes mandatory from March 31, 2025.
According to Gareth Bowker (Jscrambler):
“Merchants planning to continue using SAQ-A must now secure the entire site against script-originated attacks. Failure to do so will make them ineligible for SAQ-A, requiring them to complete SAQ A-EP instead. This shift represents a significant increase in compliance obligations, from 27 applicable requirements in SAQ-A to 151 in SAQ A-EP.”
Guidance and Clarifications
On February 28, 2025, the PCI SSC released FAQ 1588, further clarifying the updated SAQ-A requirements. Key takeaways include:
- Scope:
- The new eligibility criteria apply only to merchant sites hosting embedded payment forms (e.g., iFrames). Redirects or links to payment pages are excluded.
- Third-party scripts unrelated to payment processing and incapable of compromising account data security are not considered third-party service providers.
- Eligibility Options:
- Implementing requirements 6.4.3 and 11.6.1 remains sufficient to meet the new eligibility criteria.
- Alternative solutions, such as penetration testing, web application firewalls (WAFs), or processor attestations, may also fulfill the criteria, subject to QSA discretion.
- Payment processors can provide written confirmation that their iFrame solutions include necessary protection against script-based attacks, provided merchants adhere to implementation guidelines.
Key Implications of the Changes
While the removal of explicit requirements may appear to reduce compliance obligations, the underlying security expectations remain stringent. Merchants must still implement robust protections to meet the new eligibility criteria.
What Has Changed:
- Eligibility Is Limited: Only merchants that fully outsource cardholder data processing qualify for SAQ-A, and only if they also meet the new script-security criterion. Everyone else, across merchant Levels 1-4, must comply with 6.4.3 and 11.6.1 directly.
- Circular Compliance: SAQ-A merchants must still inventory, monitor, and control the scripts on their sites to meet the eligibility criterion, which in practice means following the principles of 6.4.3 and 11.6.1 anyway.
What Hasn’t Changed:
- Compliance Deadlines: For all merchants not eligible for SAQ-A, the deadline for compliance with PCI DSS v4.0.1, including requirements 6.4.3 and 11.6.1, remains March 31, 2025.
- Service Providers: Service providers must still comply with 6.4.3 and 11.6.1 to ensure secure payment flows.
- Robust Protections Required: SAQ-A merchants must implement strong eSkimming defenses despite the removal of the explicit requirements.
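The two controls this page keeps returning to, a script inventory with authorization and integrity assurance (6.4.3) and change detection on the headers and content of the payment page as the browser receives it (11.6.1), are easier to reason about in code. The following is an added example, not code from the PCI SSC, any SAQ, or any vendor named here. The URLs, the authorized inventory, the header baseline, and the sample page are all constructed assumptions, and the SRI digest in the sample is a placeholder rather than a real hash.

```python
"""Added example (not PCI SSC, SAQ, or vendor code): a minimal script-inventory
check in the spirit of Requirement 6.4.3 and a header change-detection check in
the spirit of Requirement 11.6.1, run against a constructed sample payment page.
All URLs, header values, and the authorized inventory below are assumptions."""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect every <script> on a page: external scripts keyed by src,
    inline scripts keyed by the SHA-256 of their body (they have no src)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._attrs = {}
        self._body = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._attrs = dict(attrs)
            self._body = []

    def handle_data(self, data):
        if self._in_script:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            src = self._attrs.get("src")
            if src:
                entry = {"kind": "external", "id": src,
                         "integrity": self._attrs.get("integrity")}
            else:
                digest = hashlib.sha256("".join(self._body).encode()).hexdigest()
                entry = {"kind": "inline", "id": "sha256:" + digest, "integrity": None}
            self.scripts.append(entry)
            self._in_script = False


# Assumed authorized inventory: script identifier -> written justification (6.4.3).
AUTHORIZED_SCRIPTS = {
    "/static/app.js": "First-party storefront code",
    "https://checkout.example-psp.test/v1/iframe.js": "Payment processor iFrame loader",
}

# Assumed header baseline recorded at the last authorized change (11.6.1).
HEADER_BASELINE = {
    "content-security-policy": "script-src 'self' https://checkout.example-psp.test",
    "x-frame-options": "DENY",
}


def audit_scripts(html, authorized):
    """Return (finding, script_id) pairs for scripts that are not in the
    authorized inventory, or external scripts with no SRI integrity attribute."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for script in collector.scripts:
        if script["id"] not in authorized:
            findings.append(("unauthorized_script", script["id"]))
        elif script["kind"] == "external" and not script["integrity"]:
            # SRI is one accepted way to assure integrity; its absence is a gap to justify.
            findings.append(("missing_integrity", script["id"]))
    return findings


def audit_headers(observed, baseline):
    """Return (finding, header_name) pairs for baseline headers that are
    missing from the response or whose value differs from the baseline."""
    observed = {name.lower(): value for name, value in observed.items()}
    findings = []
    for name, expected in baseline.items():
        actual = observed.get(name)
        if actual is None:
            findings.append(("header_missing", name))
        elif actual != expected:
            findings.append(("header_changed", name))
    return findings


# Constructed sample: a payment page that has drifted from the authorized state.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js" integrity="sha384-placeholdernotarealdigest"></script>
<script src="https://checkout.example-psp.test/v1/iframe.js"></script>
<script src="https://cdn.analytics-vendor.test/track.js"></script>
<script>document.addEventListener("submit", function () {});</script>
</head><body><iframe src="https://checkout.example-psp.test/v1/form"></iframe></body></html>"""

# Constructed sample: CSP widened to a new host, X-Frame-Options dropped.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "script-src 'self' https://checkout.example-psp.test https://cdn.analytics-vendor.test",
    "Cache-Control": "no-store",
}


def run_audit():
    """Run both checks over the constructed samples and return all findings in order."""
    return audit_scripts(SAMPLE_PAGE, AUTHORIZED_SCRIPTS) + audit_headers(SAMPLE_HEADERS, HEADER_BASELINE)


if __name__ == "__main__":
    for finding, subject in run_audit():
        print(f"{finding}: {subject}")
```

Against a real site the page and headers would be fetched from outside the merchant's own infrastructure, because 11.6.1 is about what the consumer's browser actually receives, not what the origin server emits. The inline-script hash is what lets the check notice a skimmer injected directly into the page body, which has no src to match against an inventory; the unauthorized analytics host and the widened CSP are the typical signs of a third-party or first-party compromise that the SAQ-A eligibility criterion now asks merchants to rule out.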
Implications for Stakeholders
For SAQ-A Merchants:
- Eligibility Challenges: Merchants must demonstrate that their sites are protected against script-based attacks. Those unable to do so must move to another SAQ, typically SAQ A-EP, which carries significantly more compliance obligations.
- Security Expectations: The removal of explicit requirements does not reduce the obligation to secure e-commerce systems. Robust protections against eSkimming and other vulnerabilities remain essential.
For Service Providers:
- Support for Merchants: Educate merchants on the importance of script controls and provide solutions that simplify compliance. Misreading these updates as a relaxation of obligations could leave merchants exposed.
- Expand Offerings: Introduce value-added services that help merchants secure their environments while achieving compliance.
For QSAs:
- Education and Clarity: QSAs must emphasize that the removal of explicit requirements does not eliminate the need for robust security measures. Merchants must still secure their sites to meet the SAQ-A eligibility criteria.
- Actionable Solutions: Recommend trusted tools, such as Human Security, Source Defense, or Jscrambler, to help merchants implement eSkimming controls efficiently.
Solutions and Recommendations
Merchants can continue implementing 6.4.3 and 11.6.1 as a straightforward approach to meeting the new eligibility criteria. Alternatively, they may adopt solutions like:
- Processor Attestation:
- Obtain written confirmation from the payment processor that their iFrame solution includes appropriate protections.
- Follow processor implementation instructions carefully and demonstrate compliance during assessments.
- Alternative Security Measures:
- Conduct penetration testing, or deploy a WAF configured to block script-based attacks. Note that a WAF only inspects traffic to the merchant's own origin; a script the browser fetches directly from a compromised third-party host never passes through it, so that gap has to be covered by another control and addressed in the justification.
- Document the alternative approach and justify it to the QSA so that it demonstrably meets the eligibility criteria.
If merchants cannot meet SAQ-A eligibility, they must transition to SAQ A-EP, which adds well over a hundred requirements. Implementing 6.4.3 and 11.6.1 from the outset is therefore usually the least costly way to preserve SAQ-A eligibility.
Summary of Key Takeaways
- Collaboration Opportunities: Service providers and QSAs play a vital role in helping merchants navigate these changes.
- Changes to SAQ-A: Explicit requirements 6.4.3 and 11.6.1 have been removed, but strict security expectations remain.
- Security Obligations: SAQ-A merchants must implement robust protections against script-based vulnerabilities.
- Firm Deadline: PCI DSS v4.0.1 compliance is required by March 31, 2025.
For the full details, visit the PCI SSC website.