Important Update on PCI DSS SAQ A Eligibility Criteria

The PCI Security Standards Council (PCI SSC) has published a new Frequently Asked Question (FAQ 1588) to help businesses better understand the updated eligibility criteria for Self-Assessment Questionnaire (SAQ) A under PCI DSS v4.0.1. These new requirements will take effect on April 1, 2025 and are especially important for e-commerce merchants using embedded payment pages (like iframes).


What’s Changing?

To be eligible for SAQ A, merchants must confirm that their website is not vulnerable to script-based attacks that could compromise customer payment data.


How Can Merchants Confirm Their Website is Secure?

Merchants can confirm their site is protected from script attacks in one of two ways:

  1. By Implementing Security Measures:
    • Use protection methods recommended in PCI DSS Requirements 6.4.3 and 11.6.1 to block scripts that could steal payment data.
    • These protections can be set up by the merchant or a third-party service provider (TPSP).
  2. By Getting Confirmation from Their Payment Provider:
    • If the merchant uses a PCI DSS-compliant third-party service provider (TPSP) or payment processor, they can confirm that their embedded payment page already includes protections against script attacks.
    • Merchants must ensure they follow the provider’s security guidelines properly.

Who Does This Apply To?

This applies only to e-commerce merchants who use a third-party provider’s embedded payment page (like an iframe) on their website.

Who is exempt from this eligibility criterion (and therefore does not need to implement technical controls such as those in Requirements 6.4.3 and 11.6.1, or obtain confirmation from their TPSP)?

  • Merchants who redirect customers to a payment provider’s website (e.g., via a redirect link, HTTP 30x, meta tag, or JavaScript redirect).
  • Merchants who fully outsource payment processing (e.g., sending customers a payment link via email).

What Should Merchants Do Now?

  • Check with your payment provider (TPSP) and/or acquirer to confirm if SAQ A is the correct self-assessment for your business.
  • Work with your provider to ensure you have the right security measures in place.
  • Visit the PCI SSC website to review the full FAQ and additional resources.

This update aims to make compliance clearer and ensure stronger payment security for e-commerce businesses. By following these guidelines, merchants can confidently validate their compliance while protecting their customers' payment data.

https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/how-does-an-e-commerce-merchant-meet-the-saq-a-eligibility-criteria-for-scripts/
