The Payment Card Industry Security Standards Council (PCI SSC) has announced significant updates to Self-Assessment Questionnaire A (SAQ A), particularly affecting e-commerce merchants. These changes, taking effect on 31 March 2025, remove certain requirements and introduce new eligibility criteria that require merchants to strengthen website security and protect against malicious script attacks.

With the compliance deadline fast approaching, it’s crucial for merchants to understand what’s changing, what’s at stake, and how to ensure they remain compliant.


What is SAQ A?

SAQ A is designed for merchants who fully outsource their payment processing functions to PCI DSS-validated third-party service providers (TPSPs).

Who qualifies for SAQ A?

  • E-commerce or mail/telephone-order merchants (card-not-present transactions).
  • Merchants who do not store, process, or transmit account data electronically on their own systems.
  • Merchants that rely entirely on TPSPs to handle payment transactions securely.

The key changes to SAQ A in 2025

1. Removal of Specific Security Requirements

This change affects only the e-commerce-related requirements in the SAQ, not those for mail/telephone-order merchants.

The following PCI DSS requirements have been removed from SAQ A:

  • 6.4.3 – Protection of payment pages from unauthorized modification.
  • 11.6.1 – Ongoing monitoring for unauthorized changes to payment pages.
  • 12.3.1 – Targeted Risk Analysis related to 11.6.1.

What this means for merchants:

Although these requirements are no longer explicitly required in SAQ A, security remains a top priority. Merchants must still ensure their websites are protected from the security threats that these requirements address.

  • Quote: "While these modifications to SAQ A will affect how merchants approach compliance reporting, they do not remove or diminish the underlying requirements within PCI DSS." – PCI DSS

2. New Eligibility Criteria for SAQ A

To qualify for SAQ A, e-commerce merchants must now meet two additional conditions:

  1. All payment page elements (forms, scripts, iframes, etc.) must come only and directly from a PCI DSS-compliant TPSP.
  2. Merchants must confirm their site is not susceptible to script-based attacks that could impact their e-commerce systems.
     • Quote: "The merchant has confirmed that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s)." – PCI SSC

Note that PCI SSC provides compliance validation tools, but the final validation requirements are set by acquirers, payment brands, and other compliance-enforcing entities.

  • Quote: "PCI SSC provides tools that may be used to facilitate compliance validation. Compliance validation requirements are set by brands, acquirers, payment facilitators, etc." – PCI SSC

Key Takeaway:


While the change removes the direct responsibility for implementing requirements 6.4.3, 11.6.1, and 12.3.1 from the merchant, those requirements remain part of the overall PCI DSS framework and must be met by the TPSP. In other words, the merchant is no longer required to implement these controls directly, but must ensure that its TPSP complies with them, so that the protections these requirements provide are in place indirectly through the TPSP's compliance.

The new eligibility criteria focus on securing the entire website—not just the checkout page. Simply stating that a website does not use scripts is no longer enough.


Why These Changes Matter

Even though PCI SSC removed certain security requirements, merchants still bear full responsibility for website security.

Merchants relying on SAQ A must now:

  • Ensure their entire website is protected from script-based attacks.
  • Continuously monitor for malicious script injections.
  • Provide evidence that their security measures meet SAQ A eligibility criteria.

What happens if you are not eligible for SAQ A?
Merchants failing to meet the new SAQ A eligibility criteria will be required to switch to SAQ A-EP, which includes 151 security controls compared to the 27 in SAQ A—significantly increasing compliance complexity and costs.

SAQ A Compliance Timeline: Key Dates

October 2024 – The existing SAQ A version remains valid until March 31, 2025.
January 2025 – The new SAQ A version is published.
March 31, 2025 – The updated SAQ A v4.0.1 r1 officially replaces the previous version from October 2024.

Merchants should plan accordingly to avoid compliance gaps during this transition.

How to Protect Your Website & Stay SAQ A Compliant

To meet SAQ A’s new security requirements, merchants should take proactive steps to safeguard their websites.

1. Monitor & Secure Your Shopping Cart

Use appropriate solutions and controls to detect and prevent malicious script injections targeting TPSP elements.

2. Implement Webpage Integrity Protections

Adopt a solution and implement controls for webpage integrity to safeguard your entire website, not just checkout pages, from script-based attacks.

3. Use Only PCI DSS-Compliant Third-Party Scripts

Ensure that all external scripts used on your site are sourced from PCI DSS-compliant TPSPs to reduce the risk of unauthorized modifications.

4. Conduct a Security Risk Assessment

Regularly scan and audit your website to identify vulnerabilities where unauthorized scripts could be injected.

Why this matters:
Malicious scripts can be injected dynamically at any time. One-time security checks are not enough; continuous monitoring is essential.

5. Consult PCI Compliance Experts

Work with Qualified Security Assessors (QSAs) to ensure your business meets SAQ A’s latest eligibility criteria.
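As an added example (not code from the original post, from PCI SSC, or from any TPSP), the check below audits a payment page's script, iframe and form sources against an allowlist of approved TPSP origins and a previously approved baseline, reporting any element that is not served by a TPSP or that has appeared since the baseline was taken. The allowlist, the baseline and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: origins of the TPSPs the merchant has approved (assumption).
ALLOWED_ORIGINS = {"https://checkout.example-psp.com"}

class PageElementCollector(HTMLParser):
    """Collect external script/iframe/form sources and count inline scripts."""
    def __init__(self):
        super().__init__()
        self.elements, self.inline_scripts = [], 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and not a.get("src"):
            self.inline_scripts += 1          # inline code is not "from a TPSP"
        elif tag in ("script", "iframe") and a.get("src"):
            self.elements.append((tag, a["src"]))
        elif tag == "form" and a.get("action"):
            self.elements.append((tag, a["action"]))

def origin(url):
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else "(relative)"

def audit_payment_page(html, baseline):
    """Return findings: elements outside the allowlist, inline scripts, and any
    drift from the approved baseline set of (tag, url) pairs."""
    c = PageElementCollector()
    c.feed(html)
    current, findings = set(c.elements), []
    for tag, url in sorted(current):
        if origin(url) not in ALLOWED_ORIGINS:
            findings.append(f"unapproved origin: <{tag}> {url}")
    if c.inline_scripts:
        findings.append(f"{c.inline_scripts} inline script(s) not served by a TPSP")
    findings += [f"added since baseline: <{t}> {u}" for t, u in sorted(current - baseline)]
    findings += [f"missing vs baseline: <{t}> {u}" for t, u in sorted(baseline - current)]
    return findings

# Constructed sample: the TPSP iframe and SDK are expected; the analytics
# script from an unknown host is the kind of change the audit must surface.
SAMPLE_PAGE = """<html><body>
<iframe src="https://checkout.example-psp.com/embed/v2"></iframe>
<script src="https://checkout.example-psp.com/sdk.js"></script>
<script src="https://cdn.unknown-host.test/analytics.js"></script>
</body></html>"""
APPROVED_BASELINE = {("iframe", "https://checkout.example-psp.com/embed/v2"),
                     ("script", "https://checkout.example-psp.com/sdk.js")}
```

Run it on a schedule against the page as actually served; it audits delivered markup and complements, rather than replaces, runtime monitoring for scripts injected after the page loads.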

Final Thoughts: Act Now to Stay Compliant

These changes to SAQ A aim to streamline compliance while reinforcing security for online merchants. However, maintaining compliance under the new criteria requires proactive website monitoring and security enhancements.

If you're unsure whether your business meets the new SAQ A requirements—or if you need expert guidance on securing your e-commerce platform—we’re here to help.

With SAQ A’s 2025 updates, merchants must take a proactive role in securing their websites against cyber threats.

Key Takeaways:

  • New SAQ A eligibility criteria require full-site security—not just payment pages.
  • Non-compliance could force a transition to SAQ A-EP, adding 100+ new requirements.
  • Implementing script protections and continuous monitoring is critical.
  • Consult with compliance experts to ensure your site remains secure.

Need Help Staying SAQ A Compliant?

Ensuring your website meets PCI DSS v4.0.1 requirements can be complex—but you don’t have to do it alone.

We at Integrity360 specialise in helping merchants adapt to these changes, secure their websites, and maintain compliance with confidence.

Contact us today to protect your business and stay compliant in 2025 and beyond!
