The Payment Card Industry Security Standards Council (PCI SSC) has announced significant updates to Self-Assessment Questionnaire A (SAQ A), particularly affecting e-commerce merchants. These changes, taking effect on 31 March 2025, remove certain requirements and introduce new eligibility criteria that require merchants to strengthen website security and protect against malicious script attacks.
With the compliance deadline fast approaching, it’s crucial for merchants to understand what’s changing, what’s at stake, and how to ensure they remain compliant.
SAQ A is designed for merchants who fully outsource their payment processing functions to PCI DSS validated third-party service providers (TPSPs).
Who qualifies for SAQ A?
Requirements
This change affects only the e-commerce-related requirements in the SAQ, not those for mail/telephone order.
The following PCI DSS requirements have been removed from SAQ A:
6.4.3 – Protection of payment pages from unauthorized modification.
11.6.1 – Ongoing monitoring for unauthorized changes to payment pages.
12.3.1 – Targeted Risk Analysis related to 11.6.1.
Although these requirements are no longer explicitly required in SAQ A, security remains a top priority. Merchants must still ensure their websites are protected from the security threats that these requirements address.
To qualify for SAQ A, e-commerce merchants must now meet two additional conditions:
While the change removes the merchant's direct responsibility for implementing requirements 6.4.3, 11.6.1, and 12.3.1, those requirements remain part of the overall PCI DSS framework and must be met by the TPSP. In other words, the merchant is no longer required to implement these controls directly but must ensure that its TPSP complies with them, so that the protections these requirements provide are in place indirectly through the TPSP's compliance.
The new eligibility criteria focus on securing the entire website—not just the checkout page. Simply stating that a website does not use scripts is no longer enough.
Even though PCI SSC removed certain security requirements, merchants still bear full responsibility for website security.
Merchants relying on SAQ A must now:
Ensure their entire website is protected from script-based attacks.
Continuously monitor for malicious script injections.
Provide evidence that their security measures meet SAQ A eligibility criteria.
What happens if you are not eligible for SAQ A?
Merchants failing to meet the new SAQ A eligibility criteria will be required to switch to SAQ A-EP, which includes 151 security controls compared to the 27 in SAQ A—significantly increasing compliance complexity and costs.
October 2024 – The existing SAQ A version remains valid until March 31, 2025.
January 2025 – The new SAQ A version is published.
March 31, 2025 – The updated SAQ A v4.0.1 r1 officially replaces the previous version from October 2024.
Merchants should plan accordingly to avoid compliance gaps during this transition.
To meet SAQ A’s new security requirements, merchants should take proactive steps to safeguard their websites.
Use appropriate solutions and controls to detect and prevent malicious script injection targeting TPSP elements.
Adopt a webpage-integrity solution and implement controls that safeguard your entire website, not just checkout pages, from script-based attacks.
Ensure that all external scripts used on your site are sourced from PCI DSS-compliant TPSPs to reduce the risk of unauthorized modifications.
Regularly scan and audit your website to identify vulnerabilities where unauthorized scripts could be injected.
Why this matters:
Malicious scripts can be injected dynamically at any time. One-time security checks are not enough—continuous monitoring is essential.
Work with Qualified Security Assessors (QSAs) to ensure your business meets SAQ A’s latest eligibility criteria.
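As an added illustration (not Integrity360's tooling, and not a check provided by PCI SSC), the following Python script audits a page's script inventory in the way the steps above describe: every external script must be served from an allowlisted host and carry an integrity attribute, and every inline script must match a hash recorded from an approved version of the page, so any script that is added or altered is reported. The host names, HTML fragments and integrity value are constructed placeholders.

```python
"""Script-inventory and change-detection audit for a web page.

Added example: compares the <script> elements of a page against a baseline
of approved script sources and inline-script hashes. All sample HTML,
host names and hashes are constructed for this illustration.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects <script src=...> references and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []       # (src, integrity attribute or None)
        self.inline = []         # inline script bodies
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], a.get("integrity")))
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf).strip())


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser


def baseline_inline_hashes(html):
    """Record hashes of the inline scripts on an approved page version."""
    return {sha256_hex(body) for body in collect_scripts(html).inline}


def audit_page(html, allowed_hosts, approved_inline_hashes):
    """Return a list of findings; an empty list means the page matches policy.

    Relative (same-origin) script sources have an empty host, so the caller
    decides whether to allow them by adding "" to allowed_hosts.
    """
    findings = []
    page = collect_scripts(html)
    for src, integrity in page.external:
        host = urlparse(src).netloc.lower()
        if host not in allowed_hosts:
            findings.append(f"unauthorized external script: {src}")
        if not integrity:
            findings.append(f"external script without integrity attribute: {src}")
    for body in page.inline:
        digest = sha256_hex(body)
        if digest not in approved_inline_hashes:
            findings.append(f"unexpected inline script (sha256 {digest[:16]}...)")
    return findings


# Constructed sample: the approved version of a checkout page.
APPROVED_HTML = """
<html><head>
<script src="https://js.example-psp.test/checkout.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>window.shopConfig = {"currency": "GBP"};</script>
</head><body><div id="psp-iframe-mount"></div></body></html>
"""

# Constructed sample: the same page after two unapproved scripts were added.
MODIFIED_HTML = APPROVED_HTML.replace(
    "</head>",
    '<script src="https://cdn.unknown-party.test/tracker.js"></script>'
    "<script>console.log('unexpected');</script></head>",
)

# Placeholder allowlist: hosts of the merchant's PCI DSS compliant TPSPs.
ALLOWED_HOSTS = {"js.example-psp.test"}


if __name__ == "__main__":
    baseline = baseline_inline_hashes(APPROVED_HTML)
    for finding in audit_page(MODIFIED_HTML, ALLOWED_HOSTS, baseline):
        print(finding)
```

Run against HTML fetched on a schedule, this gives a server-side view of the script inventory. It does not see scripts injected at runtime inside the browser, which is why the continuous, client-side monitoring the article calls for is still needed alongside it.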
These changes to SAQ A aim to streamline compliance while reinforcing security for online merchants. However, maintaining compliance under the new criteria requires proactive website monitoring and security enhancements.
If you're unsure whether your business meets the new SAQ A requirements—or if you need expert guidance on securing your e-commerce platform—we’re here to help.
With SAQ A’s 2025 updates, merchants must take a proactive role in securing their websites against cyber threats.
Ensuring your website meets PCI DSS v4.0.1 requirements can be complex—but you don’t have to do it alone.
We at Integrity360 specialise in helping merchants adapt to these changes, secure their websites, and maintain compliance with confidence.
Contact us today to protect your business and stay compliant in 2025 and beyond!