Changes in SAQ A of PCI DSS v4.0.1

As part of efforts to achieve security and compliance balance, the PCI SSC announced on January 30, 2025 that checks related to payment page security (6.4.3 and 11.6.1) will be removed from Self-Assessment Questionnaire A (Self-Assessment Questionnaire – SAQ A), trade-oriented.

Update February 28, 2025
The 28 February 2025 the PCI SSC published a new frequently used question (FAQ #1588) clarifying the eligibility criterion of SAQ A, as explained below in the ‘February 2025 update’ section.

After many internal discussions and reviews (especially stemming from the e-commerce working group, which is currently working on an informational supplement for payment page security, to be published in the short term), the PCI SSC has announced that the Self-Assessment Questionnaire A (Self-Assessment Questionnaire – SAQ A) has been amended by removing controls 6.4.3 and 11.6.1, as well as control 12.3.1 for the Targeted Risk Analysis (TRA) which supports requirement 11.6.1:

Requirement 6.4.3

Requirement 11.6.1

Requirement 12.3.1

Similarly, the eligibility criterion (Eligibility Criteria) used to enable identification of whether or not trading may employ SAQ A has also been modified, adding an express confirmation by the entity that its e-commerce website is not susceptible to attacks via scripts (or active content):

Eligibility Criterion for SAQ A

Implications of these changes in SAQ A

Removal of these controls in SAQ A (where the trade delegates entirely the processing of card data to a provider validated in PCI DSS – fully outsourced) has two sides:

  • On the one hand, it facilitates the compliance of those merchants that use integration solutions with payment platforms using redirection or iFrames, decreasing three controls.
  • However, it leaves the entity exposed to potential attacks derived from manipulations of the redirection controls or integrations via iFrames that involve interaction with the site where they are hosted.

In that sense, the risk management of attacks on payment pages of SAQ A has been removed as long as the commerce CONFIRMS that EFFECTIVELY its e-commerce service is not susceptible to attacks through scripts, It is therefore imperative that a preliminary assessment is carried out to validate these scenarios.

In conclusion: Remove controls 6.4.3, 11.6.1, 12.3.1 ALWAYS AND WHEN you trade CONFIRM that your website IS NOT VULNERABLE to attacks via scripts. Otherwise, it is necessary to implement the controls of other SAQs such as SAQ A-EP or SAQ D.

Update February 2025

Due to doubts arising from the way in which commerce should confirm that if site is not vulnerable to attacks through scripts, in February 2025 the PCI SSC published a new FAQ (FAQ #1588 How does an e-commerce merchant meet the SAQ A eligibility criteria for scripts?) where the following clarifications are made:

  • It is clarified that this confirmation does not apply when the merchant makes a redirect to the payment provider's page or when the payment functions are fully delegated to a provider (full outsourcing).
  • This confirmation should be made only when the merchant's website includes a payment form or page from a payment provider embedded in one or more inline frames (iFrames). In this case, proceed as follows:
    • Trade or supplier must implement techniques such as those described in requirements 6.4.3 or 11.6.1 to protect the website from the trade of scripts aimed at obtaining card data; or
    • Get confirmation from the merchant's payment provider that provides the embedded payment form or page that your solution protects the merchant's payment page from attacks from scripts when deployed according to the supplier's instructions.

Likewise, it is clarified that a third-party script provider is not considered a service provider (Third-Party Service Provider – TPSP) if the scripts are not related to payment processing and do not impact the security of card data.

In conclusion: If the trade uses iFrames, it must implement controls for the protection of scripts malicious (such as 6.4.3 or 11.6.1) or ask your payment provider if these techniques are implemented in your environment.

Dates of entry into force

The following are the effective dates of these changes:

  • 31 March 2025: The October 2024 version of SAQ A will be removed.
  • 1 April 2025: The January 2025 version (SAQ A r1) will enter into force, not including controls 6.4.3. 11.6.1 and 12.3.1

Downloads

The new version of SAQ A (SAQ A r1) is now available for download at PCI SSC website.

Also, here is the official communiqué of the PCI SSC in this regard: Important Updates Announced for Merchants Validating to Self-Assessment Questionnaire A

Leave to Reply