New PCI Requirements Released for SAQ A Merchant Validation

February 3, 2025 at 11:49 AM

The PCI Security Standards Council (PCI SSC) recently introduced significant updates for merchants validating their compliance using Self-Assessment Questionnaire A (SAQ A). These updates, part of PCI DSS v4.0.1, reflect industry feedback and evolving security concerns, particularly the growing threat of e-skimming.

Key Updates to SAQ A

1. Removal of Specific Security Requirements

One of the most notable changes is the removal of three specific PCI DSS requirements from SAQ A:

  • Requirement 6.4.3: Previously required merchants to maintain an inventory and review all scripts on payment pages.
  • Requirement 11.6.1: Mandated automated monitoring of payment pages for unauthorized modifications.
  • Requirement 12.3.1: Required a targeted risk analysis to support Requirement 11.6.1.

While this simplifies compliance for SAQ A merchants, removing these requirements does not eliminate the need for website security. The fundamental risks remain, and businesses must take proactive steps to ensure they are not vulnerable to malicious attacks like e-skimming.

2. New Eligibility Criteria for SAQ A Merchants

SAQ A merchants must now confirm that their entire website, not just payment pages, is not susceptible to script-based attacks. Specifically, SAQ A now requires merchants to attest:

"The merchant has confirmed that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s)."

This update acknowledges that threats like e-skimming can compromise an entire website, not just payment pages. It also places more responsibility on merchants to evaluate and secure their broader online environment rather than focusing solely on payment flows.

Implications for Merchants and PSPs

1. SAQ A Merchants Must Take Proactive Security Measures

While the explicit script inventory and monitoring requirements have been removed, SAQ A merchants are still responsible for protecting their websites. Practical steps include:

  • Regular Security Assessments: Conducting routine website scans to identify vulnerabilities.
  • Page Integrity Monitoring: Implementing tools to detect unauthorized script injections across the site.
  • Collaboration with Payment Service Providers (PSPs): Ensuring best practices for payment security and website integrity are in place.

For smaller merchants, this shift may feel overwhelming. Previously, SAQ A was considered the "easiest" PCI DSS validation method, but now merchants must demonstrate broader security protections. If your business lacks the resources for full-scale security monitoring, consider partnering with vendors that offer cost-effective solutions such as web application firewalls (WAFs) or content security policies (CSPs).
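As an added illustration of the "page integrity monitoring" and script inventory steps above (example code written for this article, not code from the original post or from Compass IT Compliance): a minimal baseline-and-diff check that records every script a page loads, by URL for external scripts and by SHA-256 hash for inline ones, and flags anything not in the approved baseline. The sample HTML and the `.test` domains are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Records external script URLs and SHA-256 hashes of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []  # start capturing an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip().encode()
            self.inline.append(hashlib.sha256(body).hexdigest())
            self._buf = None


def script_inventory(html):
    """Return the set of scripts a page loads: external by URL, inline by hash."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return set(p.external) | {"sha256-" + h for h in p.inline}


def unexpected_scripts(baseline_html, current_html):
    """Scripts present now that were not in the approved baseline (sorted)."""
    return sorted(script_inventory(current_html) - script_inventory(baseline_html))


# Constructed sample pages; the domains are placeholders, not real sites.
BASELINE = """<html><body>
<script src="https://cdn.example-psp.test/checkout.js"></script>
<script>window.shopConfig = {currency: "USD"};</script>
</body></html>"""
# The same page after a hypothetical unauthorized script was added.
TAMPERED = BASELINE.replace(
    "</body>", '<script src="https://static.example-other.test/loader.js"></script></body>')

if __name__ == "__main__":
    for s in unexpected_scripts(BASELINE, TAMPERED):
        print("ALERT: script not in approved baseline:", s)
```

A change to an inline script's contents shows up as a new `sha256-` entry, so the same check covers both injected and modified scripts; in practice the baseline would be refreshed whenever a script change is approved through the merchant's change control.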

2. Payment Service Providers (PSPs) Still Have Security Obligations

PSPs must continue to comply with:

  • PCI DSS Requirements 6.4.3 and 11.6.1, which remain mandatory for them beyond March 31, 2025.
  • Ensuring the integrity of payment flows and script monitoring.
  • Supporting merchant clients in addressing e-skimming risks.

This presents a strategic opportunity for PSPs to differentiate themselves by offering merchants security solutions tailored to SAQ A’s new requirements. By providing script monitoring services, security awareness training, and proactive risk assessments, PSPs can strengthen their relationships with merchants and add value to their offerings.

Compliance Timelines and the Shift to SAQ A-EP

The timing of these changes is crucial, as they arrive just two months before the March 31, 2025, PCI DSS v4.0.1 deadline. Merchants who previously qualified for SAQ A may need to reassess their eligibility.

Some organizations may find they no longer qualify for SAQ A and must transition to SAQ A-EP, which includes over 100 additional security requirements. This shift generally applies if:

  • The merchant's website interacts with cardholder data beyond redirecting to a PSP.
  • The site hosts third-party scripts that are not securely managed.
  • There is a lack of documented security measures to mitigate script-based threats.

To maintain eligibility under SAQ A, merchants should:

  • Verify that their entire site meets the new security criteria.
  • Implement comprehensive site-wide security controls.
  • Consult with their acquiring banks or compliance teams to confirm SAQ validation requirements.

Balancing Security and Compliance Simplicity

While these changes simplify some compliance burdens by removing prescriptive requirements, they also introduce ambiguity. Merchants no longer need to maintain exhaustive script inventories or automated monitoring but must ensure their website is secure. The focus has shifted from compliance checkboxes to a risk-based approach—businesses must demonstrate that their sites are not vulnerable to e-skimming without specific directives on how to do so.

For many merchants, this means taking proactive steps beyond what PCI DSS explicitly outlines. It’s no longer just about checking off requirements; it's about ensuring real security.

Closing Thoughts

The updates to SAQ A reflect a dynamic compliance landscape that balances industry feedback with the ongoing need for security against evolving threats like e-skimming. Merchants must take these changes thoughtfully and ensure their e-commerce sites are secure, even without prescriptive requirements. PSPs, in turn, have an opportunity to enhance their support for merchants by offering security solutions tailored to the new SAQ A framework.

With the March 31, 2025, deadline approaching, merchants and PSPs must act immediately to align their compliance strategies with the latest SAQ A updates and ensure continued protection for online transactions.

How Compass IT Compliance Can Help

As a Qualified Security Assessor (QSA), Compass IT Compliance helps merchants and PSPs navigate the evolving PCI DSS landscape. Our team can assist with:

  • Assessing your eligibility for SAQ A.
  • Evaluating security controls and identifying vulnerabilities.
  • Implementing risk mitigation strategies to safeguard your website.

With the March 31, 2025, deadline approaching, now is the time to act. Contact us today to learn how we can help secure your e-commerce operations and ensure compliance with the latest PCI DSS requirements.
