Late on 30 January 2025, the PCI SSC announced changes to SAQ A, which may be seen as positive or negative depending on one's perspective.
The future-dated requirements (6.4.3, 11.6.1 and, in turn, 12.3.1), which were due to take effect on 1 April, will now be removed from the new version of SAQ A. Instead, new eligibility criteria bullets have been introduced:
SAQ A merchants confirm that, for this payment channel:
- The merchant accepts only card-not-present (e-commerce or mail/telephone-order) transactions;
- All processing of account data is entirely outsourced to PCI DSS compliant third-party service provider (TPSP)/payment processor;
- The merchant does not electronically store, process, or transmit any account data on merchant systems or premises, but relies entirely on a TPSP(s) to handle all these functions;
- The merchant has confirmed that TPSP(s) are PCI DSS compliant for the services being used by the merchant; and
- Any account data the merchant might retain is on paper (for example, printed reports or receipts), and these documents are not received electronically.
Additionally, for e-commerce channels:
- All elements of the payment page(s)/form(s) delivered to the customer’s browser originate only and directly from a PCI DSS compliant TPSP/payment processor.
- The merchant has confirmed that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).
Why Could This Be Good News for Some?
This revision is broader and more open to interpretation than requirements 6.4.3 and 11.6.1, which focused specifically on payment page scripts, HTTP headers, cookies, and change detection mechanisms to prevent skimming attacks. The new, broader wording could allow multiple ways for an entity to demonstrate that it meets the entry criteria: the original approach of script monitoring and change detection mechanisms, but now also, perhaps, vulnerability scanning, penetration testing, or even implementing a Content Security Policy (CSP). Could these be accepted as alternatives to change detection?
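To make the "script monitoring and change detection" option concrete, here is an added example (not code from the original post or from the PCI SSC) of the kind of check a merchant might run: it inventories every script on a checkout page as delivered to the browser and compares each one against an authorised list of sources and content hashes, flagging unauthorised or changed scripts. The page HTML, the script bodies and the hostnames are all constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample of the HTML a customer's browser would receive for a
# checkout page. Hostnames are placeholders, not real merchant or TPSP sites.
PAYMENT_PAGE_HTML = """<html><head>
<script src="https://tpsp.example/checkout.js"></script>
<script>window.checkoutConfig = {currency: "GBP"};</script>
<script src="https://cdn.example/analytics.js"></script>
</head><body><form id="pay"></form></body></html>"""

# Constructed bodies of the external scripts as delivered (what a fetch would return).
FETCHED = {
    "https://tpsp.example/checkout.js": b"/* tpsp hosted checkout */",
    "https://cdn.example/analytics.js": b"/* analytics */ document.forms.pay.onsubmit = f;",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Authorised inventory: scripts the merchant has reviewed and approved, keyed by
# source URL (external) or by content hash (inline). analytics.js is deliberately absent.
AUTHORIZED = {
    "external": {"https://tpsp.example/checkout.js": sha256(b"/* tpsp hosted checkout */")},
    "inline": {sha256(b'window.checkoutConfig = {currency: "GBP"};')},
}

class ScriptCollector(HTMLParser):
    """Collects ('external', src) and ('inline', body) entries for every <script> tag."""
    def __init__(self):
        super().__init__()
        self.scripts, self._buf = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(("external", src))
            else:
                self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append(("inline", "".join(self._buf).strip()))
            self._buf = None

def check_payment_page(html, fetched, authorized):
    """Return a list of findings; an empty list means every script matches the inventory."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for kind, value in collector.scripts:
        if kind == "external":
            expected = authorized["external"].get(value)
            if expected is None:
                findings.append(f"unauthorised script source: {value}")
            elif value not in fetched:
                findings.append(f"could not retrieve {value}")
            elif sha256(fetched[value]) != expected:
                findings.append(f"content changed: {value}")
        elif sha256(value.encode()) not in authorized["inline"]:
            findings.append(f"unauthorised inline script: {value[:40]}")
    return findings
```

Running `check_payment_page(PAYMENT_PAGE_HTML, FETCHED, AUTHORIZED)` reports the unapproved analytics script; swapping in a modified body for checkout.js produces a "content changed" finding instead.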
One significant benefit of this change is the potential cost reduction for e-commerce merchants. Previously, meeting requirements 6.4.3 and 11.6.1 often involved purchasing specialised third-party solutions. When these requirements were first introduced, one of my clients was quoted $50,000 per domain name for a solution. While costs have since come down, they remain high for many businesses. This new, risk-based approach could provide a more cost-effective alternative for many e-commerce merchants.
Why Could This Be Bad News for Some?
The new entry criteria may create challenges for some e-commerce merchants who previously qualified for SAQ A but now struggle to meet the updated entry criteria. As a result, they may need to validate using SAQ A-EP or even SAQ D, which are more complex and demanding.
However, it is important to note that the PCI SSC is expected to release additional guidance in the coming eight weeks on how merchants can demonstrate that they meet the new criteria. It may turn out that meeting these new criteria is less difficult than it first appears.
Additionally, this change could impact solution providers that entered the market in response to the original requirements. Many of these providers developed specialised solutions to help merchants meet 6.4.3 and 11.6.1. Now, they may need to pivot their offerings to help merchants comply with the broader, less rigid entry criteria of SAQ A.
For companies that have already invested in expensive solutions tailored to 6.4.3 and 11.6.1, this change raises questions about the continued value of those solutions.
It is also important to note that the use of iFrames or URL redirects as the payment integration could also come into play. Requirements 6.4.3 and 11.6.1 only applied to merchants that use an iFrame and were not applicable to entities using URL redirects. The question now may be: if I use a URL redirect, is my site susceptible to script attacks? If this question can be answered, it may make meeting the new entry criteria easier for merchants that already use URL redirects or have already planned the move to them to address requirements 6.4.3 and 11.6.1.
Only time will tell how the industry will adapt, but the next eight weeks will undoubtedly be interesting as more details emerge.
The new SAQ A will be in use from the end of March; until then, entities can still use the SAQ A that was last updated in October 2024.
Final Thoughts
As always, merchants should stay informed and consult with their PCI QSA to ensure they fully understand their compliance obligations. The shift in the PCI SSC’s approach to SAQ A highlights the evolving nature of e-commerce attack vectors and the need for a flexible, risk-based approach to security. Keeping an eye on upcoming PCI SSC guidance will be crucial in navigating these changes effectively.
The PCI SSC blog release can be found here: