The PCI Security Standards Council (PCI SSC) has announced an important update for PCI DSS 4.0.1, specifically for e-commerce merchants using Self-Assessment Questionnaire A (SAQ A). This update follows industry concerns over the complexity of implementing security requirements 6.4.3 and 11.6.1 and aims to provide a more risk-based approach to compliance.
What Is SAQ A?
SAQ A applies to merchants that fully outsource account data functions to PCI DSS-compliant third parties. These businesses—whether e-commerce or mail/telephone order merchants—do not store, process, or transmit account data electronically on their systems. Instead, they rely entirely on third-party providers, retaining only paper records or receipts containing account data.
What Has Changed?
After reviewing feedback from merchants and industry experts, the PCI SSC has made the following key changes:
Removal of security requirements 6.4.3 and 11.6.1, which previously mandated additional payment page security controls.
Removal of requirement 12.3.1, which required a Targeted Risk Analysis in support of requirement 11.6.1.
Addition of a new eligibility requirement for merchants to confirm that their e-commerce system is not vulnerable to script-based attacks that could compromise security.
What This Means for Merchants
The PCI SSC has removed the detailed technical requirements for using payment page iframes; the original aim is now expressed in the SAQ A eligibility criteria, although the wording there is quite ambiguous. The responsibility is still on the merchant to ensure that their website is not susceptible to unknown or rogue scripts that could affect their consumers.
This is more of a risk-based approach than before, but it now specifically calls out the whole e-commerce system, because these scripts are often not confined to the parent and payment pages. There is no longer a mandated requirement to log and authorise each script, but you must be sure that your website is secure, including all first- and third-party scripts. Keep evidence proving this in case of a breach; without it you are likely to be found non-compliant.
Who Needs to Take Action?
Merchants who previously implemented solutions to meet requirements 6.4.3 and 11.6.1 will likely remain compliant with the new eligibility criteria, provided their security measures extend across the entire e-commerce system.
Merchants using payment page redirects to a PCI DSS-compliant payment gateway were previously out of scope for 6.4.3 and 11.6.1. Under the new update, they must now verify that all scripts within their e-commerce system are secure.
Service providers must still meet the original security requirements before the compliance deadline of March 31, 2025.
Upcoming Deadlines and Next Steps
Two versions of SAQ A are currently available:
October 2024 edition – Valid until March 31, 2025.
January 2025 (r1) edition – Effective after March 31, 2025, incorporating the new PCI DSS 4.0.1 eligibility criteria.
Merchants are advised to attest or re-attest under the October 2024 SAQ A before March 31, 2025, allowing them additional time to meet the new eligibility criteria. From April 1, 2025, only the revised SAQ A will be accepted.
How OmniCyber Can Help
Navigating PCI DSS compliance can be complex, but ensuring your e-commerce platform meets security expectations is critical. If you have any questions about these changes or need guidance on meeting the new eligibility requirements, contact OmniCyber Security today.