New SAQ A eligibility criteria: What does this change announced by the PCI SSC imply?

By Jaime Loaiza
3 Feb 2025

On 30 January 2025, the PCI Security Standards Council (PCI SSC) announced a significant update that directly impacts merchants who validate their compliance through the Self-Assessment Questionnaire A (SAQ A). This announcement implies a significant change to the eligibility criteria, which will force many businesses to re-evaluate how they comply with PCI DSS requirements.

Historically, SAQ A has been the option for merchants that completely outsource the handling of payment card data to PCI DSS compliant providers. However, the recent adjustments published on the official PCI SSC website remove, for version 4.0.1, some of the controls that were previously required in order to qualify under SAQ A.

Undoubtedly, these changes create some uncertainty about the applicability of some controls. For this reason, it is essential that companies understand in detail what these changes mean and how they could impact their compliance process.

A2SECURE, a QSA company specializing in compliance, has had its experts highlight the key points of the update that will be useful to the companies affected by this change.

What are the main changes in the PCI V4.0.1 update?

Following the process of analysis and review of the comments made by stakeholders in the payment industry, the PCI Security Standards Council (PCI SSC) has made specific updates in the SAQ A.

These updates can be summarized in two key points: first, the removal of requirements, and second, the inclusion of a new eligibility requirement.

Removal of requirements

Two controls that were to be considered ‘mandatory’ by the entity as of 31 March 2025 have been removed:

  • 6.4.3. All payment page scripts that are loaded and executed in the consumer’s browser are handled in the following way:
    • A method is implemented to confirm that each script is authorized.
    • A method is implemented to ensure the integrity of each script.
    • An inventory of all scripts is maintained with a written business or technical justification explaining their necessity.
  • 11.6.1. The change and tamper detection mechanism is deployed as follows:
    • To send alerts to staff on unauthorised modifications (including compromise indicators, changes, additions and deletions) to security-affecting HTTP headers and script content of payment pages as received by the consumer’s browser.
    • The mechanism is configured to evaluate the received HTTP header and payment page.
    • The functions of the mechanism are performed as follows:
      • At least weekly
      • Periodically (at a frequency defined in the entity-specific risk analysis, which is developed according to all elements specified in Requirement 12.3.1).

Similarly, requirement 12.3.1, which was scheduled to become mandatory on March 31, 2025, has been removed.

  • For each PCI DSS requirement that specifies completing a specific risk analysis, the analysis must be documented and include:
    • Identification of the assets to be protected.
    • Identification of the threats against which the requirement is intended to protect.
    • Identification of factors contributing to the likelihood and/or impact of a threat materializing.
    • Resulting analysis determining and including justification as to how the frequency or processes defined by the entity to meet the requirement minimize the likelihood and/or impact of the threat materializing.
    • Review of each specific risk analysis at least once every 12 months to determine whether the results are still valid or whether an updated risk analysis is needed.
    • Conducting updated risk analyses when necessary, as determined by the annual review.

NOTE: For SAQ A, this requirement only applies to businesses that have chosen the option to perform a specific risk analysis to define the frequency with which the functions of the change and tamper detection mechanism are performed (requirement 11.6.1).

New eligibility requirement: Confirmation that website is free of vulnerabilities

The PCI SSC states that in order for merchants to remove some of the previously required controls, they must first comply with a new condition.

Specifically, the condition is to confirm that their websites are not vulnerable to scripting attacks that could compromise their e-commerce systems.


At first glance, this might appear to be a straightforward requirement for those businesses that fit into the ‘eCommerce only’ category – described in SAQ A through full outsourcing of the payment form to a PCI DSS provider.

However, in the experience of our QSA experts, this change implies a considerable challenge. Declaring that a website is protected is insufficient to guarantee the security of a merchant.

Specific measures need to be implemented to minimize risks, such as eSkimming attacks or script tampering. This approach implies that merchants really need to understand what measures they have in place to protect themselves against such attacks before they can confirm that their site is secure.

The update published by the PCI SSC redefines compliance by requiring merchants to strengthen their preventative controls in order to validate their eligibility.

How can affected merchants demonstrate PCI DSS compliance?

Currently, there are two versions of SAQ A that merchants affected by the update can use to demonstrate PCI DSS compliance:

  • PCI DSS version released in October 2024.

This version includes the requirements considered as best practices (6.4.3, 11.6.1 and 12.3.1) that were to be mandatory as of 31 March 2025. This version of SAQ A will be withdrawn on 31 March 2025.

  • PCI DSS version published in January 2025

This version removes mandatory compliance with controls 6.4.3, 11.6.1 and 12.3.1, but adds eligibility criteria for merchants to confirm that their website is not susceptible to scripted attacks that could affect the merchant’s e-commerce systems.

How does the new update affect merchants?

These changes represent a major shift in the way many merchants approached compliance with the new version of the PCI DSS, a version that introduces 64 new controls and will be mandatory as of 1 April 2025.

For many merchants, the removal of controls 6.4.3 and 11.6.1 may come as a relief. However, the new requirement for such merchants to confirm that sites are free of vulnerabilities introduces a significant challenge.

Merchants that did not categorize themselves as SAQ A will not see substantial changes in their approach. However, for merchants that were demonstrating PCI DSS compliance through an SAQ A, the update makes the process more complicated.


The need to ensure the absence of vulnerabilities through specific measures becomes a fundamental requirement.

In fact, although it is no longer mandatory to comply with the removed controls, in practice it is still necessary to implement mechanisms to ensure that the website is not vulnerable to scripted attacks.

In short, although at first glance it may seem that the requirements are reduced, the level of responsibility for maintaining a secure environment does not diminish. A2SECURE experts say that the real impact is the need to strengthen security.

Next steps: A2SECURE Recommendations

Controls 6.4.3 and 11.6.1 were specifically designed to reduce the risk of script-based attacks on web pages. By removing these controls, merchants that demonstrate PCI DSS compliance through an SAQ A must take responsibility for ensuring that level of security.

Identifying and neutralizing vulnerabilities in scripts requires a proactive approach. It is important to maintain an up-to-date script inventory, implement continuous monitoring, perform periodic security testing, etc. Without these measures, ensuring that a website is free of threats is more difficult than it was before, when the controls were mandatory.
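The measures just listed, and the controls 6.4.3 and 11.6.1 described earlier in the article (an authorized script inventory with a written justification per script, integrity of each script, and detection of changes to security-affecting HTTP headers and script content as received by the browser), can be exercised with a check like the one below. This is an added example, not code from A2SECURE or the PCI SSC; the payment page, provider URL, script bodies and Content-Security-Policy baseline are constructed, and the regex-based tag extraction is demo-grade rather than a full HTML parser.

```python
import base64
import hashlib
import re

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)

def sri_hash(body):
    """Subresource-Integrity style digest (sha384, base64) of a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body.encode()).digest()).decode()

def collect_scripts(html):
    """Yield (src, inline_body) per <script> tag; src is None for inline scripts. Demo-grade regex parsing."""
    for attrs, body in SCRIPT_RE.findall(html):
        m = SRC_RE.search(attrs)
        yield (m.group(1) if m else None, body.strip())

def check_payment_page(html, fetched, inventory, headers, header_baseline):
    """Compare the page as received by the browser with the authorized script inventory (6.4.3)
    and the header baseline (11.6.1). Returns a list of findings; an empty list means clean."""
    findings = []
    by_src = {e["src"]: e for e in inventory if e["src"]}
    inline_ok = {e["sha384"] for e in inventory if e["src"] is None}
    for src, body in collect_scripts(html):
        if src is None:  # inline scripts are authorized by content hash
            if sri_hash(body) not in inline_ok:
                findings.append("unauthorized or modified inline script")
        elif src not in by_src:  # script not present in the inventory at all
            findings.append(f"unauthorized script: {src}")
        elif sri_hash(fetched.get(src, "")) != by_src[src]["sha384"]:  # changed or not retrievable
            findings.append(f"integrity mismatch: {src}")
    for name, expected in header_baseline.items():  # security-affecting headers must match baseline
        if headers.get(name) != expected:
            findings.append(f"header missing or changed: {name}")
    return findings

# Constructed sample data (not a real merchant, provider or page).
PSP_JS = "window.PSP = {mount: function (el) {/* hosted payment form */}};"
INLINE_JS = 'window.merchantId = "demo-merchant";'
SAMPLE_HTML = ('<html><head><script src="https://checkout.example-psp.test/v1/form.js"></script>'
               f'<script>{INLINE_JS}</script><script src="https://cdn.third-party.test/analytics.js"></script>')
FETCHED = {"https://checkout.example-psp.test/v1/form.js": PSP_JS,
           "https://cdn.third-party.test/analytics.js": "/* tag not in inventory */"}
INVENTORY = [  # each entry carries the written justification that 6.4.3 asks for
    {"src": "https://checkout.example-psp.test/v1/form.js", "sha384": sri_hash(PSP_JS),
     "justification": "hosted payment form of the PCI DSS compliant provider"},
    {"src": None, "sha384": sri_hash(INLINE_JS), "justification": "merchant id passed to the form"},
]
HEADER_BASELINE = {"Content-Security-Policy": "script-src 'self' https://checkout.example-psp.test"}
```

Running `check_payment_page(SAMPLE_HTML, FETCHED, INVENTORY, HEADER_BASELINE, HEADER_BASELINE)` reports the analytics tag that is not in the inventory; feeding it a loosened CSP header or a modified provider script adds a header or integrity finding, which is the kind of alert 11.6.1 expects to reach staff.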

Therefore, the best way to deal with this update is to adopt a cybersecurity posture that is more proactive and less reliant on ad hoc requirements.

As a company specialized in this area, A2SECURE can help merchants understand, implement and maintain these practices, all with the goal of ensuring not only compliance, but also a real improvement in their security posture.

Would you like to increase the security of your website and reduce the risk of script-based attacks? Contact our expert team: [email protected]
