PCI DSS v4 Update: The New SAQ A Changes Explained
With the PCI DSS March 31 deadline drawing near, the recent Jan 30th, 2025, update to the Self-Assessment Questionnaire (SAQ A) seems like another important change for e-commerce merchants to get their heads around, but is it really another hurdle or a much-needed wake-up call? Let’s go through the changes.
Who is eligible for SAQ A?
SAQ A only applies to e-commerce or mail/telephone order (MOTO) merchants who can confirm that they:
- Accept only card-not-present (CNP) transactions
- Fully outsource cardholder data functions to a PCI DSS-compliant processor
- Do not store, process, or transmit cardholder data electronically (paper records only)
- Use third-party service providers (TPSPs) that are PCI DSS compliant
Key Changes in the SAQ A Update
Removal of Requirements 6.4.3 and 11.6.1
To be clear, these requirements are not being removed from PCI DSS. What’s happening is that if e-commerce merchants can confirm that, “…their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s),” then they do not have to meet them, and they can self-assess their compliance using form SAQ A.
So, for SAQ A-eligible merchants who can confirm that their site isn’t susceptible to script attacks, the update relieves them of the need to comply with 6.4.3 and 11.6.1, which were specifically introduced to combat e-skimming attacks, and with Requirement 12.3.1, which called for a targeted risk analysis to support Requirement 11.6.1.
Additionally, SAQ A only applies to, “…merchants with account data functions completely outsourced to PCI DSS validated and compliant third parties, where the merchant retains only paper reports or receipts with account data.” So, this update effectively transfers the responsibility for maintaining compliance with 6.4.3 and 11.6.1 to PCI DSS-validated and compliant third-party service providers (TPSPs) or payment processors.
New Focus: Comprehensive Website Security
As we noted, although merchants validating to SAQ A will no longer need to comply with requirements 6.4.3 and 11.6.1, they instead must confirm that their entire website is secured against script-based attacks, and those who cannot confirm this must validate to SAQ A-EP or SAQ D. This raises the question of how, though: how can they confirm that their entire website is not susceptible to script-based attacks? Unfortunately, they can’t! If they embed those approved TPSPs’ payment forms in iframes—which are often invisible to embedded security solutions—they may find themselves crossing their fingers and hoping for the best.
A far safer approach would be placing their trust in a remotely executed script analysis solution like Reflectiz, as it offers complete visibility over iframe scripts (and all scripts) and alerts their security teams to any problematic behaviors they may display before they can become problems.
What This Means for Merchants
The update puts merchants in something of a Catch-22 situation: if they outsource payment processing to an approved provider and can show that their e-commerce systems aren’t vulnerable to attacks, then they won’t have to comply with 6.4.3 and 11.6.1. But the best way for them to demonstrate this is to show that they do more than comply with 6.4.3 and 11.6.1, protecting not just their payment pages from unauthorized code changes but the entire site.
It seems, then, that the best way for merchants to qualify for self-assessment with SAQ A is, ironically, to expand their security approach by adopting more comprehensive monitoring and threat remediation tools, but this outcome was no doubt what PCI SSC intended and is arguably no bad thing given that it encourages greater security for businesses and their customers.
The Reflectiz dashboard covers these requirements comprehensively. It offers a dedicated PCI page that makes compliance with 6.4.3 and 11.6.1 straightforward, and also reduces the reporting burden for merchants, allowing them to quickly generate compliance reports for PCI audits and demonstrate to QSAs that Reflectiz protects their business with ongoing monitoring of all payment page scripts loaded and executed in the consumer’s browser, along with quick-response tamper detection to alert them of any changes.
It’s a proactive, preventative, remotely executed solution that constantly updates its map of connected third and fourth-party scripts and apps, delivering maximum protection against web-skimming and Magecart attacks and ultimate peace of mind.
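As an added illustration (not Reflectiz’s code and not PCI SSC guidance), the following Python sketch shows the minimum that a 6.4.3-style script inventory combined with 11.6.1-style change detection involves: compare the scripts a payment page actually loads against an authorized baseline of content hashes and flag anything new, altered or removed. All hosts, paths and script bodies are constructed sample values, and the iframe handling makes the point from the previous section concrete: a third-party payment form in an iframe shows up only as an opaque source, its scripts invisible to a check run on the parent page.

```python
import hashlib
from html.parser import HTMLParser


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


class ScriptCollector(HTMLParser):
    """Collect external <script src> and <iframe src> values from page HTML."""
    def __init__(self):
        super().__init__()
        self.scripts, self.iframes = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])


def check_page(html, fetched, baseline):
    """Compare loaded scripts with the authorized inventory; return (finding, src) pairs."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.scripts:
        if src not in baseline:
            findings.append(("unauthorized", src))  # not in the 6.4.3-style inventory
        elif sha256(fetched.get(src, "")) != baseline[src]:
            findings.append(("modified", src))  # 11.6.1-style change/tamper signal
    findings += [("missing", src) for src in baseline if src not in p.scripts]
    # Scripts running inside a third-party iframe are not visible in the parent HTML.
    findings += [("opaque-iframe", src) for src in p.iframes]
    return findings


# Constructed sample data; hosts, paths and script bodies are hypothetical.
KNOWN_GOOD = {
    "/js/checkout.js": "window.checkout = {init: function () {}};",
    "https://cdn.example.test/analytics.js": "/* analytics v1 */",
}
BASELINE = {src: sha256(body) for src, body in KNOWN_GOOD.items()}  # authorized hashes
PAGE_HTML = """<html><body>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example.test/analytics.js"></script>
<script src="https://static.example.test/widget.js"></script>
<iframe src="https://pay.psp.example.test/form"></iframe>
</body></html>"""
FETCHED = dict(KNOWN_GOOD)
FETCHED["/js/checkout.js"] += "/* unreviewed appended code */"  # simulated tampering
FETCHED["https://static.example.test/widget.js"] = "/* never inventoried */"
```

In practice the baseline is refreshed through a change-control step when a script is legitimately updated, and the check runs against the page as served to a real browser, not a stored copy.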
Potential Compliance Challenges
The impending March 31st deadline creates urgent compliance challenges, compelling businesses to rapidly reassess their current status, potentially upgrade to more comprehensive assessment questionnaires like SAQ A-EP, and implement more robust website monitoring solutions to meet the evolving PCI DSS security requirements.
When You Might Need a Different SAQ
Consider a different Self-Assessment Questionnaire if:
- You control the web environment affecting the payment process
- You store or process cardholder data internally
- Your website has more complex payment integrations
Recommendations for Merchants
- Conduct a thorough review of your entire website’s security
- Implement continuous monitoring solutions such as Reflectiz
- Verify whether your site is vulnerable to script-based attacks
- Consult with a PCI DSS compliance expert if you’re unsure about your status
The Importance of Proactive Web Security
Even if a business qualifies for SAQ A, it’s important to remember that outsourcing payment processing doesn’t eliminate security risks. Attackers can still compromise a website through skimming attacks like Magecart and form jacking before customers even check out, so merchants must secure the whole site to stay PCI DSS compliant.
Final Thoughts
The PCI DSS SAQ A update reflects the dynamic nature of cybersecurity, and with time running out, merchants must consider how they can respond with the quickest, most effective way to protect their e-commerce environments. Whichever SAQ path they take, and to answer our initial question, this update is both a hurdle and a wake-up call for businesses that by necessity operate in an increasingly hostile environment. Reflectiz is every e-commerce merchant’s best option for meeting PCI DSS script security requirements and keeping their business safe for customers.