In response to stakeholder feedback regarding the complexity of implementing the new e-commerce security Requirements 6.4.3 and 11.6.1 in PCI Data Security Standard (PCI DSS) v4.0.1, the PCI Security Standards Council (PCI SSC) has announced important modifications for merchants validating to Self-Assessment Questionnaire A (SAQ A).
SAQ A includes only those PCI DSS requirements applicable to merchants with account data functions completely outsourced to PCI DSS validated and compliant third parties, where the merchant retains only paper reports or receipts with account data. SAQ A merchants may be either e-commerce or mail/telephone-order merchants (card-not-present) and do not store, process, or transmit any account data in electronic form on their systems or premises.
After thorough consideration and review of industry stakeholder feedback, PCI SSC is making the following updates to SAQ A:
- Removal of PCI DSS Requirements 6.4.3 and 11.6.1 for payment page security, and Requirement 12.3.1 for a Targeted Risk Analysis to support Requirement 11.6.1.
- Addition of an eligibility criterion requiring merchants to “confirm their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).”
Two versions of SAQ A are currently available on our website: one published in October 2024 and this new one published in January 2025. The SAQ A version that was published in October 2024 will be retired on 31 March 2025. The SAQ A version published in January 2025 is available now for review, but it does not take effect until 31 March 2025 (which is when the new PCI DSS v4.0.1 requirements will also take effect).
PCI DSS v4.0.1 Requirements 6.4.3, 11.6.1, and 12.3.1 become effective as of 31 March 2025. While these modifications to SAQ A will affect how merchants approach compliance reporting for these requirements, it’s important to note that they do not remove or diminish the underlying requirements within PCI DSS. SAQ A represents a balance of security needs and reasonable security requirements, while continuing to provide options and flexibility for compliance enforcing entities.
PCI SSC does not define compliance requirements for any organization or set compliance validation responsibilities. PCI SSC provides tools that may be used to facilitate compliance validation. Compliance validation requirements are set by brands, acquirers, payment facilitators, etc., which are often referred to as compliance enforcing entities. Organizations must consult with their compliance enforcing entity if they have questions regarding PCI DSS compliance validation requirements or the applicable validation tools that they may be eligible to use.
These developments underscore the vital role our stakeholder community plays in shaping and refining PCI standards and supporting program materials. The collaborative process that led to these changes exemplifies the benefits of being a Participating Organization in the PCI SSC community. Organizations interested in contributing to future development of standards or learning more about becoming a Participating Organization can find additional information on our website.