SAQ A Merchants Now Exempt from Requirements 6.4.3 and 11.6.1 Under Certain Conditions
The PCI Security Standards Council (PCI SSC) has introduced a major change for merchants completing Self-Assessment Questionnaire (SAQ) A.
Under specific conditions, SAQ-A merchants may now be exempt from meeting PCI DSS requirements 6.4.3 and 11.6.1.
Here's what this means and why it matters.
In the lead-up to this announcement, there were rumors that the PCI SSC might delay the enforcement deadline for requirements 6.4.3 and 11.6.1, originally set for March 31st, 2025.
However, rather than announcing an extended deadline, the Council has instead introduced an exemption for SAQ A merchants—provided certain conditions are met.
SAQ A merchants are not subject to requirements 6.4.3 and 11.6.1 if the “merchant has confirmed that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).”
You can find additional details in the PCI’s blog post here.
What’s Changing?
The exemption applies to two key requirements:
- Requirement 6.4.3: Ensures that scripts on payment pages are inventoried, authorized, justified, and monitored to prevent malicious tampering.
- Requirement 11.6.1: Requires real-time monitoring of unauthorized changes to script contents or security-impacting headers to protect against attacks like web skimming.
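Neither requirement prescribes a particular tool, but the checks they describe are simple to state in code. The Python below is an added example, not code from the PCI SSC or from this post: it keeps a hashed inventory of authorized scripts (the 6.4.3 side) and, for a fetched payment page, reports scripts that are unauthorized or whose content changed and security-impacting headers that drifted from the baseline (the 11.6.1 side). The URLs, script bodies and header values are constructed sample data, and the `fetched` mapping stands in for actually downloading each script.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample: script body as captured when the page was last authorized.
KNOWN_GOOD = {
    "https://pay.example.test/js/checkout.js": b"window.Checkout = {render: function () {}};",
}
# Inventory in the spirit of 6.4.3: every script on the page must appear here.
AUTHORIZED_SCRIPTS = {url: hashlib.sha256(body).hexdigest() for url, body in KNOWN_GOOD.items()}
# Security-impacting headers whose values must not drift (11.6.1).
BASELINE_HEADERS = {
    "content-security-policy": "script-src 'self' https://pay.example.test",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
}

class ScriptCollector(HTMLParser):
    # Collects external script URLs and non-empty inline script bodies.
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            self._in_script = src is None
            if src:
                self.external.append(src)
    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data.strip())
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def check_payment_page(html: str, headers: dict, fetched: dict) -> list:
    # `fetched` maps script URL -> bytes and stands in for downloading each script.
    findings, collector = [], ScriptCollector()
    collector.feed(html)
    for src in collector.external:
        if src not in AUTHORIZED_SCRIPTS:
            findings.append(f"unauthorized script: {src}")
        elif hashlib.sha256(fetched.get(src, b"")).hexdigest() != AUTHORIZED_SCRIPTS[src]:
            findings.append(f"content changed: {src}")
    for body in collector.inline:
        findings.append(f"unauthorized inline script: sha256 {hashlib.sha256(body.encode()).hexdigest()[:12]}")
    lowered = {name.lower(): value for name, value in headers.items()}
    for name, expected in BASELINE_HEADERS.items():
        if lowered.get(name) != expected:
            findings.append(f"header changed: {name}")
    return findings
```

An empty list means the page still matches the baseline; anything else is the kind of change 11.6.1 expects to be alerted on and reconciled against the 6.4.3 inventory.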
Previously, all merchants—regardless of their SAQ type—were expected to comply with these requirements. Moving forward, SAQ A merchants are no longer subject to them, provided they meet the condition quoted above.
Why the Exemption?
SAQ A merchants outsource all payment processing and cardholder data (CHD) management to third-party service providers (TPSPs), meaning they don’t directly handle sensitive card data themselves. As a result, the compliance burden shifts to the TPSP.
To clarify: requirements 6.4.3 and 11.6.1 are not being removed from PCI DSS—they simply won’t apply to SAQ A merchants under these new conditions.
What Does This Mean For Merchants?
This change could significantly benefit e-commerce businesses that rely entirely on TPSPs for payment processing and CHD management. Eligible merchants would see a reduced compliance burden, since they can avoid implementing complex script management and monitoring controls themselves, saving time and resources.
Additionally, larger merchants may explore whether they can leverage similar exemptions by reducing their PCI DSS scope through TPSPs.
Stay Tuned for More Details
We’ll continue unpacking these changes in the coming days and weeks as more information becomes available. Get the latest updates and guidance delivered straight to your inbox by signing up for our newsletter.