Understanding SAQ A’s New Eligibility Criteria

On January 30th, 2025, the PCI SSC published a major update to SAQ A that exempts certain merchants from complying with requirements 6.4.3 and 11.6.1.
To qualify, merchants must meet both of the following conditions:
- “All elements of the payment page(s)/form(s) delivered to the customer’s browser originate only and directly from a PCI DSS compliant TPSP/payment processor.”
- “The merchant has confirmed that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).”
This is a significant change. Before the January 2025 update, the PCI SSC had required every organization with online payment pages to comply with requirements 6.4.3 and 11.6.1 ahead of the March 31st, 2025 enforcement deadline, regardless of their SAQ type.
However, there is now a pathway for merchants meeting SAQ A eligibility criteria to potentially mark both of these requirements as “Not Applicable.” In general, this change could be beneficial for smaller merchants, freeing them from implementing the extensive script management and monitoring controls necessary for requirements 6.4.3 and 11.6.1.
In this blog post, we’ll unpack the changes in SAQ A’s eligibility criteria to identify exactly which organizations the PCI SSC has exempted from requirements 6.4.3 and 11.6.1.
Who’s Eligible Under the New SAQ A Changes?
In general, merchants completing SAQ A already rely on PCI DSS-compliant third-party service providers (TPSPs) to process payment cards and manage cardholder data (CHD). That is why they have the fewest requirements in scope (31) compared to SAQ A-EP (151 requirements) or SAQ D (252 requirements).
It seems that the PCI SSC is taking this a step further by mandating that these merchants fully defer their payment flows to their TPSP. So, for example, the merchant website should redirect to a payment page on the TPSP’s website or embed a TPSP-supplied iframe.
In other words, the responsibility for meeting requirements 6.4.3 and 11.6.1 falls upon the TPSP, as they are the ones processing payments and managing CHD in their environment.
This condition isn’t technically a new requirement, as SAQ A merchants already use TPSPs to process, store, and transmit payment card data. For example, a merchant that uses a TPSP would either redirect their customer to a TPSP-supplied payment page or send them to a payment page on their own website that embeds a TPSP-supplied iframe.
Overall, the first condition isn’t new information for the merchants who already outsource all of their CHD functions to TPSPs, which is a requirement to even qualify for SAQ A. However, there may be new implications for TPSPs.
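As an added example (not from the original post or from DataStealth), the following Python check parses the HTML of a payment page and lists every element that is not served from the TPSP origin, which is what a merchant would need to confirm for the first condition; the TPSP domain, the analytics host and the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes through which an element loads content or submits data.
SOURCE_ATTRS = {"script": "src", "iframe": "src", "link": "href", "img": "src", "form": "action"}


def origin_of(url):
    p = urlparse(url)
    if not p.scheme or not p.netloc:  # relative URL: served by the merchant's own host
        return "merchant (relative URL)"
    return f"{p.scheme}://{p.netloc}".lower()


class PaymentPageAuditor(HTMLParser):
    def __init__(self, tpsp_origin):
        super().__init__()
        self.tpsp_origin = tpsp_origin.rstrip("/").lower()
        self.findings = []  # (tag, attribute, value, origin)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_script = tag == "script"
        attr = SOURCE_ATTRS.get(tag)
        if attr and attrs.get(attr):
            origin = origin_of(attrs[attr])
            if origin != self.tpsp_origin:
                self.findings.append((tag, attr, attrs[attr], origin))

    def handle_data(self, data):
        # Inline script bodies are authored by the merchant page, not delivered by the TPSP.
        if self._in_script and data.strip():
            self.findings.append(("script", "inline", data.strip()[:40], "merchant (inline)"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def foreign_elements(html, tpsp_origin):
    """Return the elements not served by tpsp_origin; an empty list means condition 1 holds."""
    auditor = PaymentPageAuditor(tpsp_origin)
    auditor.feed(html)
    return auditor.findings


# Constructed sample page: a TPSP script and iframe plus three elements the TPSP did not deliver.
SAMPLE_PAGE = """<html><head>
<script src="https://pay.example-tpsp.com/checkout.js"></script>
<script src="https://cdn.analytics.example/tag.js"></script>
<link rel="stylesheet" href="/static/site.css">
<script>window.dataLayer = [];</script></head>
<body><iframe src="https://pay.example-tpsp.com/frame?session=abc"></iframe></body></html>"""
```

A static parse only sees what is in the delivered HTML; scripts injected at runtime need the browser-side monitoring that 6.4.3 and 11.6.1 otherwise require, which is why this check supports the eligibility confirmation rather than replacing those controls.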
As for the second condition, the PCI SSC is asking merchants to confirm that “their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).”
This condition is more ambiguous than the first one. For example, the PCI SSC did not clearly define what the “merchant’s e-commerce system(s)” are, especially given that the merchant’s payment processing and CHD are handled by a TPSP.

Who Must Still Comply With Requirements 6.4.3 and 11.6.1?
The new eligibility criteria apply specifically to merchants completing SAQ A, who have already outsourced their payment processing and CHD management to TPSPs.
Merchants eligible for SAQ A-EP or SAQ D will still need to meet requirements 6.4.3 and 11.6.1 ahead of the March 31st, 2025 deadline. These merchants have many more systems under PCI DSS scope because they manage CHD either partly or entirely themselves.
However, the PCI SSC’s changes for SAQ A could potentially offer a pathway for merchants currently eligible for SAQ A-EP to become eligible for SAQ A instead.
This approach would allow a SAQ A-EP merchant to greatly reduce the number of systems under PCI DSS scope by removing CHD from their environment.
However, with the March 31st enforcement deadline fast approaching, this shift may not be something most organizations can implement in so little time. For at least the near term, the focus should be on complying with requirements 6.4.3 and 11.6.1.
Moreover, the enforcement deadline is not tied to the organization’s next audit. In other words, they must have a solution for 6.4.3 and 11.6.1 in place by March 31st, 2025, even if their next audit takes place after the enforcement deadline.
For larger merchants, there could be an opportunity here to apply a two-pronged strategy that secures your short-term compliance needs and then simplifies them over the long term.
DataStealth’s Tamper Detection and Protection (TDP) is an out-of-the-box solution for rapidly meeting and exceeding requirements 6.4.3 and 11.6.1. TDP can help you meet the March 31st enforcement deadline and maintain your PCI DSS compliance.
In parallel, you can explore solutions like DataStealth’s Audit Scope Reduction to greatly reduce the number of systems under PCI DSS scope. This may allow you to potentially transition from SAQ D or SAQ A-EP to SAQ A.