PCI Updates for Merchants re DSS V4.0.1

Published on: Feb 5, 2025

On Jan. 30, PCI issued updates for merchants validating to SAQ A.

  • PCI responded to stakeholder feedback regarding the complexity of implementing e-commerce security requirements 6.4.3 and 11.6.1 in PCI Data Security Standard (PCI DSS) V4.0.1.
  • Announced important modifications for merchants validating to self-assessment questionnaire A (SAQ A), after consideration of the stakeholder feedback.
  • Follows PCI's Aug. 2024 release of a revised ROC template for PCI DSS V4.0.1; see #224207.
Background
  • SAQ A includes only the PCI DSS requirements applicable to merchants whose account data functions are completely outsourced to PCI DSS validated and compliant third parties, where the merchant retains only paper reports or receipts with account data.
  • SAQ A merchants may be either e-commerce or mail/telephone order merchants, and do not store, process, or transmit any account data in electronic form on their systems or premises.
Updates to SAQ A
  • Removal of PCI DSS Requirements 6.4.3 and 11.6.1 for payment page security, and of Requirement 12.3.1 for a Targeted Risk Analysis supporting Requirement 11.6.1.
  • Addition of an Eligibility Criteria for merchants to confirm their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).
  • Modifications will affect how merchants approach compliance reporting for these requirements, but do not remove or diminish the underlying PCI DSS requirements.
Effectiveness
  • Two versions of SAQ A are currently available on the PCI website: one published in October 2024 and the new one published in January 2025 following the amendments.
  • The SAQ A version published in October 2024 will be retired on Mar. 31, 2025.
  • The SAQ A version published in January 2025 is available now for review, but does not take effect until Mar. 31, 2025 (when the new PCI DSS v4.0.1 requirements also take effect).
Regulators
PCI
Entity Types
Bank; Corp; MSB
Reference
PR 1/30/2025
Functions
Compliance; Financial; Legal; Operations; Privacy; Product Administration; Reporting; Risk; Technology
Countries
Global Regulator
Category
State
N/A
Products
Banking; Cards; Payments
Rule Type
Final
Regions
Global
Rule Date
Jan 30, 2025
Effective Date
Mar 31, 2025
Rule ID
242313
Linked to
Reg. Last Update
Jan 30, 2025
Report Section
International