There is a Self-Assessment Questionnaire (SAQ) A update that you must be aware of after March 2025.

The Update

The PCI Security Standards Council (PCI SSC) has announced essential modifications for merchants validating to Self-Assessment Questionnaire A (SAQ A), which will be effective after March 2025.

The following is updated:

  • Removal of PCI DSS Requirements 6.4.3 and 11.6.1 for payment page security, and Requirement 12.3.1 for a Targeted Risk Analysis to support Requirement 11.6.1.
  • Addition of an Eligibility Criterion for merchants to “confirm their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).”

The Meaning

There is now less for eCommerce merchants to do during SAQ A preparation. However, effective compliance can now be achieved with greater flexibility on the one hand and increased merchant responsibility on the other. In the case of failure, the number of applicable requirements can increase.

What To Do

For any merchant with a payment channel under SAQ A, Readiness.info recommends using one or more of the following approaches:

  • Conduct web application testing of the eCommerce site. This provides evidence that malicious insertion of scripts, or tampering with them, is impossible.
  • Implement Requirements 6.4.3 and 11.6.1 across the entire eCommerce site to prevent these threats.
  • Establish and document an in-house method of confirming that the eCommerce site is not susceptible to script attacks.
  • Get confirmation from the merchant’s PCI DSS compliant Third-Party Service Provider that the provided solution is protected from script attacks. See PCI SSC FAQ 1588 for more information.

Who Is Affected

The change affects any merchant who is responsible for providing SAQ A to the Acquirer or Payment Brand.