The PCI Security Standards Council (PCI SSC) has made significant updates to Self-Assessment Questionnaire type A (SAQ A) as part of PCI DSS v4.0.1. These changes impact e-commerce merchants who outsource payment processing and previously relied on the SAQ A for compliance validation.

The latest modifications include:

  • Removal of PCI DSS Requirements 6.4.3, 11.6.1, and 12.3.1 from SAQ A.
  • New eligibility criteria requiring merchants to confirm their site is not susceptible to script-based attacks.

These updates take effect on March 31, 2025, when the new January 2025 SAQ A version replaces the October 2024 version.

Who Is Affected by the PCI SSC Updates to SAQ A?

The SAQ A changes apply to:

  • E-commerce merchants using hosted payment pages (redirects or iFrames).
  • Businesses that rely on PCI DSS-compliant third-party payment providers for e-commerce outsourcing.

If your organization previously used SAQ A for e-commerce compliance validation, you need to understand how these updates impact your security responsibilities.

What Has Changed?

1. Removal of Key Security Requirements from SAQ A

  • Requirement 6.4.3 (E-Commerce Payment Page Security) – Requires organizations to manage their scripts to prevent unauthorized code from executing in payment pages as they are rendered in the consumer’s browser.
  • Requirement 11.6.1 (Automated Detection for Unauthorized Scripts) – Requires organizations to implement change- and tamper-detection mechanisms to detect and prevent malicious script injection attacks (e.g., Magecart attacks).
  • Requirement 12.3.1 (Targeted Risk Analysis for 11.6.1) – Requires merchants to perform a targeted risk analysis to determine how often script monitoring should occur if monitoring is performed on a periodic cadence.

What this means to you: These requirements are still part of PCI DSS v4.0.1, but SAQ type A merchants are no longer required to validate compliance with them, as long as they meet the new eligibility criteria.

2. New SAQ type A Eligibility Criteria

  • Merchants must now “confirm their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).”

What this means to you: Even though SAQ A removes specific security controls, merchants must still ensure their site is protected from script-based threats.

Why Are These Changes Important?

  • Simplifies compliance for SAQ A merchants – Removing 6.4.3, 11.6.1, and 12.3.1 reduces reporting complexity for businesses that fully outsource payments.
  • Does NOT eliminate security risks – Script-based attacks (e.g., Magecart, formjacking) remain a significant threat, so merchants must still protect their website environments.
  • Emphasizes merchant accountability – The new eligibility requirement makes it clear that merchants cannot ignore web security, even if they use third-party payment providers. Organizations need to fully understand who is responsible for the e-commerce environment and for the outsourced integration components.

How Can Merchants Ensure Compliance?

  • Verify SAQ A eligibility – Confirm that your business meets the new criteria for script-based attack prevention.
  • Implement website security measures – Use Content Security Policy (CSP), Subresource Integrity (SRI), and real-time script monitoring to prevent malicious injection attacks.
  • Assess your risk exposure – Even without 12.3.1, businesses should perform risk assessments to evaluate vulnerabilities in their e-commerce environment.
  • Confirm third-party provider compliance – Ensure your payment service provider remains PCI DSS compliant and follows strong security practices.
  • Update security policies – Adapt internal security policies to reflect the new SAQ A scope and the ongoing need for web security measures.
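As an added illustration (not code from this article, PCI SSC or HALOCK) of the script controls this list refers to, the following Python script audits the scripts on a rendered payment page against an authorized inventory, in the spirit of Requirement 6.4.3 (script inventory and integrity) and 11.6.1 (change and tamper detection): every external script must be in the inventory with a matching SRI hash, and every inline script must match an allowed CSP-style hash. The inventory entries, URLs and page content are constructed placeholders, not real provider values.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """SRI / CSP hash-source value ('sha384-<base64>') for a script body."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, content).digest()).decode()}"

class _ScriptCollector(HTMLParser):
    """Collects every <script>: src + integrity for external, exact body for inline."""
    def __init__(self):
        super().__init__()
        self.scripts, self._buf = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append({"src": a["src"], "integrity": a.get("integrity"), "body": None})
        elif tag == "script":
            self._buf = []  # inline script: buffer its body until </script>
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append({"src": None, "integrity": None, "body": "".join(self._buf)})
            self._buf = None

def audit_payment_page(html, authorized_external, authorized_inline):
    """One finding per script missing from the inventory or with a wrong/missing
    integrity value; an empty list means the rendered page matches the inventory."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"] is None:  # inline: hash the exact body, as a CSP hash-source would
            digest = sri_hash(s["body"].encode(), "sha256")
            if digest not in authorized_inline:
                findings.append(f"unauthorized inline script ({digest})")
        elif s["src"] not in authorized_external:
            findings.append(f"unauthorized external script {s['src']}")
        elif s["integrity"] != authorized_external[s["src"]]:
            findings.append(f"integrity mismatch or missing for {s['src']}")
    return findings

# Constructed sample inventory and page (all URLs and contents are hypothetical).
PSP_LOADER = "https://checkout.example-psp.test/v1/hosted.js"
INVENTORY = {PSP_LOADER: sri_hash(b"/* hosted.js v1 (constructed) */")}
INLINE_OK = {sri_hash(b'window.psp={env:"prod"};', "sha256")}
SAMPLE_PAGE = (f'<script src="{PSP_LOADER}" integrity="{INVENTORY[PSP_LOADER]}"></script>'
               '<script>window.psp={env:"prod"};</script>'
               '<script src="https://cdn.unknown-host.test/analytics.js"></script>')
```

In practice the HTML would be fetched from the live checkout page on the cadence set by the targeted risk analysis, and each finding raised as an alert for review.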

Action Items for Merchants & Compliance Teams

Before March 31, 2025:

  • Download and review the January 2025 SAQ A version (available on PCI SSC’s website).
  • Evaluate your website’s exposure to script-based threats and implement security measures (e.g., CSP, SRI, and monitoring).
  • Confirm that your third-party payment provider meets PCI DSS v4.0.1 standards.
  • Update security documentation and policies to align with the new SAQ A eligibility criteria.
  • Train staff on secure website management to reduce the risk of unauthorized script injection.
  • Read PCI SSC’s blog on the SAQ A update.

Conclusion

The removal of PCI DSS Requirements 6.4.3, 11.6.1, and 12.3.1 from SAQ A simplifies compliance for e-commerce and CNP merchants, but does not eliminate the risk of cyber threats. The new eligibility criteria reinforce that merchants must still secure their websites from script-based attacks.

By reviewing SAQ A changes now and implementing website security best practices, businesses can ensure compliance before the PCI DSS v4.0.1 March 31, 2025 deadline while maintaining strong cybersecurity protections.

Need help assessing your e-commerce security posture? HALOCK can partner with you to achieve compliance and ensure reasonable security as the regulations require. Call us today.
