FAQ Clarifies New SAQ A Eligibility Criteria for E-Commerce Merchants


The PCI Security Standards Council (PCI SSC) is pleased to announce the release of a Frequently Asked Question (FAQ), developed in direct response to industry requests for greater clarity on the new eligibility criteria for the recently revised Self-Assessment Questionnaire (SAQ) A. This update reflects our commitment to supporting the e-commerce community by providing clear, actionable guidance to help businesses meet new requirements under PCI DSS v4.0.1, which take effect on 1 April 2025.

Specifically, the relevant eligibility criterion in PCI DSS v4.0.1 SAQ A r1 states:

The merchant has confirmed that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).

FAQ 1588 clarifies that a merchant can confirm its webpage is not susceptible to script attacks by either:

  • Using techniques such as, but not limited to, those detailed in PCI DSS Requirements 6.4.3 and 11.6.1 to protect the merchant’s webpage from scripts targeting account data. These techniques may be deployed by the merchant or a third party.

Or

  • Obtaining confirmation from the merchant’s PCI DSS compliant Third-Party Service Providers (TPSPs)/payment processor providing the embedded payment page/form(s) that, when implemented according to the TPSP’s/payment processor’s instructions, the TPSP’s/payment processor’s solution includes techniques that protect the merchant’s payment page from script attacks.
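To make the first option concrete, the following is an added example (it is not from the FAQ, the SAQ, or PCI SSC) of the kind of check a merchant or its service provider might run on the checkout page: a 6.4.3-style inventory check that every script is authorized and carries the expected Subresource Integrity hash and that the embedded form comes from the expected TPSP origin, plus an 11.6.1-style fingerprint of the page's script and iframe structure for change detection. Every URL, script body, hash and sample page below is constructed for the example; a real inventory would come from the merchant's own review and the TPSP's integration instructions.

```python
"""Script-inventory and payment-page change check (added example, not PCI SSC material).

Inventory, script bodies, hostnames and sample pages are all constructed for the example.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


def sri_hash(content: bytes) -> str:
    """Return the Subresource Integrity value (sha384-<base64>) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


# Constructed script bodies, standing in for the versions the merchant actually reviewed.
PSP_LOADER_BODY = b"/* constructed TPSP loader */ window.PSP = {};"
APP_BODY = b"/* constructed merchant app */ document.title = 'Checkout';"

PSP_LOADER_URL = "https://js.example-psp.test/v3/checkout.js"
APP_URL = "https://cdn.merchant.test/app.js"

# Constructed inventory: each authorized script has a written justification and the
# integrity hash of the exact content that was reviewed (the shape 6.4.3 asks for).
AUTHORIZED_SCRIPTS = {
    PSP_LOADER_URL: {"justification": "TPSP loader that embeds the hosted payment form",
                     "integrity": sri_hash(PSP_LOADER_BODY)},
    APP_URL: {"justification": "Merchant checkout UI; never touches card fields",
              "integrity": sri_hash(APP_BODY)},
}
EXPECTED_IFRAME_ORIGIN = "https://pay.example-psp.test"  # constructed TPSP origin


class _PageScanner(HTMLParser):
    """Collect every <script> and <iframe> on the page with the attributes we care about."""

    def __init__(self):
        super().__init__()
        self.scripts = []  # one dict per <script>: src, integrity, inline
        self.iframes = []  # src of each <iframe>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"),
                                 "inline": a.get("src") is None})
        elif tag == "iframe":
            self.iframes.append(a.get("src") or "")


def _origin(url: str) -> str:
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}"


def audit_payment_page(html: str) -> list[str]:
    """Compare the page's scripts and payment iframe against the authorized inventory.

    Returns a list of findings; an empty list means the page matches the inventory.
    """
    scanner = _PageScanner()
    scanner.feed(html)
    findings = []
    for s in scanner.scripts:
        if s["inline"]:
            findings.append("inline script present (not inventoried, cannot be integrity-checked)")
            continue
        entry = AUTHORIZED_SCRIPTS.get(s["src"])
        if entry is None:
            findings.append(f"unauthorized script: {s['src']}")
        elif s["integrity"] != entry["integrity"]:
            findings.append(f"integrity missing or mismatched for {s['src']}")
    for src in scanner.iframes:
        if _origin(src) != EXPECTED_IFRAME_ORIGIN:
            findings.append(f"payment iframe from unexpected origin: {src}")
    return findings


def page_fingerprint(html: str) -> str:
    """SHA-256 over the script/iframe structure, recorded as the baseline for 11.6.1-style checks."""
    scanner = _PageScanner()
    scanner.feed(html)
    parts = [f"script:{s['src']}:{s['integrity']}" for s in scanner.scripts]
    parts += [f"iframe:{src}" for src in scanner.iframes]
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()


def changed_since_baseline(html: str, baseline_fingerprint: str) -> bool:
    """True when the page's script/iframe structure no longer matches the recorded baseline."""
    return page_fingerprint(html) != baseline_fingerprint


# Constructed sample pages: a clean checkout page, one with an injected third-party script,
# and one whose merchant script no longer matches its reviewed hash.
GOOD_PAGE = f"""<html><body>
<script src="{PSP_LOADER_URL}" integrity="{AUTHORIZED_SCRIPTS[PSP_LOADER_URL]['integrity']}" crossorigin="anonymous"></script>
<script src="{APP_URL}" integrity="{AUTHORIZED_SCRIPTS[APP_URL]['integrity']}" crossorigin="anonymous"></script>
<iframe src="{EXPECTED_IFRAME_ORIGIN}/form?session=abc123"></iframe>
</body></html>"""
SKIMMED_PAGE = GOOD_PAGE.replace(
    "</body>", '<script src="https://cdn.evil-analytics.test/t.js"></script></body>')
TAMPERED_PAGE = GOOD_PAGE.replace(AUTHORIZED_SCRIPTS[APP_URL]["integrity"], "sha384-AAAA")

if __name__ == "__main__":
    baseline = page_fingerprint(GOOD_PAGE)
    for name, page in [("good", GOOD_PAGE), ("skimmed", SKIMMED_PAGE), ("tampered", TAMPERED_PAGE)]:
        print(name, audit_payment_page(page), "changed:", changed_since_baseline(page, baseline))
```

The inventory check catches scripts the merchant never authorized and scripts whose content changed since review; the fingerprint is what a periodic job would compare against a stored baseline and alert on. Neither replaces the TPSP's own integration guidance, which is the second option above.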

Note that this SAQ A eligibility criterion applies only to e-commerce merchants whose webpage includes a TPSP’s/payment processor’s embedded payment page/form (for example, one or more inline frames (iframes)). In that arrangement the merchant’s page still hosts the surrounding document, so scripts running there could alter or replace the embedded form.

This SAQ A eligibility criterion does not apply to e-commerce merchants whose webpage redirects customers from the merchant’s webpage to a TPSP/payment processor (for example, including but not limited to, with an HTTP 30x redirect, a meta redirect tag, or a JavaScript redirect), or to e-commerce merchants that fully outsource payment functions to a TPSP/payment processor (for example, by providing customers with an email containing a link to the TPSP’s website to pay).

Merchants should work closely with their TPSPs to obtain guidance about how to implement the TPSP’s solution securely. Merchants should also check with their acquirer or relevant payment brands to confirm if SAQ A is the appropriate self-assessment questionnaire for their environment.

The newly published FAQ is available through the PCI SSC website and provides additional resources, including references to related FAQs on SAQs and payment brand contact information. With this new resource, merchants can more confidently navigate their validation journey, reducing uncertainty and strengthening payment security.
