Important Updates Announced for Merchants Validating to Self-Assessment Questionnaire A

In response to stakeholder feedback about the challenges of implementing the new e-commerce security Requirements 6.4.3 and 11.6.1 in PCI Data Security Standard (PCI DSS) v4.0.1, the PCI Security Standards Council (PCI SSC) has announced important changes for merchants validating to Self-Assessment Questionnaire A (SAQ A).

SAQ A covers only the PCI DSS requirements that apply to merchants whose account data functions are fully outsourced to PCI DSS validated and compliant third parties, and who retain at most paper reports or receipts containing account data. SAQ A merchants may be either e-commerce or mail/telephone-order (card-not-present) merchants, and they do not store, process, or transmit any account data electronically on their systems or premises.

After careful review of industry feedback, PCI SSC is making the following changes to SAQ A:

  • Removal of PCI DSS Requirements 6.4.3 and 11.6.1, which concern payment page security, and of Requirement 12.3.1 for the Targeted Risk Analysis that supports Requirement 11.6.1.
  • Addition of an eligibility criterion requiring merchants to “validate their site is not vulnerable to attacks from scripts that could impact the merchant’s e-commerce system(s).”

There are currently two versions of SAQ A available on our website: one published in October 2024 and the new one published in January 2025. The October 2024 version of SAQ A will be retired on 31 March 2025. The January 2025 version is available now for review, but it takes effect on 31 March 2025 (coinciding with the effective date of the new PCI DSS v4.0.1 requirements).

PCI DSS v4.0.1 Requirements 6.4.3, 11.6.1, and 12.3.1 become effective on 31 March 2025. While these changes to SAQ A affect how merchants report compliance with these requirements, it is important to recognize that they do not remove or weaken the underlying requirements in the PCI DSS. SAQ A represents a balance between security needs and reasonable validation requirements, while still providing options and flexibility for compliance enforcement entities.

PCI SSC does not define compliance requirements for any entity or determine compliance validation obligations; it provides tools that can support compliance validation. Compliance validation requirements are set by payment brands, acquirers, payment facilitators, and similar parties, commonly referred to as compliance enforcement entities. Entities with questions about PCI DSS compliance validation requirements, or about which validation tools are appropriate for them, should consult their compliance enforcement entity.

These changes highlight the critical role our stakeholder community plays in shaping and improving PCI standards and supporting program resources. The collaborative process behind these revisions reflects the value of being a Participating Organization in the PCI SSC community. Entities interested in contributing to future standards development, or in learning more about becoming a Participating Organization, can find more details on our website.

View the Revised PCI DSS v4.0.1 SAQ A Document
