Information on Recent SAQ A Requirements for Online Sellers

FAQ Clarifies New SAQ A Eligibility Criteria for E-Commerce Merchants

A new Frequently Asked Question (FAQ) has been released by the PCI Security Standards Council (PCI SSC) to address the updated eligibility criteria for Self-Assessment Questionnaire (SAQ) A. This FAQ was developed based on industry feedback to offer clearer guidance regarding the new requirements outlined in PCI DSS v4.0.1, effective from 1st April 2025.

The revised eligibility criteria in PCI DSS v4.0.1 SAQ A r1 are as follows:

Confirmation from the merchant that their e-commerce system is not vulnerable to script attacks.

FAQ 1588 explains that the merchant can confirm the protection against script attacks on their webpage by:

  • Implementing security measures such as those specified in PCI DSS Requirements 6.4.3 and 11.6.1 to safeguard the webpage from script threats that target account details. These measures can be applied by the merchant or a third party.

Or

  • Receiving validation from their PCI DSS compliant Third-Party Service Providers (TPSPs)/payment processor who provide the embedded payment page/form(s), ensuring that their solution includes safeguards against script attacks on the payment page.

It is important to note that these SAQ A eligibility criteria are applicable only to online sellers whose webpage contains an embedded payment page/form from a TPSP/payment processor, such as inline frames (iframes).

These criteria do not cover online sellers whose webpage redirects customers to a TPSP/payment processor or those who completely rely on a TPSP/payment processor for payment functions.

Merchants are advised to collaborate closely with their TPSPs to implement secure solutions and to consult their acquirer or payment brands to verify if SAQ A is the suitable self-assessment questionnaire for their setup.

The newly issued FAQ can be accessed on the PCI SSC website and offers additional support resources, including links to related FAQs on SAQs and payment brand contact details. This resource equips merchants to confidently navigate the validation process, mitigating uncertainties and enhancing payment security.

View the New FAQ 1588
