Important PCI DSS v4.0.1 Update for E-commerce Merchants
Published: Jan 31, 2025
Last Updated: Feb 5, 2025
The PCI Security Standards Council (PCI SSC) has announced significant updates impacting e-commerce merchants currently collecting payments via an iFrame or redirect. The new guidance brings notable changes to the PCI DSS compliance process for merchants who are eligible to complete the Self-Assessment Questionnaire (SAQ) A.
Key Updates:
- Removal of Requirements:
The council has removed the necessity for merchants participating in SAQ A to comply with the PCI DSS requirements listed below, which relate to the management of payment page scripts. These elements will no longer appear in SAQ A:
  - 6.4.3
  - 11.6.1
  - 12.3.1
- Updated SAQ A Version Release:
The council has posted an updated version of the SAQ A that can be found on their website.
- New Eligibility Requirement:
A new criterion is being introduced for eligibility in SAQ A. Merchants must now confirm with their third-party service provider (TPSP) that their e-commerce systems are not susceptible to attacks from any loaded scripts. This includes loaded scripts originating from the merchant's environment or from other parties.
Impact on Merchants:
- Streamlined Compliance:
E-commerce merchants who have previously worked to meet the newly removed requirements can now maintain these controls as best practices rather than as components of mandatory compliance.
- Broader Implications:
These changes also affect larger merchants who base their Report on Compliance (ROC) on SAQ A eligibility criteria as allowed by the PCI SSC in FAQ #1331.
This update highlights the PCI SSC's ongoing commitment to refining and evolving its standards for better alignment with merchant operations and current threats.
Stay tuned for the release of the new SAQ A version and prepare in the meantime by consulting with your third-party service providers (TPSPs) to ensure your web applications are not susceptible to attacks from any loaded scripts.