Important PCI DSS v4.0.1 Update for E-commerce Merchants
Published: Jan 31, 2025
Last Updated: Mar 17, 2025
The PCI Security Standards Council (PCI SSC) has announced significant updates impacting e-commerce merchants currently collecting payments via an iFrame or redirect. The new guidance brings notable changes to the PCI DSS compliance process for merchants who are eligible to complete the Self-Assessment Questionnaire (SAQ) A.
Key Updates:
- Removal of Requirements:
The council has removed the requirement for merchants completing SAQ A to comply with the following PCI DSS requirements related to the management of payment page scripts. These requirements no longer appear in SAQ A:
- 6.4.3
- 11.6.1
- 12.3.1
- Updated SAQ A Version Release:
The council has posted an updated version of the SAQ A that can be found on their website.
- New Eligibility Requirement:
A new eligibility criterion has been introduced for SAQ A. Merchants must now confirm, with their third-party service provider (TPSP), that their e-commerce systems are not susceptible to attacks from any loaded scripts, whether those scripts originate from the merchant's own environment or from other parties.
Impact on Merchants:
- Streamlined Compliance:
E-commerce merchants who have already worked to meet the newly removed requirements can continue to maintain those controls as best practice rather than as mandatory compliance components. Note that the new eligibility criterion still requires the merchant to confirm that its site is not susceptible to attacks from loaded scripts, so the controls remain a practical way to support that confirmation.
- Broader Implications:
These changes also affect larger merchants who base their Report on Compliance (ROC) on SAQ A eligibility criteria as allowed by the PCI SSC in FAQ #1331.
This update highlights the PCI SSC's ongoing commitment to refining and evolving its standards for better alignment with merchant operations and current threats.
The updated SAQ A is now available on the PCI SSC website. Review it and consult with your TPSPs to ensure your web applications are not susceptible to attacks from any loaded scripts. For further reading, see these related resources on PCI updates for e-commerce merchants:
- Understanding SAQ A Eligibility for E-Commerce PCI Compliance
- SAQ A Updates: Ensuring Your E-Commerce Site is Safe from Script Attacks
About Matt Crane
Matt Crane is a Director at Schellman, where he excels in project management and client relations while overseeing assessments against various PCI Standards. With a primary focus on PCI DSS Compliance for organizations spanning diverse industries, Matt leverages a decade of expertise in information security services. Prior to joining Schellman in July 2017, Matt held key positions in both the private and public sectors, specializing in PCI and NIST assessments, as well as intelligence analysis. His extensive background includes leading PCI engagements, performing risk assessments, and general consulting services for merchants and service providers across multiple industry verticals. With an exceptional track record and a profound understanding of the industry, Matt Crane is a valuable asset to Schellman, ensuring clients receive unparalleled guidance in achieving their compliance goals. Matt holds a BBA in Information Security and Assurance as well as several industry certifications including CISSP, CISA, CRISC, QSA,