SAQ A Updates: Ensuring Your E-Commerce Site is Safe from Script Attacks
Published: Mar 17, 2025
If you're an e-commerce merchant using an iframe or redirect for payment processing, recent updates to the PCI DSS SAQ A may impact how you maintain compliance. While these changes simplify requirements, a new eligibility rule has been introduced that could affect your compliance status. Here’s what you need to know.
What’s Changing in PCI SAQ A?
The PCI Security Standards Council has released an updated SAQ A template, removing several key requirements:
- Requirement 6.4.3
- Requirement 11.6.1
- Requirement 12.3.1
Previously, these requirements mandated that merchants manage payment page scripts for security purposes. With PCI DSS version 4.0.1, these obligations have been removed as formal requirements for SAQ A merchants.
Timeline for Compliance
- The new SAQ A version is available now for merchants who want to adopt it early.
- The previous version will be deprecated by the end of March 2024.
The New Eligibility Requirement
While script management requirements have been removed, there is a new critical requirement for e-commerce merchants:
Your site must not be susceptible to script attacks that could compromise the payment page.
Who Does This Impact?
- Merchants using an iframe from a payment provider: this applies to you
- Merchants using a full redirect: this does NOT apply to you
If you use a redirect, your website does not technically host a payment page, so you’re not subject to this requirement.
How to Ensure Your Site Meets the New Security Requirement
If you use an iframe for payment processing, you have two ways to confirm that your site is protected from script-based attacks:
Option 1: Implement Security Measures Yourself
You or your security team can implement controls that align with the previous script security requirements (Requirements 6.4.3 and 11.6.1). These measures help detect and prevent unauthorized modifications to payment page scripts.
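As an added illustration of the kind of control Option 1 refers to (example code written for this article, not Schellman's tooling and not anything the PCI SSC publishes), the script below keeps an authorized inventory of the scripts on an iframe-hosting checkout page and flags anything not on it; the page HTML, hostnames and inventory entries are all constructed for the demo.

```python
import hashlib
from html.parser import HTMLParser

# Constructed checkout page for this example (not a real merchant site):
# the payment provider's iframe loader plus one script nobody authorized.
CHECKOUT_HTML = """<html><head>
<script src="https://cdn.example-psp.test/iframe-loader.js"></script>
<script src="https://analytics.example.test/tag.js"></script>
<script>window.cfg={merchant:"demo"};</script>
</head><body><iframe src="https://pay.example-psp.test/checkout"></iframe></body></html>"""

# Authorized inventory (the 6.4.3 idea): external scripts by URL, inline
# scripts by SHA-256 of their body. Constructed values, assumed for this demo.
AUTHORIZED = {
    "https://cdn.example-psp.test/iframe-loader.js",
    "sha256:" + hashlib.sha256(b'window.cfg={merchant:"demo"};').hexdigest(),
}

class ScriptCollector(HTMLParser):
    """Record every <script> on the page as a URL or an inline-body hash."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script, self._inline = [], False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(src)          # external script: identify by URL
        else:
            self._in_script, self._inline = True, []   # inline: collect the body

    def handle_data(self, data):
        if self._in_script:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._inline).strip().encode()
            self.scripts.append("sha256:" + hashlib.sha256(body).hexdigest())
            self._in_script = False

def find_unauthorized_scripts(html, authorized):
    """Scripts not in the inventory (the 11.6.1 idea: an unexpected script is a tamper signal)."""
    parser = ScriptCollector()
    parser.feed(html)
    return [s for s in parser.scripts if s not in authorized]
```

Matching an external script by URL alone does not detect a change to the content served at an authorized URL, so a production control would also hash the fetched file (or use Subresource Integrity) and run the check on a schedule against the live page.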
Option 2: Obtain Written Confirmation from Your Payment Provider
Work with your PCI-compliant service provider or payment processor to confirm that their embedded payment solution protects your site from script-based attacks. When doing this:
- Request an updated Attestation of Compliance (AOC) from your provider.
- Ensure their security measures align with the new SAQ A eligibility criteria.
Steps to Stay Compliant
- Check Your Payment Setup
  - Determine whether you use an iframe or a payment page redirect.
  - If you use a redirect, this change does not apply to you.
- If You Use an Iframe:
  - Contact your payment provider for security confirmation.
  - Request documentation that proves their iframe solution protects against script attacks.
  - Verify compliance with your QSA (Qualified Security Assessor).
- Maintain Proper Documentation
  - Store and update any compliance records you receive.
  - This ensures a smooth compliance process for future assessments.
What This Means for E-Commerce Merchants
While PCI compliance can often feel complex, these SAQ A updates actually simplify the process for many merchants. By removing script management requirements but introducing a new security check, PCI DSS is ensuring that merchants maintain strong protection against emerging threats.
Key Takeaways:
- If you use a redirect: No action needed for this update.
- If you use an iframe: You must confirm protection against script attacks either through your own security measures or by obtaining confirmation from your payment provider.
- Always document compliance efforts to prepare for future assessments.
For additional guidance on SAQ A compliance, reach out to our team at Schellman. As active members of the PCI e-commerce guidance task force, we can help ensure you meet all new requirements.
About Matt Crane
Matt Crane is a Director at Schellman, where he excels in project management and client relations while overseeing assessments against various PCI Standards. With a primary focus on PCI DSS Compliance for organizations spanning diverse industries, Matt leverages a decade of expertise in information security services. Prior to joining Schellman in July 2017, Matt held key positions in both the private and public sectors, specializing in PCI and NIST assessments, as well as intelligence analysis. His extensive background includes leading PCI engagements, performing risk assessments, and general consulting services for merchants and service providers across multiple industry verticals. With an exceptional track record and a profound understanding of the industry, Matt Crane is a valuable asset to Schellman, ensuring clients receive unparalleled guidance in achieving their compliance goals. Matt holds a BBA in Information Security and Assurance as well as several industry certifications including CISSP, CISA, CRISC, QSA,