SAQ A Updates: Ensuring Your E-Commerce Site is Safe from Script Attacks

If you're an e-commerce merchant using an iframe or redirect for payment processing, recent updates to the PCI DSS SAQ A may impact how you maintain compliance. While these changes simplify requirements, a new eligibility rule has been introduced that could affect your compliance status. Here’s what you need to know.

What’s Changing in PCI SAQ A?

The PCI Security Standards Council has released an updated SAQ A template, removing several key requirements:

• Requirement 6.4.3
• Requirement 11.6.1
• Requirement 12.3.1

Previously, these requirements mandated that merchants manage payment page scripts for security purposes. With PCI DSS version 4.0.1, these obligations have been removed as formal requirements for SAQ A merchants.

Timeline for Compliance

• The new SAQ A version is available now for merchants who want to adopt it early.
• The previous version will be deprecated by the end of March 2024.

The New Eligibility Requirement

While script management requirements have been removed, there is a new critical requirement for e-commerce merchants:

Your site must not be susceptible to script attacks that could compromise the payment page.

Who Does This Impact?

• Merchants using an iframe from a payment provider: this applies to you
• Merchants using a full redirect: this does NOT apply to you
  If you use a redirect, your website does not technically host a payment page, so you’re not subject to this requirement.

How to Ensure Your Site Meets the New Security Requirement

If you use an iframe for payment processing, you have two ways to confirm that your site is protected from script-based attacks:

Option 1: Implement Security Measures Yourself

You or your security team can implement controls that align with the previous script security requirements (Requirements 6.4.3 and 11.6.1). These measures help detect and prevent unauthorized modifications to payment page scripts.

Option 2: Obtain Written Confirmation from Your Payment Provider

Work with your PCI-compliant service provider or payment processor to confirm that their embedded payment solution protects your site from script-based attacks. When doing this:

• Request an updated Attestation of Compliance (AOC) from your provider.
• Ensure their security measures align with the new SAQ A eligibility criteria.

Steps to Stay Compliant

1. Check Your Payment Setup

   • Determine whether you use an iframe or a payment page redirect.
   • If you use a redirect, this change does not apply to you.

2. If You Use an Iframe:

   • Contact your payment provider for security confirmation.
   • Request documentation that proves their iframe solution protects against script attacks.
   • Verify compliance with your QSA (Qualified Security Assessor).

3. Maintain Proper Documentation

   • Store and update any compliance records you receive.
   • This ensures a smooth compliance process for future assessments.

What This Means for E-Commerce Merchants

While PCI compliance can often feel complex, these SAQ A updates actually simplify the process for many merchants. By removing script management requirements but introducing a new security check, PCI DSS is ensuring that merchants maintain strong protection against emerging threats.

Key Takeaways:

• If you use a redirect: No action needed for this update.
• If you use an iframe: You must confirm protection against script attacks either through your own security measures or by obtaining confirmation from your payment provider.
• Always document compliance efforts to prepare for future assessments.

For additional guidance on SAQ A compliance, reach out to our team at Schellman. As active members of the PCI e-commerce guidance task force, we can help ensure you meet all new requirements. 

In the meantime, discover other important PCI updates for E-commerce merchants in these helpful resources: 

• Important PCI DSS v4.0.1 Update for E-commerce Merchants 
• Understanding SAQ A Eligibility for E-Commerce PCI Compliance