PCI Council Released Update of SAQ A: New Eligibility Criteria Replaces Future-dated Requirements

5. February 2025

Last updated: 28 February, 2025

A few days ago, the PCI Security Standards Council (PCI SSC) announced important changes to SAQ A. Who is affected by the change? When will it take effect? And above all: What is changing? We have summarized it for you:

Who is SAQ A intended for?

Every company that accepts credit card payments must comply with the security requirements of the credit card organizations and therefore the PCI DSS. Depending on the classification of the company, compliance can be demonstrated either through an annual on-site audit or by completing an annual Self Assessment Questionnaire (SAQ). There are different types of SAQ. The selection or the use of each type requires specific (technical) eligibility criteria. These must be confirmed by the company before it can demonstrate its PCI compliance using the appropriate questionnaire.

SAQ A is a type of SAQ that has so far been used primarily by small e-commerce merchants. One of its eligibility criteria is that the merchant must have fully outsourced all credit card data processing functions to PCI DSS validated and compliant third parties. The new version of SAQ A will add an additional eligibility criteria.

What will change with the new SAQ A?

The following requirements have been removed from the new version of the SAQ A:

  • Requirements 6.4.3 and 11.6.1 for payment page security
  • Requirement 12.3.1 for a Targeted Risk Analysis to support Requirement 11.6.1

These three requirements were introduced with version 4.0 of the PCI DSS and are among the “Future-dated Requirements”. They were therefore only considered best practices until now and were to become mandatory with the deadline of 31 March 2025. In the new version of SAQ A, they have been completely removed, but remain part of the actual standard. The reason? According to the PCI Council, the intention is to create a balance of security needs and reasonable security requirements.

This eliminates three requirements for merchants that are complex to implement. However, in order to continue to guarantee the security of SAQ A merchants and their credit card data processing, a new Eligibility Criteria for the use of SAQ A has been introduced. Merchants of all sizes must confirm:

[...] for merchants to “confirm their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).

As a result, the new SAQ A is no longer an option for all e-commerce merchants. Those who cannot comply with the Eligibility Criteria will have to fall back on the SAQ A-EP and thus fulfill over 100 additional requirements.

A Frequently Asked Question (FAQ) has been published by the Council in response to requests from the industry for more clarity on the new Eligibility Criteria. Find out more here.

When will the new SAQ A apply?

There are currently 2 versions of the SAQ A available on the website of the PCI Council: The current version from October 2024 and the new version from January 2025. The former will remain in place for the time being and will expire on 31 March 2025. The new version from January 2025 has already been published for review, but will not come into force until the old version expires on 31 March 2025.

Also interesting:

AI Vulnerability Storm: When a Lack of Speed Becomes a Risk

AI Vulnerability Storm: When a Lack of Speed Becomes a Risk

Current developments in AI systems show that vulnerabilities are found more quickly, suitable exploits are developed more quickly, and attacks are increasingly implemented automatically. This significantly reduces the time between discovery and exploitation. What used...

Bafin Publishes 9th Amendment to MaRisk

Bafin Publishes 9th Amendment to MaRisk

On 30 June 2026, all credit institutions and financial services institutions in Germany received an important circular: Following the consultation phase, the German Federal Financial Supervisory Authority (Bafin) published the 9th amendment to its Minimum Requirements...

usd AG Listed as EPI Partner for Mobile Security Evaluations

usd AG Listed as EPI Partner for Mobile Security Evaluations

The popularity of mobile payments is growing, and with it, the demand for verified security. usd AG is expanding its activities in the EPI environment and will also conduct Mobile Security Evaluations in the future. This places us among the few EPI-listed Security...

Categories

Categories