PCI Council Released Update of SAQ A: New Eligibility Criteria Replaces Future-dated Requirements

5 February 2025

Last updated: 28 February, 2025

A few days ago, the PCI Security Standards Council (PCI SSC) announced important changes to SAQ A. Who is affected by the change? When will it take effect? And above all: What is changing? We have summarized it for you:

Who is SAQ A intended for?

Every company that accepts credit card payments must comply with the security requirements of the credit card organizations and therefore with the PCI DSS. Depending on how the company is classified, compliance is demonstrated either through an annual on-site audit or by completing an annual Self-Assessment Questionnaire (SAQ). There are several types of SAQ, and each type has specific (technical) eligibility criteria that the company must confirm before it can demonstrate its PCI compliance with that questionnaire.

SAQ A is a type of SAQ that has so far been used primarily by small e-commerce merchants. One of its eligibility criteria is that the merchant must have fully outsourced all credit card data processing functions to PCI DSS validated and compliant third parties. The new version of SAQ A adds a further eligibility criterion.

What will change with the new SAQ A?

The following requirements have been removed from the new version of the SAQ A:

  • Requirements 6.4.3 and 11.6.1 for payment page security
  • Requirement 12.3.1 for a Targeted Risk Analysis to support Requirement 11.6.1

These three requirements were introduced with version 4.0 of the PCI DSS and are among the “Future-dated Requirements”. Until now they were therefore considered best practice only and were to become mandatory on 31 March 2025. In the new version of SAQ A they have been removed completely, but they remain part of the standard itself. The reason? According to the PCI Council, the intention is to strike a balance between security needs and reasonable security requirements.

This eliminates three requirements that are complex for merchants to implement. However, in order to continue to safeguard SAQ A merchants and their credit card data processing, a new Eligibility Criterion for the use of SAQ A has been introduced. Merchants of all sizes must confirm:

[...] for merchants to “confirm their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).”

As a result, the new SAQ A is no longer an option for all e-commerce merchants. Those who cannot comply with the Eligibility Criteria will have to fall back on the SAQ A-EP and thus fulfill over 100 additional requirements.

In response to requests from the industry for more clarity on the new Eligibility Criteria, the Council has published a Frequently Asked Question (FAQ) on the topic.

When will the new SAQ A apply?

There are currently two versions of the SAQ A available on the website of the PCI Council: the current version from October 2024 and the new version from January 2025. The former remains valid for the time being and expires on 31 March 2025. The new version from January 2025 has already been published for review, but it does not come into force until the old version expires on 31 March 2025.
