PCI DSS 4 Update: Unpacking the Changes to SAQ A

Jeff Zitomer

January 31, 2025

Categories: Bot Mitigation, Compliance, PCI, PCI DSS 4

With the March 31, 2025, PCI DSS deadline fast approaching, the PCI Security Standards Council has announced important modifications for merchants validating to Self-Assessment Questionnaire A (SAQ A). This has left online merchants, qualified security assessors (QSAs), and payment service providers (PSPs) alike wondering what these changes really mean. 

E-commerce businesses have geared up to comply with requirements 6.4.3 and 11.6.1 since PCI DSS v4 was first introduced in 2022, so updating SAQ A just two months before the deadline is a significant change that may impact the way many of them approach payment page security and compliance.

But should it? Let’s break it down.

How exactly did SAQ A change?

There are two key updates to SAQ A:

  1. Removal of PCI DSS Requirements 6.4.3 and 11.6.1 for payment page security, and of Requirement 12.3.1 for a Targeted Risk Analysis supporting Requirement 11.6.1. This means that merchants who validate to SAQ A will no longer need to comply with requirements 6.4.3 and 11.6.1.
  2. Addition of an eligibility criterion requiring merchants to “confirm their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).”

This means that only merchants who can confirm that they meet this criterion will be able to validate to SAQ A. All other merchants who previously used SAQ A will now have to validate to SAQ A-EP or SAQ D.

This is neither an extension nor an exemption, but possibly an expansion.

What does the new guidance actually mean?

First, there is no impact to PSPs and merchants that are ineligible for SAQ A. They must still implement 6.4.3 and 11.6.1 by the deadline of March 31.

SAQ A merchants are seemingly exempt, as long as they can demonstrate that “their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).” But this raises the question: how?

Well, by implementing 6.4.3 and 11.6.1. After all, that’s pretty much their intent—with one important difference. Requirements 6.4.3 and 11.6.1 apply only to payment pages and the webpages that include an embedded payment page or form from third-party PSPs or payment processors. However, the new SAQ A eligibility criterion applies to the merchant’s entire website.

What is the outcome of the new guidance?

To qualify for SAQ A, some merchants may choose to apply 6.4.3 and 11.6.1 to their entire website. Others may go even further, deploying full client-side security controls against e-skimming and other script risks. Over the coming weeks, the dust will begin to settle, and several alternative approaches are likely to emerge as well.

But the clock is ticking. With March 31 fast approaching, merchants don’t have the luxury of waiting to see how this all plays out. 

Whatever approach you choose, HUMAN Security is here to help. Our core PCI DSS solution streamlines payment page protection and compliance with requirements 6.4.3 and 11.6.1, whether on your payment page only or across your entire site.

Those opting for more comprehensive protection to confirm that their website is not susceptible to script attacks will benefit from our complete Client-side Defense solution. This provides complete browser script visibility and control across the entire website, enabling customers to safely benefit from JavaScript.

Click here for more on HUMAN and PCI DSS compliance, and register for our webinar on SAQ A.