
PCI SAQ A Changes: Course Correction Update

Written by Daryl Jackson | Mar 3, 2025 6:59:52 PM

Recently, I wrote about the last-minute ‘course correction’ from the PCI SSC regarding SAQ A requirements and eligibility. Many questions arose when the SSC dropped requirements 6.4.3 and 11.6.1 from SAQ A, primarily because, along with dropping those requirements, it changed the SAQ A eligibility criteria.

OBS Global is a trusted participant in the Global Executive Assessor Roundtable (GEAR) for PCI SSC-qualified payment security assessor companies and offers you regular insights into the latest updates and what they could mean for your business.


Let's Break It Down 

The SSC has clarified its position by publishing FAQ 1588, specifically addressing the portion of the eligibility requirement that states, “The merchant has confirmed that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).”

The PCI SSC clarifies that this eligibility criterion applies ONLY to merchants that embed a TPSP’s payment page/form in their own page (for example, in an iFrame) and NOT to merchants that redirect the customer to the TPSP’s page.

A merchant embedding a TPSP’s payment page/form can confirm that its webpage is not susceptible to script attacks in one of two ways:

  1. Implementing requirements 6.4.3 and 11.6.1 itself

OR

  2. Confirming that the TPSP/payment processor providing the embedded payment page/form(s) includes techniques that protect the merchant’s payment page from script attacks.

That confirmation must include:
  • Obtaining and reviewing the TPSP’s Attestation of Compliance (AoC)
  • Confirming the TPSP’s solution “includes techniques that protect the merchant’s payment page from script attacks”
  • Ensuring the scripts are implemented in accordance with the TPSP’s instructions


Let's Break Down This Statement Further

Confirming the TPSP’s solution “includes techniques that protect the merchant’s payment page from script attacks”

In Part 2g (Summary of Assessment) of the TPSP’s AoC, any requirement reported as Not Applicable or Not Tested must be identified, so you can confirm that 6.4.3 and 11.6.1 are not listed there and were assessed as in place. While you have the AoC open, also check that the services listed as in scope in Part 2a cover the embedded payment page/form you are actually using; an AoC for a different service offering from the same TPSP does not give you the confirmation you need.

Source: PCI DSS v4.0.1 Attestation of Compliance for Report on Compliance – Service Providers, August 2024, Pages 7-8. Available at: PCI Security Standards Council Document Library


Our Conclusion

This FAQ reaffirms our original understanding of the intent of the changes to SAQ A: responsibility for securing the payment page itself shifts to the TPSP. The merchant that embeds that page in an iFrame retains the responsibility to obtain and review the TPSP’s AoC, confirm that script protections are in place, and implement the TPSP’s scripts exactly as the TPSP instructs.


OBS Global is here to support you in building or enhancing your PCI program and creating a clear compliance roadmap. For expert insights from our QSA team, visit our PCI DSS Resource Center, or message us directly to help you navigate the path to PCI compliance.


About the Author

Daryl Jackson is a Principal Consultant and PCI QSA at Online Business Systems. He has been working in IT Security for over 15 years.

His decades with the DoD, combined with his experience advising on projects ranging from small-town infrastructure design to securing some of the world’s largest retailers, give him a unique perspective on security. Daryl’s sharp eye and collaborative manner are pivotal in helping organizations optimize their people, processes, and technologies.