PCI DSS

PCI DSS: SAQ A Update - What Changed and Why It Matters

January 30th, 2025 | By Pedro Fortuna | 4 min read

The PCI SSC announced a new version of Self-Assessment Questionnaire A (SAQ A) today. This update removes the new requirements introduced in PCI DSS v4 to combat e-skimming attacks (6.4.3 and 11.6.1) and introduces a new eligibility criterion that merchants must confirm before they can validate their compliance using this SAQ:


“The merchant has confirmed that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).”


From a security perspective, this is a positive change. It requires merchants of all sizes to confirm not only that their payment pages and parent pages are secure, but also that their website is not susceptible to web skimmers that could impact their e-commerce system. This aligns with the types of incidents we have been observing, where web skimmers are often deployed site-wide.


Additionally, this change may encourage merchants to expand the scope of their website monitoring—from focusing solely on securing payment data to protecting all types of data. It could also aid in detecting fraud and phishing attacks. Monitoring tools such as Jscrambler’s Webpage Integrity provide a comprehensive set of features to harden and secure entire websites.



The Challenge of Timing


The timing of this change is a surprise, as we are just two months away from the March 31st deadline when the new requirements were to become mandatory. Some organizations that previously limited their assessments to the SAQ A scope may now find themselves ineligible and may need to consider, for instance, SAQ A-EP instead. Discovering that they must now comply with 100 additional requirements is certainly not ideal. To avoid this, organizations will likely want to ensure they remain eligible for the new SAQ A.

The best way to do so—and to confirm that a site is not susceptible to script-based attacks—is by implementing site-wide page integrity monitoring. This enables organizations to confidently verify that no skimmers are present on their websites.


Ambiguity vs. Simplicity


While requirements 6.4.3 and 11.6.1 provided a clear and structured approach, the new eligibility criterion is more outcome-focused. However, on the bright side, this change simplifies compliance, as organizations are no longer explicitly required to maintain an inventory of scripts, authorize each version, or review every update. Instead, they must confirm that first- and third-party scripts on their site do not make the site susceptible to attacks that could affect payments, including iframed payment forms.

This surely applies not only to silent skimming attacks but also to double-entry skimming attacks, where an end user is tricked into entering payment details twice, for example by an attacker-injected error message or by manipulated form behavior.


How Jscrambler Can Help


At Jscrambler, we are committed to working with all industry stakeholders to help organizations stay protected from attacks targeting e-commerce systems. Although the timing of this change presents challenges, Jscrambler’s Webpage Integrity can help organizations swiftly adapt and ensure merchants can meet the SAQ A eligibility criteria and are able to continue to assess and report their compliance using the limited number of requirements within SAQ A.

Get in touch with us to see how we can help you meet the new eligibility criteria.


Jscrambler

The leader in client-side Web security. With Jscrambler, JavaScript applications become self-defensive and capable of detecting and blocking client-side attacks like Magecart.
