by Source Defense
The PCI Security Standards Council’s recent update to SAQ-A merchant eligibility and compliance requirements introduces significant changes with just weeks to go before the March 31st deadline for 6.4.3 and 11.6.1…shocker. The TL;DR? Under the changes, SAQ-A merchants will no longer have to specifically follow requirements 6.4.3 and 11.6.1 – but they must still have eSkimming security solutions in place in order to BE SAQ-A eligible. (Head scratch much? Yeah – we get it)
These changes are going to leave many merchants confused—and will place even more importance on the role of Qualified Security Assessors (QSAs). While this update removes explicit references to requirements 6.4.3 and 11.6.1 for SAQ-A merchants, the underlying security obligations remain, creating both challenges and opportunities for QSAs to lead and support their clients.
Here is what you should know if you read nothing more:
- This change DOES NOT mean merchants do not have to comply with requirements 6.4.3 and 11.6.1 – merchants across Levels 1, 2, 3 and even most of Level 4 must still meet these requirements by the March 31, 2025 deadline!
- This change only impacts a SMALL SUB-SEGMENT of the small merchant population – only those who meet the already stringent SAQ-A eligibility requirements (i.e. E-Commerce ONLY merchants who fully outsource)
- The new language states that in order to be SAQ-A eligible (SD editorial in parens) “Merchants must confirm that their site (an expansion from PAYMENT PAGE) is not susceptible to attacks (must PREVENT attacks) from scripts (1st party, 3rd party, nth party) that could compromise their eCommerce systems.” While the modification to eligibility requirements may change how SAQ-A merchants approach the challenge of defeating eSkimming attacks, they are still entirely responsible for keeping their customers safe and secure.
- This is the ONLY change coming and it has been made solely at the discretion of the Council. Nothing in the way of changes has or will come from the E-Commerce Guidance Taskforce – some merchants may falsely believe a deadline extension or changes to the Standard are coming from that effort – they are not. Source Defense, along with dozens of other ecosystem partners, has been an active member of the E-commerce Guidance Taskforce since it was created in October. The group has only been working to provide a guidance document related to implementing 6.4.3 and 11.6.1 – it has never been its charter to make changes to the DSS.
With just weeks until the March 31 compliance deadline for PCI DSS 4.0, this announcement will definitely kick up a significant amount of dust and confusion. As we have for the better part of the past two years, Source Defense wants to help educate you through this confusion.
What Has Changed?
The new eligibility requirement for SAQ-A merchants introduces a critical condition: merchants must confirm their site is not susceptible to attacks from scripts that could compromise their eCommerce systems.
This change effectively replaces the explicit guidance on 6.4.3 and 11.6.1 with an open-ended, high-bar requirement that still mandates robust eSkimming and script controls. While the removal of specific compliance steps may appear to simplify things on the surface, it creates a circular challenge for merchants—and by extension, their QSAs:
- Without script inventory, monitoring, and controls (the core elements of 6.4.3 and 11.6.1), merchants cannot demonstrate their site is secure.
- Without demonstrating this security, they cannot meet the eligibility requirements for SAQ-A…sooooooo, see 6.4.3 and 11.6.1
For many merchants, this shift adds to the confusion around what is required and leaves them looking to QSAs for guidance.
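As an added illustration (example code written for this article, not Source Defense’s platform or a PCI SSC artifact) of what the script inventory, monitoring and controls behind 6.4.3 and 11.6.1 amount to in practice: an authorized script inventory with integrity hashes, and a check that flags anything on the payment page that deviates from it. The script URLs, hashes and inventory entries are constructed for the example.

```javascript
// Added example, not Source Defense code: a minimal payment-page script inventory
// check in the spirit of PCI DSS 6.4.3 (authorize scripts, verify their integrity)
// and 11.6.1 (detect unauthorized changes). URLs, hashes and inventory are constructed.

// Authorized inventory (6.4.3): every script allowed on the payment page, with its
// expected Subresource Integrity hash and a written justification.
const AUTHORIZED_INVENTORY = [
  { src: "https://shop.example/js/checkout.js", integrity: "sha384-CONSTRUCTED-HASH-1", justification: "first-party checkout" },
  { src: "https://psp.example/v3/fields.js", integrity: "sha384-CONSTRUCTED-HASH-2", justification: "PSP hosted fields" },
];
// Snapshot the scripts present in a document (pass the browser's `document`).
// Inline scripts carry no src, so they are recorded by length only.
function collectScripts(doc) {
  return Array.from(doc.scripts, (el) => el.src
    ? { src: el.src, integrity: el.integrity || "" }
    : { inline: true, length: el.textContent.length });
}
// Compare observed scripts against the inventory (11.6.1 change detection); an empty result means the page matches.
function auditScripts(observed, inventory) {
  const bySrc = new Map(inventory.map((e) => [e.src, e]));
  const findings = [];
  const seen = new Set();
  for (const s of observed) {
    if (s.inline) { // inline code cannot be pinned with SRI, so flag it for review
      findings.push({ type: "inline-script", detail: `${s.length} bytes` });
    } else if (!bySrc.has(s.src)) { // not in the inventory at all
      findings.push({ type: "unauthorized", src: s.src });
    } else {
      seen.add(s.src);
      if (!s.integrity) { // authorized, but loaded without an SRI hash
        findings.push({ type: "missing-integrity", src: s.src });
      } else if (s.integrity !== bySrc.get(s.src).integrity) { // content changed
        findings.push({ type: "integrity-mismatch", src: s.src });
      }
    }
  }
  // An expected script that has disappeared is also an unauthorized change.
  for (const e of inventory) if (!seen.has(e.src)) findings.push({ type: "missing-authorized", src: e.src });
  return findings;
}
// Constructed observation: one good script, one whose hash changed, one unknown third-party tag, one injected inline script.
const SAMPLE_OBSERVED = [
  { src: "https://shop.example/js/checkout.js", integrity: "sha384-CONSTRUCTED-HASH-1" },
  { src: "https://psp.example/v3/fields.js", integrity: "sha384-CONSTRUCTED-HASH-CHANGED" },
  { src: "https://tags.unknown.example/t.js", integrity: "" },
  { inline: true, length: 412 },
];
console.log(auditScripts(SAMPLE_OBSERVED, AUTHORIZED_INVENTORY));
```

In a browser the same check runs as `auditScripts(collectScripts(document), AUTHORIZED_INVENTORY)`, and the findings are what a merchant would feed into the periodic review the requirements call for.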
The Role of QSAs: Turning Complexity into Clarity
As a QSA, your role has never been more critical. Merchants are relying on your expertise to navigate this complex landscape. Here are three key ways you can add value:
- Educate on the New Requirements
Many SAQ-A merchants will mistakenly interpret this change as a relaxation of their obligations. It’s up to QSAs to explain that while the explicit mention of 6.4.3 and 11.6.1 is gone, the underlying security expectations remain just as stringent. Without proper eSkimming controls, merchants cannot meet the new SAQ-A eligibility requirements.
- Provide Practical Solutions
Confusion creates an opportunity for QSAs to deliver real value by guiding merchants toward proven solutions. Source Defense is well known to the QSA community as a pioneer in the space that offers clients a cost-effective, low-effort solution to implement the necessary eSkimming controls. Source Defense’s platform provides proactive protection against malicious scripts and helps merchants address compliance requirements seamlessly. If you haven’t seen a demo, let’s change that!
- Set Expectations for Compliance
Clarify the implications of FAQ-1331, which raised concerns about whether Level 1 merchants might attempt to use it to bypass 6.4.3 and 11.6.1. The reality is that this new eligibility requirement creates a circular reasoning loop—merchants cannot achieve SAQ-A compliance without some form of eSkimming controls. Your expertise in assessing these requirements is essential to ensure compliance is achieved correctly and without shortcuts.
Partnering with Source Defense: A Proven Path to Success
For the past two years, Source Defense has worked closely with QSAs to educate merchants and deliver solutions that address eSkimming security. We even went so far as to develop a free QSA assessment tool which you need to look at if you haven’t already!
With the March 31 deadline fast approaching, Source Defense remains a trusted partner in helping merchants—and their QSAs—meet compliance and security needs.
- Proactive eSkimming Protection: Source Defense blocks malicious script activity at the point of input, safeguarding sensitive customer data and mitigating eSkimming risks.
- Ease of Use: The platform offers an intuitive dashboard for script inventory, monitoring, and policy enforcement, reducing the operational burden on merchants and their QSAs.
- A Trusted Partner: With experience supporting over 1,000 leading brands and 200 QSACs, Source Defense brings deep expertise to eSkimming security.
Moving Forward: Guidance for QSAs
The SAQ-A update, while not ideal in timing or clarity, highlights the ongoing importance of robust eSkimming protections and the expertise QSAs bring to the table. As merchants grapple with these changes, QSAs have the opportunity to lead, educate, and provide actionable solutions.
By leveraging your expertise and partnering with Source Defense, you can help merchants not only meet compliance requirements but also strengthen their overall security posture—turning confusion into confidence.
Want to learn more about how Source Defense can support your efforts as a QSA? Request a demo today and discover how our platform simplifies compliance, secures eSkimming environments, and enhances the value you deliver to your clients.