by Source Defense

Implications for 6.4.3 and 11.6.1, and What It Means for PSPs, Merchants, and QSAs.

On January 30, 2025 the PCI Security Standards Council announced changes to eligibility requirements for any merchant trying to demonstrate compliance under a SAQ-A. Under the changes, SAQ-A merchants will no longer have to specifically follow requirements 6.4.3 and 11.6.1 – but they must still have eSkimming security solutions in place.

The PCI Council’s recent changes to SAQ-A merchant eligibility requirements have sparked conversations and debate across the PCI community. As a proud member of the E-Commerce Guidance Taskforce empaneled in October by the PCI Council, Source Defense has been a first-hand participant.

Here is what you should know if you read nothing more:

  1. This change DOES NOT mean a major change for the vast majority of merchants! The overwhelming majority still have to comply with requirements 6.4.3 and 11.6.1. Merchants across Levels 1, 2, 3 and even most of Level 4 who cannot meet SAQ-A eligibility must still meet these requirements by the March 31, 2025 deadline!
  2. This change only impacts a SMALL SUB-SEGMENT of the small merchant population – only those who meet the already stringent SAQ-A eligibility requirements (i.e., e-commerce-ONLY merchants who fully outsource).
  3. The new language states (SD editorial in parens): “Merchants must confirm that their site (an expansion from PAYMENT PAGE) is not susceptible to attacks (must PREVENT attacks) from scripts (1st party, 3rd party, nth party) that could compromise their eCommerce systems.” While the modification to eligibility requirements may change how SAQ-A merchants approach the challenge of defeating eSkimming attacks, they are still entirely responsible for keeping their customers safe and secure.
  4. This is the ONLY change coming, and it has been made solely at the discretion of the Council. Nothing in the way of changes has come or will come from the E-Commerce Guidance Taskforce – some merchants may falsely believe a deadline extension or changes to the Standard are coming from that effort – they are not.

    Source Defense, along with dozens of other ecosystem partners, has been an active member of the E-commerce Guidance Taskforce since it was created in October.

    The group has only been working to provide a guidance document related to implementing 6.4.3 and 11.6.1 – it has never been its charter to make changes to the DSS.

With just weeks until the March 31 compliance deadline for PCI DSS 4.0, this announcement will definitely kick up a significant amount of dust and confusion. As we have for the better part of the past two years, Source Defense wants to help educate you through this confusion.


Key Takeaways:

This change removes explicit references to requirements 6.4.3 and 11.6.1 for SAQ-A merchants – a small sub-segment of the small merchant population. All other merchant types and ecosystem players must still adhere to these requirements.

However, even with some of the more specific requirements removed for SAQ-A eligible merchants, the underlying security expectations remain, leaving PSPs, merchants, and QSAs with critical responsibilities—and significant opportunities.

Let’s break down what’s changed, what hasn’t, and what it means for each audience.

What Changed?

SAQ-A merchants no longer need to meet the specific controls outlined in 6.4.3 and 11.6.1, which require inventorying, justifying, and ensuring the integrity of scripts on payment pages, as well as the weekly monitoring of security-affecting HTTP headers.
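To make those two controls concrete, here is an added example of what a minimal 6.4.3-style script inventory and integrity check and an 11.6.1-style header change check look like in code. This is illustrative code written for this post, not Source Defense's product or anything from the PCI Council; the payment-page HTML, the script bodies, the authorized inventory and the header baseline are all constructed for the demo. In practice the page and its response headers would be fetched from the live payment page on the schedule the requirement sets and compared against the reviewed baseline the same way.

```python
"""Illustrative 6.4.3 / 11.6.1-style checks (added example, constructed inputs).

6.4.3: every script on the payment page is authorized, has a written
justification, and has its integrity assured.
11.6.1: changes to security-affecting HTTP headers (and page content) are detected.
"""
import base64
import hashlib
from html.parser import HTMLParser

# Constructed "known good" script bodies; the inventory's pinned hashes are
# derived from these, standing in for the files the merchant has reviewed.
GOOD_CONTENT = {
    "https://checkout.example-psp.test/pay.js": b"window.PSP = {mount: function () {}};",
    "/static/app.js": b"document.addEventListener('DOMContentLoaded', init);",
}


def sri_hash(content: bytes) -> str:
    """Subresource Integrity value (sha384-<base64>) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


# 6.4.3 asks for a written justification and an integrity method per script.
AUTHORIZED_SCRIPTS = {
    src: {"justification": why, "sri": sri_hash(GOOD_CONTENT[src])}
    for src, why in [
        ("https://checkout.example-psp.test/pay.js", "PSP hosted payment fields"),
        ("/static/app.js", "first-party checkout UI"),
    ]
}

# 11.6.1 baseline of security-affecting response headers (constructed values).
HEADER_BASELINE = {
    "content-security-policy": "default-src 'self'; script-src 'self' https://checkout.example-psp.test",
    "x-frame-options": "DENY",
}


class ScriptCollector(HTMLParser):
    """Records the src and integrity attribute of every <script> on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity")})


def audit_scripts(html, inventory, served):
    """Compare the scripts on a page with the authorized inventory.
    `served` maps src -> the bytes actually delivered for that script."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        src = s["src"]
        if src is None:
            findings.append(("inline-script", None))  # no src: cannot be inventoried by URL
            continue
        if src not in inventory:
            findings.append(("unauthorized", src))  # not in the 6.4.3 inventory at all
            continue
        if src in served and sri_hash(served[src]) != inventory[src]["sri"]:
            findings.append(("integrity-mismatch", src))  # body changed since review
        if s["integrity"] != inventory[src]["sri"]:
            findings.append(("integrity-attr-mismatch", src))  # tag lacks or mis-states SRI
    return findings


def diff_headers(baseline, observed):
    """Report baseline security headers that are missing or changed in a response."""
    obs = {k.lower(): v for k, v in observed.items()}
    changes = []
    for name, expected in baseline.items():
        if name not in obs:
            changes.append(("missing", name))
        elif obs[name] != expected:
            changes.append(("changed", name))
    return changes


def run_demo():
    """Constructed snapshot: one altered first-party script, one script not in
    the inventory, one inline script, and a weakened header set."""
    pay_js = "https://checkout.example-psp.test/pay.js"
    html = (
        f'<script src="{pay_js}" integrity="{AUTHORIZED_SCRIPTS[pay_js]["sri"]}"></script>'
        '<script src="/static/app.js"></script>'
        '<script src="https://unknown-cdn.test/tag.js"></script>'
        '<script>window.dataLayer = [];</script>'
    )
    served = {
        pay_js: GOOD_CONTENT[pay_js],
        "/static/app.js": GOOD_CONTENT["/static/app.js"] + b"\n/* unreviewed change */",
    }
    observed_headers = {
        "Content-Security-Policy": "default-src 'self'; script-src 'self' https: 'unsafe-inline'",
    }
    return audit_scripts(html, AUTHORIZED_SCRIPTS, served), diff_headers(HEADER_BASELINE, observed_headers)


if __name__ == "__main__":
    script_findings, header_changes = run_demo()
    for finding in script_findings:
        print("script:", *finding)
    for change in header_changes:
        print("header:", *change)
```

Two things this small check makes visible: the integrity attribute on the tag is only half the story (the served bytes have to be compared against the reviewed hash too, because a tag without `integrity` will load whatever the origin returns), and header monitoring is a diff against a recorded baseline, so the baseline itself has to be maintained as part of change control. Pinning a hash is the simplest integrity method but breaks when a third party legitimately updates its script, which is why a real deployment pairs it with a review workflow rather than treating every mismatch as an incident.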

However, in order to even be SAQ-A eligible: “Merchants must confirm that their site is not susceptible to attacks from scripts that could compromise their eCommerce systems.”

At face value, this change simplifies compliance for a very small subsegment of the small merchant community – those that meet the “eCommerce only” classifications outlined in the SAQ-A requirements.

But in reality, it sets up circular reasoning and establishes an exceptionally high bar.

Without eSkimming security and script controls in place, it’s impossible for merchants to confirm they are free from vulnerabilities.

The result? The removal of 6.4.3 and 11.6.1 does not eliminate the need for robust security—it simply reframes how it is achieved.

This change will also affect what type of self-attestation many merchants are able to perform. Merchants who cannot satisfy the new requirement quoted above will be required to complete one of the other self-attestation questionnaires, all of which include significantly more questions, controls, and requirements, including 6.4.3 and 11.6.1.

What Hasn’t Changed?

  1. No Changes for non-SAQ-A Merchants: The deadline still looms as March 31, 2025 to adhere to the requirements outlined under 6.4.3 and 11.6.1.
  2. No Changes for PSP Compliance
    PSPs are still required to meet 6.4.3 and 11.6.1 by the March 31 deadline. This includes script inventory, monitoring, and ensuring payment flow security.
  3. SAQ-A Merchants Still Need Protection
    While the explicit compliance requirements are gone, the security risks—and the expectation to prevent them—remain.
  4. The March 31 Deadline Stands
    The deadline for complying with PCI DSS 4.0, including 6.4.3 and 11.6.1, remains unchanged.

What It Means for PSPs

This change presents PSPs with both a challenge and an opportunity. Your small merchant clients may interpret this update as a relaxation of their obligations, leaving them vulnerable to attacks like eSkimming and Magecart. This is your chance to step up as a trusted partner, offering solutions that simplify compliance and strengthen security.

  • Support Your SAQ-A Merchants: Educate them on the importance of script controls and guide them toward solutions that meet their needs.
  • Bolster Your Value Proposition: By delivering a low-cost, no-burden solution for small merchants, you can stand out in the competitive PSP landscape.
  • Generate Revenue: Partnering with Source Defense allows you to introduce new value-added services that enhance your bottom line while supporting your clients.

We have worked diligently to develop a low-cost, management-free solution for the Small Merchant community – we are already in the process of rolling this solution out through a network of partners in the PSP community – JOIN US!

What It Means for Merchants

If you aren’t a SAQ-A eligible Merchant – this means NOTHING. If you are a large merchant who previously tried to demonstrate SAQ-A eligibility – this means it is HARDER to do so. In effect, the Council has created circular reasoning – want to be SAQ-A eligible? Get eSkimming controls in place…how? See 6.4.3 and 11.6.1 – basically, no game playing here – close this loop!

For SAQ-A merchants, this update can feel confusing. The removal of explicit guidance around 6.4.3 and 11.6.1 might seem like a reprieve, but the underlying requirement to secure your site from script-based vulnerabilities remains. Without robust controls, achieving compliance—and protecting your customers—becomes nearly impossible.

Source Defense’s Small Merchant Solution is designed specifically for merchants like you. With minimal effort and cost, you can implement the necessary protections to secure your site and meet the new eligibility requirements.

What It Means for QSAs

As a QSA, your expertise is more critical than ever. Merchants will turn to you for clarity on these changes, and you’ll need to help them understand that while the explicit mention of 6.4.3 and 11.6.1 is gone under SAQ-A, the expectation to secure their environments remains.

  • Educate and Guide: Help merchants navigate the nuances of these changes and implement solutions that address the underlying risks.
  • Provide Actionable Solutions: Partnering with Source Defense gives you access to proven tools that make it easy for merchants to implement eSkimming controls and secure their environments.
  • Clarify FAQ-1331: Address concerns that Level 1 merchants might misuse this change to avoid compliance. Highlight the circular logic that makes eSkimming controls essential for SAQ-A eligibility.

Why Source Defense Is the Solution for All Stakeholders

For over two years, Source Defense has partnered with Merchants, QSAs, PSPs, eCommerce Platform Providers, the PCI Council, and a host of others to help educate on these new controls, simplify compliance and continue its pioneering focus on client-side security challenges. Our solutions are tailored to meet the needs of every stakeholder:

  • Merchants: Protect your site from eSkimming attacks with a simple, cost-effective platform that requires minimal effort to deploy and manage.
  • PSPs: Deliver value-added services with a low-cost, scalable solution for your small merchant clients.
  • QSAs: Simplify your assessments with a proven solution that supports compliance with PCI DSS 4.0.1 while addressing real-world security risks.

Moving Forward

The PCI Council’s update to SAQ-A requirements might seem like a curveball, but it reinforces the importance of robust eSkimming protections and proactive client-side security. Whether you’re a PSP, merchant, or QSA, this change presents an opportunity to lead, innovate, and enhance security for everyone in the payment ecosystem.

Let Source Defense help you turn this challenge into an opportunity. Request a Consultation today to learn how our platform can support your compliance and security goals.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.
