by Source Defense
The PCI Council’s recent update to SAQ-A merchant requirements will spark questions and confusion across the eCommerce ecosystem. Under the changes, SAQ-A merchants will no longer have to specifically follow requirements 6.4.3 and 11.6.1 – but in order TO BE SAQ-A eligible, they must still have eSkimming security solutions in place. A head-scratching, circular-logic change for sure…
So What Does This Mean for You as a PSP?
- While this announcement removes the explicit need for SAQ-A merchants to comply with PCI DSS 4.0 requirements 6.4.3 and 11.6.1, the implications for Payment Service Providers (PSPs) are clear: your responsibility to secure your own environments remains unchanged, as does the March 31 deadline.
- The new language states (SD editorial in parens) “Merchants must confirm that their site (an expansion from PAYMENT PAGE) is not susceptible to attacks (must PREVENT attacks) from scripts (1st party, 3rd party, nth party) that could compromise their eCommerce systems.” While the modification to eligibility requirements may change how SAQ-A merchants approach the challenge of defeating eSkimming attacks, they are still entirely responsible for keeping their customers safe and secure.
- Given your role in the compliance process, you now have to find a way to ensure that all of your SAQ-A merchants are not susceptible to eSkimming attacks in order to let them use SAQ-A…
Here is some good news – supporting your small merchant clients in addressing the risks of eSkimming attacks is not just a responsibility – it’s a strategic opportunity.
What Has Changed (and What Hasn’t)
This update affects a narrow subset of merchants—only those who meet the stringent requirements to qualify as SAQ-A. For PSPs, there are a few key takeaways:
- No Changes for PSP Compliance: PSPs must still meet the requirements of 6.4.3 and 11.6.1 by the March 31 deadline. This includes inventorying and monitoring scripts and protecting payment flows from unauthorized activity.
- SAQ-A Merchants Still Need Protection: While SAQ-A merchants are not required to adhere to these specific controls, they are still responsible for ensuring their sites are not vulnerable to eSkimming attacks. They will need solutions, and you’ll need to help – we can help you help them!
- Opportunity to Strengthen Your Value Proposition: This change opens the door for PSPs to differentiate themselves by supporting small merchants with scalable, cost-effective eSkimming solutions.
We have worked diligently to develop a low-cost, management-free solution for the Small Merchant community, and we are already rolling it out through a network of partners in the PSP community – JOIN US!
Supporting Your SAQ-A Merchants: A Strategic Responsibility
For PSPs, helping SAQ-A merchants secure their eCommerce environments represents both a responsibility and an opportunity. These merchants face unique challenges in addressing the risks of eSkimming, Magecart, and formjacking attacks. By partnering with a solution provider like Source Defense, PSPs can offer merchants a seamless, low-cost solution that delivers real protection without adding operational burdens.
Here’s how you can leverage this opportunity:
- Bolster Your Value Proposition: Position your organization as a proactive partner in eSkimming security by offering a ready-made solution for your SAQ-A merchants.
- Differentiate Your Services: Not all PSPs will provide this level of support. By stepping in with a comprehensive solution, you can stand out in a crowded market.
- Generate Revenue: Partnering with Source Defense to deliver a protection-first, no-burden solution to SAQ-A merchants creates a new revenue stream while helping your clients achieve their security goals.
Why Source Defense Is the Ideal Partner for PSPs
Source Defense has been at the forefront of eSkimming security and compliance, working with the PCI Security Standards Council and ecosystem stakeholders to address the growing threat of eSkimming. Our Small Merchant Solution is tailored to meet the needs of PSPs and their merchant clients:
- Effortless Deployment: Protection within hours, not days.
- Proactive Security: Unlike reactive solutions, Source Defense proactively blocks malicious JavaScript and secures payment flows.
- Cost-Effective: Designed to fit small merchant budgets, our solution offers protection-first security without placing a burden on your merchants.
- Proven Results: Trusted by over 1,000 leading brands and more than 200 Qualified Security Assessors (QSACs).
By partnering with Source Defense, PSPs can deliver immediate value to their merchant clients, strengthen their market position, and create a significant revenue uplift.
The March 31 Deadline: No Room for Delay
For PSPs, the March 31 deadline for compliance with PCI DSS 4.0 remains a critical milestone. This means your own environments must meet the 6.4.3 and 11.6.1 requirements, including script inventory, monitoring, and real-time threat detection. Source Defense’s platform can also support PSPs in achieving compliance efficiently, freeing up resources to focus on merchant support.
Turn Responsibility Into Opportunity
This update from the PCI Security Standards Council highlights the importance of proactive security measures and partnership-driven solutions. PSPs that rise to the challenge of supporting all of their merchants – especially SAQ-A merchants – can deliver significant value while enhancing their competitive edge.
Call to Action:
Take the lead in securing your environments and supporting your SAQ-A merchants. Contact Source Defense today to explore partnership opportunities and discover how our Small Merchant Solution can deliver protection-first security and a new revenue stream for your organization.