Self-Assessment Questionnaire A eligibility

Determine if you are eligible for SAQ A, and learn about changed PCI DSS script security requirements for SAQ A.

This page provides information about determining if you are eligible to demonstrate the Payment Card Industry Data Security Standard (PCI DSS) compliance of your online payments integration through a Self-Assessment Questionnaire A (SAQ A).

If you have previously submitted SAQ A documents, note that the PCI Security Standards Council (PCI SSC) has removed some of the script security requirements, making it easier to be eligible for SAQ A.

Requirements

Before you begin, check if the information on this page applies to you.

| Requirement | Description |
| --- | --- |
| Integration type | The information on this page is relevant for online payments integrations. |

Eligibility requirements

In accordance with PCI DSS v4.0.1, to be eligible to use the SAQ A to attest the PCI DSS compliance of your online payments integration, you must:

  • Confirm that all elements of the payment pages and forms delivered to the customer’s browser originate only and directly from a PCI DSS compliant Third-Party Service Provider (TPSP) or payment processor.
  • Confirm your site is not susceptible to attacks from scripts that could affect your e-commerce systems.

This means that most of the responsibility for these controls belongs to the TPSPs or payment processors.

However, as a SAQ A merchant, you must ensure that the payment page elements and scripts loaded from your providers through different integrations are PCI DSS compliant, and you must apply security measures to protect against script attacks. For example, SAQ A requirement 11.3.2 mandates regular vulnerability scans.

You can download the SAQ A from the PCI site.

How Adyen can help

To help you attest to the eligibility requirements for SAQ A, Adyen provides assurance for the security of its products through Adyen's annual PCI DSS Attestation of Compliance (AoC).

In addition, we provide information about:

Changes to the SAQ A requirements

In response to industry feedback, and because of the complexity of implementing new ecommerce security controls, the PCI DSS SAQ A eligibility criteria were updated in 2025.

In the new PCI DSS v4.0.1 standard, the following PCI DSS SAQ A requirements have been removed:

  • PCI DSS requirement 6.4.3, about payment page scripts.
  • PCI DSS requirement 11.6.1, about change- and tamper-detection mechanisms.

Requirements 6.4.3 and 11.6.1 remain applicable to merchants that are required to submit PCI DSS Self-Assessment Questionnaire D (SAQ D) and merchants that are required to present an Attestation of Compliance (AoC) for onsite assessment.

The new SAQ A version went into effect on March 31, 2025, the same date on which the PCI DSS v4.0.1 requirements went into effect.