Changes to Self-Assessment Questionnaire A eligibility

PCI DSS Self-Assessment Questionnaire A (SAQ A) includes changes related to script security requirements.

In response to industry feedback, and because of the complexity of implementing new ecommerce security controls, the following Payment Card Industry Data Security Standard (PCI DSS) requirements have been removed from the PCI DSS v4.0.1 Self-Assessment Questionnaire A (SAQ A):

  • PCI DSS requirement 6.4.3
  • PCI DSS requirement 11.6.1

With the recent update to the PCI DSS SAQ A eligibility criteria, the PCI Security Standards Council (PCI SSC) has determined that, to be eligible to use this document to attest to your PCI compliance, you must:

  • Confirm that all elements of the payment pages and forms delivered to the customer’s browser originate only and directly from a PCI DSS compliant Third-Party Service Provider (TPSP) or payment processor.
  • Confirm your site is not susceptible to attacks from scripts that could affect your e-commerce systems.

This means that, even though most of the responsibility for these controls now belongs to the TPSPs or payment processors, SAQ A merchants must ensure that the payment page elements and scripts loaded from their providers through different integrations are PCI DSS compliant, and must apply security measures to protect against script attacks.

Requirements 6.4.3 and 11.6.1 remain applicable to merchants that are eligible for PCI DSS Self-Assessment Questionnaire D (SAQ D) and merchants that are required to present an Attestation of Compliance (AoC) for onsite assessment.

SAQ A eligible integrations

To help you attest to the eligibility requirements for SAQ A, Adyen provides assurance for the security of its products through our annual PCI DSS Attestation of Compliance (AoC).

To confirm your site is secure, you can find additional information about security measures for the specific integrations you implement on the Adyen Developer Resources page for PCI DSS compliance.

When it goes into effect

The new SAQ A version, published in January 2025, is available for review. However, it does not go into effect until March 31, 2025, which is when the new PCI DSS v4.0.1 requirements will also go into effect. Until then, you can mark these requirements as non-applicable if you are using an SAQ A template published in October 2024.