{"title":"Self-Assessment Questionnaire A eligibility","category":"default","creationDate":1779533780,"content":"<p>This page provides information about determining if you are eligible to demonstrate the Payment Card Industry Data Security Standard (PCI DSS) compliance of your online payments integration through a Self-Assessment Questionnaire A (SAQ A).<\/p>\n<p>If you have previously submitted SAQ A documents, note that the PCI Security Standards Council (PCI SSC) has <a href=\"#changes\">removed some of the script security requirements<\/a>, making it easier to be eligible for SAQ A.<\/p>\n<h2>Requirements<\/h2>\n<p>Before you begin, check if the information on this page applies to you.<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Requirement<\/th>\n<th style=\"text-align: left;\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\"><strong>Integration type<\/strong><\/td>\n<td style=\"text-align: left;\">The information on this page is relevant for online payments integrations.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Eligibility requirements<\/h2>\n<p>In accordance with PCI DSS v4.0.1, to be eligible to use the SAQ A to attest the PCI DSS compliance of your online payments integration, you must:<\/p>\n<ul>\n<li>Confirm that all elements of the payment pages and forms delivered to the customer\u2019s browser originate only and directly from a PCI DSS compliant Third-Party Service Provider (TPSP) or payment processor.<\/li>\n<li>Confirm your site is not susceptible to attacks from scripts that could affect your e-commerce systems.<\/li>\n<\/ul>\n<p>This means that most of the responsibility for these controls belongs to the TPSPs or payment processors.<\/p>\n<p>However, as a SAQ A merchant you must ensure that the payment page elements and scripts that are loaded from your providers through different integrations are PCI DSS compliant, and apply security measures to protect from script attacks. For example, SAQ A requirement 11.3.2 mandates regular <a href=\"\/development-resources\/pci-dss-compliance-guide\/vulnerability-scanning-regulation\">vulnerability scans<\/a>.<\/p>\n<p>You can <a href=\"https:\/\/docs-prv.pcisecuritystandards.org\/SAQ%20(Assessment)\/SAQ\/PCI-DSS-v4-0-1-SAQ-A.pdf\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">download the SAQ A<\/a> from the PCI site.<\/p>\n<h2>How Adyen can help<\/h2>\n<p>To help you attest to the eligibility requirements for SAQ A, Adyen provides assurance for the security of its products through Adyen's annual PCI DSS Attestation of Compliance (AoC).<\/p>\n<p>In addition, we provide information about:<\/p>\n<ul>\n<li>Security measures for the specific integrations you implement in our <a href=\"\/development-resources\/pci-dss-compliance-guide\/#online-payments\">PCI DSS compliance guide<\/a>.<\/li>\n<li><a href=\"\/development-resources\/pci-dss-compliance-guide\/vulnerability-scanning-regulation\">Vulnerability scanning<\/a> of your Adyen online payments integration to comply with SAQ A requirement 11.3.2.<\/li>\n<\/ul>\n<h2 id=\"changes\">Changes to the SAQ A requirements<\/h2>\n<p>In response to industry feedback, and because of the complexity of implementing new ecommerce security controls, in 2025 the PCI DSS has <a href=\"https:\/\/blog.pcisecuritystandards.org\/important-updates-announced-for-merchants-validating-to-self-assessment-questionnaire-a\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">updated the SAQ A eligibility criteria<\/a>.<\/p>\n<p>In the new PCI DSS v4.0.1 standard, the following PCI DSS SAQ A requirements have been removed:<\/p>\n<ul>\n<li>PCI DSS requirement 6.4.3, about payment page scripts.<\/li>\n<li>PCI DSS requirement 11.6.1, about change- and tamper-detection mechanisms.<\/li>\n<\/ul>\n<p><a href=\"\/online-payments\/script-security-compliance\">Requirements 6.4.3 and 11.6.1<\/a> remain applicable to merchants that are required to submit PCI DSS Self-Assessment Questionnaire D (SAQ D) and merchants that are required to present an Attestation of Compliance (AoC) for onsite assessment.<\/p>\n<p>The new SAQ A version has gone into effect on March 31, 2025, which is when the PCI DSS v4.0.1 requirements have also gone into effect.<\/p>\n<h2>See also<\/h2>\n<div class=\"see-also-links output-inline\" id=\"see-also\">\n<ul><li><a href=\"https:\/\/docs-prv.pcisecuritystandards.org\/SAQ%20(Assessment)\/SAQ\/PCI-DSS-v4-0-1-SAQ-A.pdf\"\n                        target=\"_blank\"\n                         class=\"external\">\n                    Download the SAQ A\n                <\/a><\/li><li><a href=\"\/development-resources\/pci-dss-compliance-guide\"\n                        target=\"_self\"\n                        >\n                    PCI DSS compliance guide\n                <\/a><\/li><li><a href=\"\/development-resources\/pci-dss-compliance-guide\/vulnerability-scanning-regulation\"\n                        target=\"_self\"\n                        >\n                    \nVulnerability scanning for SAQ A\n                <\/a><\/li><\/ul><\/div>\n","url":"https:\/\/docs.adyen.com\/development-resources\/pci-dss-compliance-guide\/saq-a-eligibility","articleFields":{"description":"Determine if you are eligible for SAQ A, and learn about changed PCI DSS script security requirements for SAQ A."},"algolia":{"url":"https:\/\/docs.adyen.com\/development-resources\/pci-dss-compliance-guide\/saq-a-eligibility","title":"Self-Assessment Questionnaire A eligibility","content":"This page provides information about determining if you are eligible to demonstrate the Payment Card Industry Data Security Standard (PCI DSS) compliance of your online payments integration through a Self-Assessment Questionnaire A (SAQ A).\nIf you have previously submitted SAQ A documents, note that the PCI Security Standards Council (PCI SSC) has removed some of the script security requirements, making it easier to be eligible for SAQ A.\nRequirements\nBefore you begin, check if the information on this page applies to you.\n\n\n\nRequirement\nDescription\n\n\n\n\nIntegration type\nThe information on this page is relevant for online payments integrations.\n\n\n\nEligibility requirements\nIn accordance with PCI DSS v4.0.1, to be eligible to use the SAQ A to attest the PCI DSS compliance of your online payments integration, you must:\n\nConfirm that all elements of the payment pages and forms delivered to the customer\u2019s browser originate only and directly from a PCI DSS compliant Third-Party Service Provider (TPSP) or payment processor.\nConfirm your site is not susceptible to attacks from scripts that could affect your e-commerce systems.\n\nThis means that most of the responsibility for these controls belongs to the TPSPs or payment processors.\nHowever, as a SAQ A merchant you must ensure that the payment page elements and scripts that are loaded from your providers through different integrations are PCI DSS compliant, and apply security measures to protect from script attacks. For example, SAQ A requirement 11.3.2 mandates regular vulnerability scans.\nYou can download the SAQ A from the PCI site.\nHow Adyen can help\nTo help you attest to the eligibility requirements for SAQ A, Adyen provides assurance for the security of its products through Adyen's annual PCI DSS Attestation of Compliance (AoC).\nIn addition, we provide information about:\n\nSecurity measures for the specific integrations you implement in our PCI DSS compliance guide.\nVulnerability scanning of your Adyen online payments integration to comply with SAQ A requirement 11.3.2.\n\nChanges to the SAQ A requirements\nIn response to industry feedback, and because of the complexity of implementing new ecommerce security controls, in 2025 the PCI DSS has updated the SAQ A eligibility criteria.\nIn the new PCI DSS v4.0.1 standard, the following PCI DSS SAQ A requirements have been removed:\n\nPCI DSS requirement 6.4.3, about payment page scripts.\nPCI DSS requirement 11.6.1, about change- and tamper-detection mechanisms.\n\nRequirements 6.4.3 and 11.6.1 remain applicable to merchants that are required to submit PCI DSS Self-Assessment Questionnaire D (SAQ D) and merchants that are required to present an Attestation of Compliance (AoC) for onsite assessment.\nThe new SAQ A version has gone into effect on March 31, 2025, which is when the PCI DSS v4.0.1 requirements have also gone into effect.\nSee also\n\n\n                    Download the SAQ A\n                \n                    PCI DSS compliance guide\n                \n                    \nVulnerability scanning for SAQ A\n                \n","type":"page","locale":"en","boost":17,"hierarchy":{"lvl0":"Home","lvl1":"Development resources","lvl2":"PCI DSS compliance guide","lvl3":"Self-Assessment Questionnaire A eligibility"},"hierarchy_url":{"lvl0":"https:\/\/docs.adyen.com\/","lvl1":"https:\/\/docs.adyen.com\/development-resources","lvl2":"https:\/\/docs.adyen.com\/development-resources\/pci-dss-compliance-guide","lvl3":"\/development-resources\/pci-dss-compliance-guide\/saq-a-eligibility"},"levels":4,"category":"Development Resources","category_color":"green","tags":["Self-Assessment","Questionnaire","eligibility"]}}