Nearly two years ago, v4.0 of the Payment Card Industry Data Security Standard (PCI DSS) was released, introducing numerous new requirements. For the first two years, these requirements have remained optional, but their mandatory enforcement date is now rapidly approaching. As of 31 March 2025, all new requirements will become compulsory. Additionally, the new version of the PCI DSS saw the introduction of a revised set of self-assessment questionnaires (SAQs) to incorporate any relevant new requirements. (For more information on the changes to SAQs and assessments, read our blog on Preparing for a PCI DSS v4 Assessment).
Since the new documentation was released, the PCI SSC has made a minor revision of the Standard to v4.0.1, which consisted only of grammatical corrections and typo fixes. New versions of all the SAQs were then released in October 2024 to incorporate those changes. However, on 30 January 2025 the PCI Security Standards Council (SSC) unexpectedly published an updated version of just SAQ-A, with some fairly significant changes. The Council removed two of the new v4 requirements from the SAQ (6.4.3 and 11.6.1) and added a new bullet point to the eligibility criteria to replace them.
The Significance of SAQ-A
In the modern business landscape, nearly every merchant has an ecommerce payment channel through their website, and the SAQ-A is one of only 3 SAQs that can be used for ecommerce channels (the others being SAQ-A-EP and SAQ-D). More significantly, it is by far the smallest of the three; the current version includes only 31 requirements, whereas the SAQ-A-EP has 151 and the SAQ-D includes all of them.
The simplicity and relatively lower compliance burden of SAQ-A make it the most sought-after SAQ among merchants and probably the most widely used. So, when v4 of the Standard was released and the PCI SSC introduced two of the headline new requirements to SAQ-A, 6.4.3 (all payment page scripts must be authorised, justified and integrity checked) and 11.6.1 (change detection must be deployed on the headers and contents of all payment pages), it had a significant impact on merchants utilising this streamlined compliance path.
Industry Reactions
Both new requirements are very technical and demand significant resources to implement, either by utilising internal resources or by leveraging a suitable third-party solution. However, their introduction was generally well-received within the industry, as many payment pages are vulnerable to the types of attacks these requirements aim to mitigate. Here at URM, we have spent the past two years working with most of our clients to help them implement suitable processes to meet these requirements.
So, when the PCI SSC unexpectedly announced the removal of these requirements from, arguably, the SAQ that needed them the most, it came as a surprise. The reaction has been mixed; some organisations that were struggling to meet the new requirements are relieved, but others that have spent significant time and resources implementing solutions are now wondering if they have wasted their time and effort. Whilst both responses are understandable, they may be misplaced due to the addition of the new eligibility criteria.
The New Eligibility Criteria Explained
Each of the SAQs contains a list of criteria that you must meet in order to use that SAQ. This ensures any requirements that have been excluded from the specific SAQ are genuinely irrelevant to your organisation. The newly added criterion in SAQ-A requires merchants to ‘confirm their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s)’.
This means that while the specific technical requirements (6.4.3 and 11.6.1) were removed, merchants are still responsible for ensuring their sites are protected from script-based attacks. This clearly indicates that the PCI SSC does not view these requirements as unnecessary. Instead, the addition of this new eligibility criterion reinforces the importance of securing payment pages against such threats, placing the responsibility back on merchants to demonstrate that their sites are not at risk.
Demonstrating PCI DSS Compliance
So, how do you meet this new criterion to ensure your organisation can still use SAQ-A, i.e., how do you confirm your site is not susceptible to attacks from scripts? The most obvious way would be to comply with the requirements that were removed. As such, if you have spent time and resources meeting them, these efforts have not been wasted as they remain the most effective way to demonstrate your site is secure. However, the key change is that merchants now have some flexibility. If you have an alternative, innovative method to prove that your site is protected from script-based attacks, it could also be acceptable under the new eligibility criteria.
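The two removed requirements describe concrete controls: an authorised, justified and integrity-checked inventory of payment page scripts (6.4.3), and change detection on payment page headers and content (11.6.1). The following Python script is an added example written for this post, not URM's or the PCI SSC's code, showing the shape of such a check. The authorised-script inventory, the script URLs, the SRI hashes, the headers and the sample page HTML are all constructed placeholders; a real deployment would fetch the live payment page over HTTPS and keep the baseline fingerprint in tamper-resistant storage.

```python
"""Added example (not from the original post): minimal checks for PCI DSS
requirement 6.4.3 (payment page script inventory with integrity) and
11.6.1 (change detection on payment page headers and content).
Every URL, hash and header value below is constructed sample data."""
import hashlib
from html.parser import HTMLParser

# Assumption: the merchant keeps an authorised-script inventory holding a
# written business justification and the expected SRI hash for each script.
AUTHORISED_SCRIPTS = {
    "https://pay.example-psp.test/v1/checkout.js": {
        "justification": "PSP-hosted card form loader",
        "integrity": "sha384-CONSTRUCTED_PLACEHOLDER_HASH_A",
    },
    "/static/checkout.js": {
        "justification": "Merchant checkout page logic",
        "integrity": "sha384-CONSTRUCTED_PLACEHOLDER_HASH_B",
    },
}

# Response headers whose change on a payment page should be investigated (11.6.1).
MONITORED_HEADERS = ("content-security-policy", "strict-transport-security",
                     "x-frame-options", "content-type")


class _ScriptCollector(HTMLParser):
    """Collect every <script> start tag: its src and integrity attributes."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity")})


def extract_scripts(html):
    parser = _ScriptCollector()
    parser.feed(html)
    return parser.scripts


def check_scripts(html, authorised=AUTHORISED_SCRIPTS):
    """6.4.3: list scripts that are not in the inventory, carry no integrity
    attribute, or whose integrity value differs from the inventory."""
    findings = []
    for s in extract_scripts(html):
        if s["src"] is None:
            findings.append("inline script present: not in authorised inventory")
            continue
        entry = authorised.get(s["src"])
        if entry is None:
            findings.append(f"unauthorised script: {s['src']}")
        elif s["integrity"] is None:
            findings.append(f"no integrity attribute: {s['src']}")
        elif s["integrity"] != entry["integrity"]:
            findings.append(f"integrity mismatch: {s['src']}")
    return findings


def fingerprint(headers, body):
    """11.6.1: deterministic fingerprint over monitored headers plus the body.
    Header names are case-insensitive, so they are normalised first."""
    norm = {k.lower(): v for k, v in headers.items()}
    parts = [f"{h}={norm.get(h, '')}" for h in MONITORED_HEADERS]
    parts.append(hashlib.sha256(body.encode()).hexdigest())
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()


def detect_change(baseline_fp, headers, body):
    """True when the page content or its monitored headers differ from baseline."""
    return fingerprint(headers, body) != baseline_fp


# Constructed baseline payment page and response headers.
BASELINE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://pay.example-psp.test",
    "Strict-Transport-Security": "max-age=31536000",
}
BASELINE_HTML = (
    '<html><body><script src="/static/checkout.js" '
    'integrity="sha384-CONSTRUCTED_PLACEHOLDER_HASH_B" crossorigin="anonymous"></script>'
    '<script src="https://pay.example-psp.test/v1/checkout.js" '
    'integrity="sha384-CONSTRUCTED_PLACEHOLDER_HASH_A" crossorigin="anonymous"></script>'
    '</body></html>'
)
# Constructed modified version: an extra, un-inventoried script appears and
# the CSP header differs from the baseline.
MODIFIED_HTML = BASELINE_HTML.replace(
    "</body>", '<script src="https://cdn.unknown.test/x.js"></script></body>')
MODIFIED_HEADERS = {**BASELINE_HEADERS, "Content-Security-Policy": "default-src *"}


def run_demo():
    """Run both checks against the baseline and the modified page."""
    baseline = fingerprint(BASELINE_HEADERS, BASELINE_HTML)
    return {
        "baseline_findings": check_scripts(BASELINE_HTML),
        "modified_findings": check_scripts(MODIFIED_HTML),
        "changed": detect_change(baseline, MODIFIED_HEADERS, MODIFIED_HTML),
        "unchanged": detect_change(baseline, BASELINE_HEADERS, BASELINE_HTML),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Running the script reports no findings for the baseline page, one unauthorised script on the modified page, and a changed fingerprint for the modified page only. The fingerprint deliberately covers the security-relevant headers as well as the body, because a loosened Content-Security-Policy or a dropped Strict-Transport-Security header is exactly the kind of change 11.6.1 is meant to surface.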
Closing Thoughts
Whilst the PCI SSC has removed requirements 6.4.3 and 11.6.1 from SAQ-A, the introduction of the new eligibility criteria makes it clear that the security of merchants’ payment pages remains a priority. Script-based attacks continue to pose a significant threat, and organisations that have already implemented the removed requirements will not only be well-positioned to meet the new criteria but will also strengthen their overall security posture against these risks. If, however, you had not yet implemented the new requirements, this update to SAQ-A enables you to find a means of protecting your site against these attacks that is effective and appropriate for your organisation’s specific needs. At the same time though, you must be certain when you complete SAQ-A that you have met this new criterion sufficiently, or your PCI DSS compliance could be invalid.
How URM can Help
Consultancy
As a PCI Qualified Security Assessor Company (QSAC), URM is the ideal partner to help guide your organisation through its PCI DSS transition journey, or to certify against the Standard for the first time. Our team of consultants offers a range of services to help you prepare for your PCI DSS assessment, such as conducting a gap analysis of your current cardholder processing practices against the requirements of the Standard. We can also provide PCI DSS scope reduction services, whereby we suggest a range of appropriate segmentation options for you to consider following a thorough review of your data flows and payment channels. Following the gap analysis and having identified the most applicable assessment scope, URM's experts can support your completion of the PCI DSS implementation and remediation activities necessary for you to achieve compliance.
Assessment and auditing
As well as helping you prepare for a successful assessment, our QSAs can facilitate the assessment itself, offering a range of PCI DSS audit services. These include a pre-audit readiness assessment, a QSA-led PCI Report on Compliance (RoC), QSA-supported SAQs, and advice on SAQs you are completing yourself. Once you are certified, we can conduct regular penetration testing and vulnerability scanning in line with the Standard's requirements to assess your network infrastructure and applications.