Decoding the Upcoming Changes to PCI DSS Self-Assessment Questionnaire A (SAQ A) V4.0.1
The Payment Card Industry Data Security Standard (PCI DSS) is a critical set of security requirements for any organization that handles cardholder data. For smaller merchants who process card payments online and don't store sensitive data, the Self-Assessment Questionnaire A (SAQ A) has traditionally been a simplified path to compliance. However, recent updates to the PCI DSS, particularly impacting SAQ A, are changing the landscape. This blog post dives deep into these changes, explaining what they mean for merchants and outlining the steps needed to maintain compliance.
Understanding the Basics: What is the SAQ A?
Before we dive into the changes, let's recap what the SAQ A is. It's a document that serves as a self-validation tool designed for merchants who process card payments through a third-party service provider (TPSP) and do not store, process, or transmit any cardholder data within their own systems. This typically applies to e-commerce merchants that redirect customers to a secure payment page hosted by their TPSP. Because these merchants have limited interaction with sensitive data, their validation requirements are less stringent than those who handle card data directly.
Key Changes to SAQ A: What You Need to Know
The PCI Security Standards Council (PCI SSC) has recently announced significant updates to SAQ A, set to take effect on March 31, 2025. These changes aim to simplify compliance requirements for merchants handling cardholder data through e-commerce channels.
Key updates include:
- Removal of Specific Requirements: The following requirements, previously part of PCI DSS v4.0.1, will no longer apply to SAQ A.
  - Requirement 6.4.3: Security of payment pages.
  - Requirement 11.6.1: Targeted risk analysis to support Requirement 11.6.
  - Requirement 12.3.1: Targeted risk analysis to support Requirement 11.6.
- Introduction of Eligibility Criteria: A new eligibility criterion has been added, specifying that merchants must confirm they meet certain conditions to qualify for this self-assessment.
While these specific requirements are removed from SAQ A, the underlying security principles of the PCI DSS remain unchanged. Merchants should continue to adhere to all applicable PCI DSS requirements to ensure the protection of cardholder data.
Navigating the Changes to PCI DSS
For detailed information and guidance on these updates, merchants are encouraged to consult the revised SAQ A documents and to engage with their Merchant Services Providers (MSPs) and acquirers. PCI DSS compliance validation requirements are determined by your MSP and acquirers, who can provide specific guidance tailored to individual circumstances.
With this modification to PCI DSS, some e-commerce merchants may no longer qualify for the simplified SAQ A. Merchants utilizing SAQ A typically outsource their payment processing either by redirecting customers to a TPSP-hosted page or by embedding a TPSP payment form within an iframe. It is crucial for these merchants to ensure their website redirection or iframe embedding is secure, as it plays the key role in protecting cardholder data during transactions. Therefore, if these redirection methods are used and are vulnerable, the merchant may now be required to complete SAQ A-EP, which includes Requirements 6.4.3 and 11.6.1.
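As an added illustration (not code from TouchNet or the PCI SSC), the check below shows the kind of control Requirements 6.4.3 and 11.6.1 describe for a merchant checkout page that embeds a TPSP iframe: keep an authorized inventory of the scripts the page loads, require an integrity attribute on each, confirm the iframe is loaded over HTTPS, and fingerprint the page as served so unauthorized changes can be detected. The sample page, the hostnames, and the authorized inventory are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample checkout page: one authorized TPSP script with SRI,
# one unlisted analytics script without SRI, and an iframe over plain HTTP.
SAMPLE_PAGE = """<html><body>
<script src="https://pay.example-tpsp.test/checkout.js"
        integrity="sha384-PLACEHOLDER-DIGEST" crossorigin="anonymous"></script>
<script src="https://cdn.example-analytics.test/track.js"></script>
<iframe src="http://pay.example-tpsp.test/form"></iframe>
</body></html>"""

# Authorized script inventory with written justification (hypothetical entries).
AUTHORIZED = {"https://pay.example-tpsp.test/checkout.js": "TPSP hosted payment form"}


class _Collector(HTMLParser):
    """Collect script and iframe sources from the page as received by the browser."""
    def __init__(self):
        super().__init__()
        self.scripts, self.iframes = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])


def audit_payment_page(html, authorized=AUTHORIZED):
    """Return a list of findings; an empty list means the page passes the check."""
    collector = _Collector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        if src not in authorized:
            findings.append(f"script not in authorized inventory: {src}")
        if not integrity:
            findings.append(f"script without integrity attribute: {src}")
    for src in collector.iframes:
        if not src.startswith("https://"):
            findings.append(f"payment iframe not loaded over HTTPS: {src}")
    return findings


def page_fingerprint(html):
    """SHA-256 of the page content; store it as the baseline for change detection."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def has_changed(html, baseline_fingerprint):
    """True when the page as served differs from the stored baseline."""
    return page_fingerprint(html) != baseline_fingerprint
```

Running the audit periodically against the page as fetched from the merchant site, and comparing the fingerprint to a stored baseline, gives a record of what scripts were present and when the page changed.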
Institutions should assess their current security posture by conducting a thorough assessment of their website’s security to identify any gaps in current practices, while also examining vulnerability scans and penetration testing. Based on their assessment, implementation of security controls to address any identified vulnerabilities may be necessary. Also, this is a good time to review and update institutional security policies and procedures to reflect the new SAQ A requirements, and ensure all personnel involved in managing the website and payment activities receive adequate security awareness training.
Managing the complexities of PCI DSS compliance can be challenging, especially with the recent changes to SAQ A. Merchants should consider seeking guidance from qualified security assessors (QSAs), acquirers, merchant services providers, vendors or other cybersecurity professionals. These experts can help you understand the requirements, assess your security posture, and implement the necessary controls to achieve and maintain compliance. They can also provide valuable insights into best practices for website security and help you stay ahead of emerging threats.
Looking Ahead: The Future of PCI DSS and SAQ A
The updates to SAQ A represent a significant shift in how higher education institutions approach PCI DSS compliance, especially concerning outsourced payment processing. Looking ahead, the PCI DSS is likely to continue to transform as the threat landscape evolves. By embracing a proactive approach to security and working closely with their merchant service providers, institutions can enhance the security of their payment systems, protect sensitive financial information, and maintain compliance with industry standards.
The updated SAQ A, while requiring more effort, ultimately strengthens the security of the entire payment ecosystem, benefiting both merchants and consumers. Staying informed about these developments and implementing necessary changes will be crucial for higher education institutions to continue providing secure and efficient payment services to their campus communities.
To gain additional insights, you can review the Important Updates Announced for Merchants Validating to Self-Assessment Questionnaire A.
How TouchNet supports PCI Compliance in Higher Education
TouchNet is a trusted leader in PCI compliance for higher education, providing institutions with the technology and expertise needed to navigate evolving security standards with confidence. Our solutions are designed to simplify compliance by reducing PCI scope, securing transactions, and ensuring data protection across campuswide payment ecosystems. With built-in security features, expert guidance, and a commitment to staying ahead of regulatory changes—including the latest PCI DSS updates impacting SAQ A—TouchNet helps colleges and universities maintain compliance while delivering seamless and secure payment experiences. Learn more about TouchNet PCI Services.