We are a Data Security Platform (DSP) that allows organizations to discover, classify, and protect their most sensitive data and documents.
© 2025 DataStealth Inc. All Rights Reserved.
Sign up to Access
January 30, 2025
|
5
MIN Read
SAQ A Merchants Now Exempt from Requirements 6.4.3 and 11.6.1 Under Certain Conditions
The PCI Security Standards Council (PCI SSC) has introduced a major change for merchants completing Self-Assessment Questionnaire (SAQ) A.
Under specific conditions, SAQ-A merchants may now be exempt from meeting PCI DSS requirements 6.4.3 and 11.6.1.
Here's what this means and why it matters.
In the lead-up to this announcement, there were rumors that the PCI SSC might delay the enforcement deadline for requirements 6.4.3 and 11.6.1, originally set for March 31st, 2025.
However, rather than announcing an extended deadline, the Council has instead introduced an exemption for SAQ A merchants—provided certain conditions are met.
SAQ A merchants are not subject to requirements 6.4.3 and 11.6.1 if the “merchant has confirmed that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).”
You can find additional details in the PCI’s blog post here.
Update: On February 28th, 2025, the PCI SSC released FAQ 1588 clarifying how SAQ A merchants using embedded payment forms or iframes from their TPSPs could prove their payment pages are “not susceptible” to script-based attacks. In FAQ 1588, the PCI SSC states that to prove this requirement, the merchant would essentially need to implement the controls in requirements 6.4.3 and 11.6.1 or get a confirmation from their TPSP/payment processor.
Learn more about this change in our latest blog here.
What’s Changing?
The exemption applies to two key requirements:
- Requirement 6.4.3: Ensures that scripts on payment pages are inventoried, authorized, justified, and monitored to prevent malicious tampering.
- Requirement 11.6.1: Requires real-time monitoring of unauthorized changes to script contents or security-impacting headers to protect against attacks like web skimming.
Previously, all merchants—regardless of their SAQ type—were expected to comply with these requirements. Moving forward, SAQ A merchants are no longer subject to these requirements.
Why the Exemption?
SAQ A merchants outsource all payment processing and cardholder data (CHD) management to TPSPs, meaning they don’t directly handle sensitive card data themselves. As a result, the compliance burden shifts to the TPSP.
To clarify: requirements 6.4.3 and 11.6.1 are not being removed from PCI DSS—they simply won’t apply to SAQ A merchants under these new conditions.
What Does This Mean For Merchants?
This change could significantly benefit e-commerce businesses that rely entirely on TPSPs for payment processing and CHD management. It would result in a reduced compliance burden as eligible merchants can avoid implementing complex script management and monitoring controls themselves, saving time and resources.
Additionally, larger merchants may explore whether they can leverage similar exemptions by reducing their PCI DSS scope through TPSPs.
About the Author:
Thomas Borrel
Thomas Borrel is an experienced leader in financial services and technology. As Chief Product Officer at Polymath, he led the development of a blockchain-based RWA tokenization platform, and previously drove network management and analytics at Extreme Networks and strategic partnerships at BlueCat. His expertise includes product management, risk and compliance, and security.
