January 30, 2025
|
5
MIN Read

SAQ A Merchants Now Exempt from Requirements 6.4.3 and 11.6.1 Under Certain Conditions

By
Thomas Borrel

The PCI Security Standards Council (PCI SSC) has introduced a major change for merchants completing Self-Assessment Questionnaire (SAQ) A.

Under specific conditions, SAQ-A merchants may now be exempt from meeting PCI DSS requirements 6.4.3 and 11.6.1. 

Here's what this means and why it matters.

In the lead-up to this announcement, there were rumors that the PCI SSC might delay the enforcement deadline for requirements 6.4.3 and 11.6.1, originally set for March 31st, 2025. 

However, rather than announcing an extended deadline, the Council has instead introduced an exemption for SAQ A merchants—provided certain conditions are met.

SAQ A merchants are not subject to requirements 6.4.3 and 11.6.1 if the “merchant has confirmed that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).”

You can find additional details in the PCI’s blog post here.

Update: On February 28th, 2025, the PCI SSC released FAQ 1588 clarifying how SAQ A merchants using embedded payment forms or iframes from their TPSPs could prove their payment pages are “not susceptible” to script-based attacks. In FAQ 1588, the PCI SSC states that to prove this requirement, the merchant would essentially need to implement the controls in requirements 6.4.3 and 11.6.1 or get a confirmation from their TPSP/payment processor. 

Learn more about this change in our latest blog here. 

What’s Changing?

The exemption applies to two key requirements:

  • Requirement 6.4.3: Ensures that scripts on payment pages are inventoried, authorized, justified, and monitored to prevent malicious tampering.
  • Requirement 11.6.1: Requires real-time monitoring of unauthorized changes to script contents or security-impacting headers to protect against attacks like web skimming.

Previously, all merchants—regardless of their SAQ type—were expected to comply with these requirements. Moving forward, SAQ A merchants are no longer subject to these requirements.

Why the Exemption?

SAQ A merchants outsource all payment processing and cardholder data (CHD) management to TPSPs, meaning they don’t directly handle sensitive card data themselves. As a result, the compliance burden shifts to the TPSP.

To clarify: requirements 6.4.3 and 11.6.1 are not being removed from PCI DSS—they simply won’t apply to SAQ A merchants under these new conditions.

What Does This Mean For Merchants?

This change could significantly benefit e-commerce businesses that rely entirely on TPSPs for payment processing and CHD management. It would result in a reduced compliance burden as eligible merchants can avoid implementing complex script management and monitoring controls themselves, saving time and resources.

Additionally, larger merchants may explore whether they can leverage similar exemptions by reducing their PCI DSS scope through TPSPs.

About the Author:
Thomas Borrel Portrait.
Thomas Borrel
Chief Product Officer
LinkedIn Icon.
Thomas Borrel is an experienced leader in financial services and technology. As Chief Product Officer at Polymath, he led the development of a blockchain-based RWA tokenization platform, and previously drove network management and analytics at Extreme Networks and strategic partnerships at BlueCat. His expertise includes product management, risk and compliance, and security.
Most Recent Blog Articles:
View All -->
Company
HomeISP Services
Project RescueAbout UsContact
Site Map
HomeAboutSupportBlogQSA Partner Program
Solutions
Data Discovery and Classification
Dynamic Data Masking
Data TokenizationTest Data Management
PCI Audit Scope Reduction
PCI eSkimming Protection
Compliance to Requirements
6.4.3 and 11.6.1
Contact
info@datastealth.io
+1 (855) 553-2839
DataStealth Inc.
5995 Avebury Rd
Suite 600
Mississauga ON L5R 3P9
Follow us
InstagramTwitterLinkedinFacebook

©  2025  DataStealth Inc. All Rights Reserved.

Privacy Policy