If you thought PCI DSS 4.0.1 was just a minor tweak to the old requirements, think again. 2025 is here, and it’s clear that many SAQ A-EP merchants are still missing critical steps needed to stay compliant. In fact, we noticed that over 90% of SAQ A-EP merchants aren’t aware that they need to implement new technical measures to address Requirements 6.4.3 and 11.6.1.
As of December 2024, many SAQ A-EP merchants still mistakenly assume that filling out their self-assessment questionnaire is enough to satisfy the new PCI DSS 4 requirements. In reality, the updated stipulations, especially those in Requirements 6.4.3 and 11.6.1, call for specific technical controls: a comprehensive script inventory, continuous monitoring, and automated alerts that detect unauthorized changes. A check-the-box approach may feel sufficient, but failing to adopt these measures leaves merchants exposed to both security risk and potential non-compliance fines.
Let’s cut straight to the chase: here are the top five mistakes you should avoid if you don’t want to fall out of compliance this year.
Mistake Number 1 – Believing Scripts on the Payment Page Are “Out of Scope” Because They Use a TPSP iFrame
Many merchants assume that because the payment form is handled by a third party and/or via TPSP iFrame, the scripts running on their own web pages aren’t part of the compliance scope. Big mistake. Requirement 6.4.3 explicitly states that scripts on payment pages must be inventoried, monitored, and controlled.
Why This Is a Problem
- Visibility: Merchants are not responsible for scripts loaded inside the TPSP’s iFrame, but they remain responsible for every other script loaded on the payment page.
- Security Gaps: A malicious script could compromise cardholder data as soon as a customer clicks “Pay.”
Pro Tip: Set up a formal, ongoing, automated process for inventorying and auditing every script on the payment page other than those loaded inside the TPSP’s iFrame, whether the script is your own or sourced from a third party.
Mistake Number 2 – Ignoring Requirement 6.4.3 Entirely
Even those merchants who do know there’s a 6.4.3 requirement sometimes shrug it off, thinking it’s a “nice-to-have.” In reality, 6.4.3 is mandatory for PCI DSS 4.0.1 compliance—and it’s not a small requirement. It calls for a robust inventory of all JavaScript (or other scripts) and a system for monitoring unexpected changes or suspicious behavior.
Why This Is a Problem
- Failure to Document: Your QSA will be looking for proof of your script inventory and monitoring program.
- High Risk of Data Breach: Unmonitored scripts are a treasure trove for hackers.
Pro Tip: Keep a centralized repository (or use an automated discovery and monitoring toolset) that tracks each script’s name, version, source, and every change made to it.
Mistake Number 3 – Ignoring Requirement 11.6.1 for SAQ A-EP Compliance
Requirement 11.6.1 takes script inventory to the next level—real-time monitoring. It’s not enough just to know which scripts you have; you also need to detect when they’ve been tampered with or start acting out of the ordinary.
Why This Is a Problem
- Delayed Detection: If you only check scripts once a week, a hacker can exfiltrate sensitive data long before you catch on.
- No Alerts: Failing to set up real-time alerts means you’re essentially flying blind.
Pro Tip: Implement a monitoring solution that flags unusual script behaviors (like unexpected changes to content or data transfers) as soon as they happen, and integrate it with your SIEM tool for centralized incident management.
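As an added illustration of the inventory-and-monitoring control described in Mistakes 1 through 3 (not code from the original article or from any vendor), the following Python check parses the merchant’s own payment page, lists every script outside the TPSP iFrame, and compares each one against an authorized baseline: a script that is not in the inventory is flagged as unauthorized (6.4.3), and a script whose content no longer hashes to what was reviewed is flagged as changed (11.6.1). The page, the fetched script bodies and the baseline are constructed sample data; a real monitor would retrieve the page and the external scripts over HTTP on a schedule.

```python
import hashlib
from html.parser import HTMLParser
def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()
class ScriptCollector(HTMLParser):
    # Every <script> on the merchant's own page: external ones keyed by src, inline ones by
    # order. The TPSP iframe is a separate document, so its scripts never show up here.
    def __init__(self):
        super().__init__()
        self.scripts, self._buf = [], None   # (key, body) pairs; body is None for external
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src: self.scripts.append((src, None))
            else: self._buf = []             # start collecting an inline body
    def handle_data(self, data):
        if self._buf is not None: self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            if body := "".join(self._buf).strip():
                n = 1 + sum(k.startswith("inline#") for k, _ in self.scripts)
                self.scripts.append((f"inline#{n}", body))
            self._buf = None
def audit_payment_page(html, fetched, baseline):
    # 6.4.3: each script must be in the authorized inventory. 11.6.1: its content must still
    # hash to what was reviewed. `fetched` maps an external src to the body the monitor pulled.
    collector = ScriptCollector()
    collector.feed(html)
    seen, findings = set(), []
    for key, body in collector.scripts:
        body = fetched.get(key, "") if body is None else body
        seen.add(key)
        entry = baseline.get(key)
        if entry is None:
            findings.append(("unauthorized", key))
        elif entry["sha256"] != sha256(body):
            findings.append(("changed", key))
    findings += [("missing", key) for key in baseline if key not in seen]
    return findings

# Constructed sample page, fetched bodies and approved inventory (not real merchant data).
PAGE_HTML = """<html><body><script src="https://cdn.merchant.example/checkout.js"></script>
<script>window.checkoutConfig = {currency: "USD"};</script>
<script src="https://stats.unknown.example/t.js"></script><iframe src="https://psp.example/pay"></iframe></body></html>"""
FETCHED = {"https://cdn.merchant.example/checkout.js": "/* v2.1 */ function pay(){}",
           "https://stats.unknown.example/t.js": "/* never reviewed */"}
REVIEWED = {"https://cdn.merchant.example/checkout.js": "/* v2.0 */ function pay(){}",
            "inline#1": 'window.checkoutConfig = {currency: "USD"};'}
BASELINE = {k: {"sha256": sha256(v), "approved_by": "appsec"} for k, v in REVIEWED.items()}
```

Running `audit_payment_page(PAGE_HTML, FETCHED, BASELINE)` reports checkout.js as changed (its content drifted from the reviewed version) and t.js as unauthorized; feeding those findings to your SIEM with a timestamp, together with the approved_by field kept in the baseline, is the evidence trail the QSA will ask for.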
Mistake Number 4 – Relying on an Annual Scan Instead of Continuous Oversight
SAQ A-EP is a critical focus of the Payment Card Industry Data Security Standard (PCI DSS) version 4, which introduces significant changes that affect merchants. Designed specifically for e-commerce merchants who partially outsource their payment processing, SAQ A-EP addresses websites that impact transaction security. This article will clarify these SAQ A-EP changes and outline the top 5 actions merchants must take before March 31, 2025, to maintain compliance.
Why This Is a Problem
- Compliance Gaps: When your QSA comes looking for evidence, “We did a scan last year” is no longer sufficient.
- Real-World Threats: Cyberattacks happen every day; you need continuous oversight to stay ahead of them.
Pro Tip: Make ongoing scans and monitoring a routine part of your security practice. Automated daily or weekly scans can identify vulnerabilities before they spiral out of control.
Mistake Number 5 – Failing to Document the Audit Trail
You could be implementing all the technical measures in the world, but if you’re not documenting them properly, you’ll still fail an audit. PCI DSS 4.0 has stricter documentation requirements, and auditors will want to see proof that you’re doing exactly what you say you’re doing—especially around 6.4.3 and 11.6.1.
Why This Is a Problem
- No Evidence: Your QSA might ask, “Where’s the record of scripts over the last 90 days?” If you can’t produce it, you have nothing to show.
- Accountability: Without logs and reports, you can’t pinpoint who did what and when if a breach occurs.
Pro Tip: Maintain a centralized log of every script, who authorized it, and the reason behind it. Store these records long enough to satisfy your audit retention requirements—often at least a year, if not more.
Securing Your SAQ A-EP Compliance for 2025
The shift to PCI DSS 4.0 is not just a minor update. Requirements 6.4.3 and 11.6.1 are game-changers for SAQ A-EP merchants, demanding far more visibility and real-time monitoring than previous versions. If you’re guilty of any of the five mistakes above, it’s time for a course correction—pronto.
- Get an accurate inventory of every script in your environment.
- Implement real-time monitoring to ensure scripts behave as expected.
- Document everything so that when the QSA asks for proof, you can demonstrate that you’ve done everything required.
By tackling these mistakes head-on, you’ll not only protect your customers’ data but also save yourself a massive headache (and potential fines) in the long run. Now’s the time to double-check your SAQ A-EP processes and shore up your protection.