PCI DSS (Payment Card Industry Data Security Standard) version 4.0 introduces changes that affect merchants completing Self-Assessment Questionnaire A-EP (SAQ A-EP). SAQ A-EP is designed for e-commerce merchants who partially outsource their payment processing but whose website elements still affect the security of the transaction. This article explains what changed for these merchants and outlines the top 5 actions SAQ A-EP merchants should take before March 31, 2025.
Understanding SAQ A-EP and PCI DSS 4.0
SAQ A-EP applies to e-commerce merchants who do not directly receive account data but who control how customers are redirected to a third-party service provider (TPSP) such as a payment processor, or who include a TPSP's embedded payment page on their website. These merchants do not electronically store, process, or transmit cardholder data on their own systems; however, their websites affect how account data is transmitted. PCI DSS 4.0 introduces new requirements, particularly concerning payment page scripts and the detection of unauthorized changes, that apply to SAQ A-EP merchants.
Key Changes in PCI DSS 4.0 for SAQ A-EP Merchants
- Focus on Payment Page Security: PCI DSS 4.0 emphasizes the security of payment pages, particularly for merchants whose websites interact with the payment process, even if they do not handle cardholder data directly.
- Requirements 6.4.3 and 11.6.1: These requirements are key for SAQ A-EP merchants.
  - Requirement 6.4.3 mandates managing all payment page scripts to ensure authorization and integrity. It requires a method to confirm that each script is authorized and a method to assure the integrity of each script. It also requires that an inventory of all scripts is maintained with a written business or technical justification for each script. This applies to all scripts loaded from the entity's environment, as well as those loaded from third and fourth parties.
  - Requirement 11.6.1 requires that unauthorized changes on payment pages are detected and responded to. This includes implementing mechanisms that detect and report on changes to the headers and content of the payment page, such as violations of the Content Security Policy (CSP).
Top 5 Things SAQ A-EP Merchants Must Do Before March 31, 2025
1. Implement Comprehensive Script Management:
   - Inventory all scripts on your payment pages, including those loaded from your environment and third parties.
   - Document the business or technical justification for each script.
   - Establish a method to authorize all scripts, ensuring that only approved scripts are loaded and executed.
   - Implement a method to assure the integrity of each script, which can help prevent malicious alterations.
2. Deploy Unauthorized Change Detection:
   - Implement mechanisms to detect unauthorized changes to the headers and content of the payment page.
   - Consider using Content Security Policy (CSP) violations to detect such changes.
   - Ensure there is a process for responding to detected unauthorized changes.
3. Maintain Thorough Documentation and Policies:
   - Document all security policies and operational procedures related to payment page scripts and unauthorized change detection.
   - Ensure that all policies and procedures are kept up to date, in use, and known to all affected parties.
   - Keep a detailed inventory of all scripts with their business or technical justification.
   - Maintain records of script authorizations and responses to any detected unauthorized changes.
4. Confirm and Monitor TPSP Compliance:
   - Verify that your TPSP is PCI DSS compliant for all services used.
   - Maintain a list of all third-party service providers and the services they provide.
   - Ensure that you have written agreements with TPSPs that outline their responsibility for cardholder data security.
5. Review and Maintain SAQ Eligibility:
   - Ensure you still meet the eligibility criteria for SAQ A-EP. If your setup has changed, you may need to use SAQ D.
   - Be aware of the difference between SAQ A and SAQ A-EP. SAQ A-EP applies to merchants who have a website that affects the security of the payment transaction, whereas SAQ A applies to merchants who have fully outsourced all payment processing.
Understanding the Timeline
These requirements are considered a best practice until March 31, 2025, after which they become mandatory. Full compliance with these requirements is necessary by that date to avoid potential penalties.
Why These Changes Matter
These changes are essential because they address vulnerabilities that can lead to e-commerce skimming attacks. By implementing these measures, SAQ A-EP merchants can protect their customers’ data and maintain secure payment processes.
Conclusion
The transition to PCI DSS 4.0 requires SAQ A-EP merchants to enhance the security of their payment environments. By understanding the new requirements and implementing the top 5 actions listed above, merchants can ensure compliance, protect their customers, and maintain a secure payment system. Begin implementing these changes now to meet the compliance deadline of March 31, 2025.