What SAQ A Merchants Need to Know About Updated Requirements 6.4.3 and 11.6.1

February 3, 2025

Are you an SAQ A merchant figuring out if or how the PCI DSS 4 update applies to you?

Let’s break it down in simple terms before you talk to your QSA and ISA:

Do These Changes Affect You?

If your website simply redirects customers to your payment processor’s page (like PayPal or Stripe) and you don’t modify anything about how that payment page works, you’re still good to go with SAQ A – nothing major has changed for you.

When You Don’t Need to Comply with Requirements 6.4.3 and 11.6.1:

You can stick with your current SAQ A approach without additional requirements if:

  • Your website simply has a standard “Pay Now” button that sends (redirects) customers to your payment processor’s page
  • You don’t customize or modify how the payment page works
  • You don’t embed payment forms in your website

However, if you use any of these on your website:

  • An embedded payment form (iframe)
  • Custom code embedded in the payment page
  • Any modifications to how the payment page appears

Then yes, you may need to comply with the new requirements 6.4.3 and 11.6.1.

Schedule a Demo

You will see how to easily automate PCI DSS 4.0.1 compliance for Requirements 6.4.3 and 11.6.1 in minutes.


  • Autonomously and continuously maintain inventory of scripts, assure integrity, and confirm scripts are authorized.
  • Automatically detect and prevent unexpected script activities.
  • Get alerted of unauthorized scripts and unexpected script activities.
  • Easily provide reports to your teams and QSA.
  • Keep your company protected.
What’s Changed and What You Need to Do

If You Use Embedded Payment Forms (iframes), then you need to comply with Requirements 6.4.3 and 11.6.1:

  • You must now document how you handle changes to your website that might affect the payment process
  • You need to test these parts of your website regularly to make sure they’re secure
  • Keep records of when you make changes and test things

If You Use Custom Code for Payment Redirects:

  • Create a process for reviewing any changes to how customers get sent to the payment page
  • Test these components regularly to ensure they haven’t been tampered with
  • Document all your changes and testing

Simple Steps to Stay Compliant

  • Make a list of everywhere your website connects with the payment process
  • Create simple documentation for how you handle changes to these areas
  • Set up regular testing of these components (you can work with a qualified security partner for this)
  • Keep records of all changes and tests
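As an added illustration of the inventory and regular-testing steps above (example code written for this page, not from the original post or any vendor product), the Python script below records the authorized script inventory of the page that hosts the payment iframe and flags any script that was added, removed or changed in a later fetch. The PSP hostname and page content are constructed.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    # Collects external script URLs and a SHA-256 of every inline script body.
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []  # start capturing an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip().encode()
            self.inline.append(hashlib.sha256(body).hexdigest())
            self._buf = None

def inventory(html):
    """Script inventory of one page: (set of external URLs, set of inline hashes)."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return set(p.external), set(p.inline)

def check_page(html, baseline):
    """Compare a freshly fetched page with the authorized baseline; list findings."""
    ext, inl = inventory(html)
    base_ext, base_inl = baseline
    return ([f"unauthorized external script: {u}" for u in sorted(ext - base_ext)]
            + [f"authorized script missing: {u}" for u in sorted(base_ext - ext)]
            + [f"unrecognized inline script sha256:{h}" for h in sorted(inl - base_inl)]
            + [f"baseline inline script missing sha256:{h}" for h in sorted(base_inl - inl)])

# Constructed sample page (hypothetical PSP hostname, not a real merchant site).
BASELINE_HTML = ('<html><body><script src="https://psp.example/checkout.js"></script>'
                 '<script>initCheckout({iframe: "#pay"});</script>'
                 '<iframe id="pay" src="https://psp.example/pay"></iframe></body></html>')
# The same page after an unauthorized script tag was added (constructed).
TAMPERED_HTML = BASELINE_HTML.replace(
    "</body>", '<script src="https://cdn.example/stats.js"></script></body>')
```

Run it on a schedule against the live page and keep each run's output with your change records; note that 11.6.1 also covers the page's HTTP headers, which this script content check does not inspect.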

The Bottom Line

The key message is clear: if you do anything custom with how payments work on your website, you need to document and test those components. If you just use standard payment buttons and redirects, you’re still fine with the basic SAQ A requirements.

Not sure which category you fall into? Look at your website and ask: “Do we do anything special with how customers pay?” If the answer is yes, you’ll need to meet these new requirements. If not, you’re already set.

As always, talk to your PCI Qualified Security Assessor (QSA) and Internal Security Assessor (ISA) to clarify exactly what you are required to comply with and how to demonstrate evidence of compliance.

Meet the PCI DSS 4.0.1 March 2025 Deadline. Future-proof and automate your website compliance and security today!

Schedule a Demo