SAQ D Merchants

SAQ D Merchants are those with more complex operations, directly handling cardholder data by storing, processing, or transmitting it on their own systems. This category is for merchants who do not qualify for simpler SAQs due to their extensive involvement with cardholder data.

  • Eligibility Criteria: These merchants typically have in-house payment systems, such as point-of-sale terminals or e-commerce platforms that store data, making them subject to all PCI DSS requirements. They are often larger entities or those with high transaction volumes, though smaller merchants with direct data handling also fall here.
  • Compliance Requirements: SAQ D is the most comprehensive, covering all 12 PCI DSS requirements, including firewall management, encryption, access controls, and regular monitoring. Version 4 updates include enhanced vulnerability management and detailed reporting, requiring descriptions of how compliance is achieved for each requirement.
  • Practical Implications: This category faces the highest compliance burden, necessitating robust security measures and potentially external audits by Qualified Security Assessors (QSAs) for Level 1 merchants, though SAQ D is an option for eligible lower levels.
  • Requirement 6.4.3 Applicability: Requirement 6.4.3 applies to SAQ D Merchants, since they must comply with all PCI DSS requirements. For any payment page they host, it requires managing the page's scripts: confirming each script is authorized, assuring its integrity, and maintaining an inventory of the scripts in use. Because SAQ D covers the full scope, this requirement is part of their compliance, and the SAQ D document for v4.0 (SAQ D for PCI DSS 4.0) includes it with all of its sub-requirements.
  • Requirement 11.6.1 Applicability: Requirement 11.6.1 also applies to SAQ D Merchants, since their scope covers every aspect of cardholder data handling, including payment pages. It requires that a change-detection mechanism be in place for the payment pages they host and that it be evaluated regularly; this, too, is part of their full compliance scope in SAQ D.
  • Practical Implications: SAQ D Merchants face the highest compliance burden, needing robust security measures for all systems, including payment pages. They must implement both requirements 6.4.3 and 11.6.1, reflecting their direct handling of cardholder data.
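Requirements 6.4.3 and 11.6.1, as described above, both come down to knowing which scripts a payment page loads and noticing when that set, or the scripts' contents, changes. The following checker is an added illustration of that control in Python; it is not code from the original page or from any vendor product. The page snapshot, the inventory entries, the hostnames (example-psp.test, example-analytics.test) and the "fetched" script bodies are all constructed for the example; a real deployment would capture the page and its scripts as a browser actually receives them.

```python
"""Illustrative payment-page script inventory and change-detection check.

Added example: compares the scripts present on a payment page (inline and
external) against an authorized inventory, reporting scripts that are not
authorized, whose content hash no longer matches, or that have gone missing.
"""
import hashlib
from html.parser import HTMLParser


def sha256_hex(text: str) -> str:
    """SHA-256 of the script text, used as its integrity fingerprint."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# ---- Constructed data (stand-ins for a real merchant's page and inventory) ----
CHECKOUT_JS = "window.PSP = { tokenize: function (card) { return 'tok_' + card.slice(-4); } };"
TRACK_JS = "document.addEventListener('submit', function () { fetch('/stats'); });"
INLINE_CONFIG = "window.checkoutConfig = { currency: 'USD' };"

# Inventory kept under 6.4.3: every approved script with a justification and the
# hash of the content that was reviewed and approved. Inline scripts are
# identified by their position on the page ("inline[N]").
AUTHORIZED_INVENTORY = {
    "https://js.example-psp.test/checkout.js": {
        "justification": "PSP tokenization library needed to accept card payments",
        "sha256": sha256_hex(CHECKOUT_JS),
    },
    "https://js.example-psp.test/3ds.js": {
        "justification": "3-D Secure challenge handler from the PSP",
        "sha256": "0" * 64,  # placeholder hash; this script is absent from the snapshot below
    },
    "inline[0]": {
        "justification": "Checkout configuration rendered by the merchant's server",
        "sha256": sha256_hex(INLINE_CONFIG),
    },
}

# Constructed snapshot of the payment page as served.
PAYMENT_PAGE_HTML = (
    "<html><head>\n"
    '<script src="https://js.example-psp.test/checkout.js"></script>\n'
    '<script src="https://cdn.example-analytics.test/track.js"></script>\n'
    "<script>" + INLINE_CONFIG + "</script>\n"
    "</head><body><form id=\"card-form\"></form></body></html>\n"
)

# Constructed bodies returned by the external script URLs at check time. The PSP
# library differs from the approved version by one harmless extra statement,
# which is enough for the hash comparison to flag it.
FETCHED_EXTERNAL = {
    "https://js.example-psp.test/checkout.js": CHECKOUT_JS + "\nconsole.log('build 2');",
    "https://cdn.example-analytics.test/track.js": TRACK_JS,  # not in the inventory at all
}


class ScriptCollector(HTMLParser):
    """Collects every <script> element on the page with its src and inline body."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = []  # each entry: {"src": str | None, "body": str}
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def check_payment_page(html: str, fetched_external: dict) -> dict:
    """Compare the page's scripts with the inventory.

    Returns {"unauthorized": [...], "modified": [...], "missing": [...]}, where
    identifiers are external URLs or "inline[N]" for inline scripts.
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = {"unauthorized": [], "modified": [], "missing": []}
    seen = set()
    inline_index = 0
    for script in parser.scripts:
        if script["src"]:
            ident = script["src"]
            body = fetched_external.get(ident)  # None if the URL could not be fetched
        else:
            ident = f"inline[{inline_index}]"
            inline_index += 1
            body = script["body"]
        seen.add(ident)
        entry = AUTHORIZED_INVENTORY.get(ident)
        if entry is None:
            findings["unauthorized"].append(ident)
        elif body is None or sha256_hex(body) != entry["sha256"]:
            findings["modified"].append(ident)
    # Scripts that are approved but no longer loaded also deserve review.
    for ident in AUTHORIZED_INVENTORY:
        if ident not in seen:
            findings["missing"].append(ident)
    return findings


if __name__ == "__main__":
    for kind, idents in check_payment_page(PAYMENT_PAGE_HTML, FETCHED_EXTERNAL).items():
        for ident in idents:
            print(f"{kind.upper():12} {ident}")
```

Run against the constructed snapshot, the checker reports the analytics script as unauthorized, the PSP library as modified, and the 3-D Secure script as missing; the inline configuration passes because its hash still matches the inventory. Running this comparison on a schedule and retaining the findings is the kind of evidence an assessor would expect for 11.6.1, while the inventory with its justifications is the artifact 6.4.3 calls for.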
To illustrate the differences, consider the following table comparing key aspects, including the applicability of requirements 6.4.3 and 11.6.1:

Maintain Full Visibility

Effortlessly automate PCI-DSS 4.0.1 compliance for SAQ D merchants, covering Requirements 6.4.3 and 11.6.1 in just minutes.

  • Continuously monitor all scripts across your entire cardholder data environment (CDE).
  • Ensure script integrity by detecting, blocking, and preventing unauthorized changes.
  • Receive real-time alerts for any unapproved script activities that could pose security risks.
  • Generate detailed compliance reports for internal teams, auditors, and QSAs.
  • Strengthen overall security by preventing malicious scripts from compromising sensitive cardholder data.
Stay secure, stay compliant, and protect your entire payment infrastructure.