PCI DSS v4.0.1: The Changes You Need to Know to Qualify for SAQ A
Executive summary
The Payment Card Industry Security Standards Council (PCI SSC) has introduced important changes to the Self-Assessment Questionnaire A (SAQ A) in response to merchant feedback on the complexity of implementing new ecommerce JavaScript security requirements.
As a part of these changes, merchants validating to SAQ A no longer need to comply with specific Requirements 6.4.3 and 11.6.1 outlined in Payment Card Industry Data Security Standard (PCI DSS) v4.0.1.
To qualify for SAQ A, merchants must now confirm that their entire website is secure from script-based attacks, extending beyond just payment pages.
These updates are particularly relevant for merchants and businesses that handle online payments.
In this blog post, we break down what these changes mean and how Akamai’s solutions can help your business remain compliant and secure.
Updates to PCI DSS compliance obligations
With less than two months before the March 31, 2025, PCI DSS v4.0.1 deadline, the PCI Security Standards Council introduced significant updates for merchants validating to SAQ A.
These changes — particularly the removal of Requirements 6.4.3 and 11.6.1 — have sparked questions about their impact on payment page security and overall PCI DSS compliance obligations. Although this January 2025 update may seem to simplify compliance, it introduces new eligibility criteria that require merchants to ensure their entire website — not just their payment pages — is secure from script-based threats.
So, what does it mean for your business? Let’s summarize the changes.
What’s changed in PCI DSS v4.0.1 SAQ A?
The removal of PCI DSS Requirements 6.4.3 and 11.6.1: Merchants validating to SAQ A no longer need to comply with these specific requirements related to payment page security. Additionally, the requirement for a Targeted Risk Analysis (12.3.1) has been removed for 11.6.1.
The addition of new eligibility criteria: To qualify for SAQ A, merchants must confirm that their entire website is secure against attacks from malicious scripts. In other words, the scope of SAQ A eligibility now extends beyond payment pages to include the entire site.
How do these changes impact information security for your business?
If your business is eligible for SAQ A regarding PCI DSS compliance, you are exempt from the now-removed 6.4.3 and 11.6.1 requirements — but only if your site can prove it’s secure against script-based threats. This shifts the focus to more holistic site security awareness by requiring protection beyond just payment pages.
Merchants who do not meet the new SAQ A criteria must use SAQ A-EP or SAQ D, for which the original requirements are still mandatory. Payment service providers (PSPs) must also still comply with requirements 6.4.3 and 11.6.1 as outlined in PCI DSS v4.0.1.
Protecting your site against script-based attacks
If you are an SAQ A eligible merchant, you might be wondering what you must do to ensure your entire site is protected against script-based attacks to stay compliant. Securing against malicious JavaScript requires comprehensive monitoring and analysis of script execution behavior in the browser. You must know what scripts are executing on your site, understand what they are doing, and have the ability to block any suspicious or anomalous activity, such as unauthorized access to credit card data.
Although do-it-yourself controls such as Content Security Policy (CSP) and Subresource Integrity (SRI) exist and can help secure your site, they can be complex and resource-intensive for businesses to manage.
New threats, new standards: How Akamai can help your business security objectives
No matter which merchant eligibility criteria your business falls under, Akamai Client-Side Protection & Compliance can help your business meet PCI DSS v4.0.1 requirements and secure your website against JavaScript threats. The solution is designed to analyze JavaScript execution behavior in real time to detect and block malicious script activity. It provides your business with a complete view of all scripts on your site, including granular insights into their behaviors, vulnerabilities, reach, and impact, as well as the data they access and the threats they pose.
For PSPs, SAQ A-EP, or SAQ D merchants, Client-Side Protection & Compliance provides dedicated PCI capabilities to meet Requirements 6.4.3 and 11.6.1 and protect your cardholder data environment. Akamai’s solution streamlines compliance workflows and provides dedicated tools for inventorying, justifying, and alerting on suspicious script activity, including changes to payment pages. The solution achieved external QSA validation for meeting JavaScript security Requirements 6.4.3 and 11.6.1 in October 2023.
The PCI DSS v4.0.1 compliance flexibility does not mean reduced security risk
While these changes offer more flexibility in compliance, they do not reduce the risk of becoming the next target of data breaches, malware, and phishing attacks. Web skimming, formjacking, Magecart, and other script-based attacks continue to plague ecommerce businesses, leading to significant revenue loss, damaged brand reputation, and diminished customer trust. Remember, security isn’t just about checking the box — it’s about ensuring your data is safe and protected in today’s ever-evolving threat landscape.
Visit our website to learn more about how Akamai Client-Side Protection & Compliance can help secure your ecommerce business against JavaScript threats and meet PCI DSS v4.0.1 requirements.