The PCI Security Standards Council (PCI SSC) has [announced an update](https://blog.pcisecuritystandards.org/important-updates-announced-for-merchants-validating-to-self-assessment-questionnaire-a) to Self-Assessment Questionnaire (SAQ) A, the questionnaire for merchants that process online payments entirely through certified third-party service providers, such as Payment Service Providers (PSPs). The update aims to simplify PCI DSS compliance by easing the requirements related to monitoring the payment page (or the page that redirects to the payment page).

The key change is the removal of Requirements 6.4.3 and 11.6.1, which were introduced in response to attacks targeting e-commerce websites, notably the Magecart attacks:

  1. Requirement 6.4.3 required merchants to inventory and monitor the integrity of the scripts executed in the customer's browser, ensuring these scripts were legitimate and unaltered.
  2. Requirement 11.6.1 required merchants to implement mechanisms for detecting unauthorized changes to the payment page or redirect page, which may reveal a cyberattack on the website.

These requirements were introduced to mitigate the risk of Magecart attacks, which inject malicious scripts into e-commerce websites to steal customers’ credit card information during the payment process. Instead, merchants are now expected to self-assess their exposure to Magecart risks and implement appropriate security measures: SAQ A gains an eligibility criterion requiring merchants to “confirm their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).”

This update comes just weeks before the original deadline for compliance with these two requirements, which was set for March 31, 2025. This suggests that stakeholders encountered difficulties complying with them, prompting the revision.

Nevertheless, this update does not imply that security measures are now “optional.” The controls outlined in Requirements 6.4.3 and 11.6.1 remain relevant and, in most cases, mandatory for mitigating Magecart attack risks. While these requirements have been removed, the underlying security measures they addressed are still necessary.

Alternative security controls that can be implemented to protect payment pages and mitigate the associated risks include:

  1. Monitoring website pages and scripts with File Integrity Monitoring (FIM) solutions such as Wazuh or OSSEC to detect unauthorized modifications.
  2. Reducing reliance on external resources, particularly JavaScript files, which are often targeted in Magecart attacks.
  3. Hosting resources (e.g., JavaScript, CSS, images) locally to limit dependencies on third-party hosting services that may be compromised.

These measures are not exhaustive or exclusive, and other security strategies may also be appropriate.
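As an added illustration (not part of the PCI SSC announcement, and not code from Wazuh or OSSEC), the following Python script shows the core of controls 1 to 3 in code: it inventories the scripts on a payment page, hashes inline script bodies, flags external scripts served without Subresource Integrity, and diffs a later snapshot against the approved baseline. The two HTML pages, the script paths and the `cdn.example.invalid` host are constructed sample data.

```python
import hashlib
from html.parser import HTMLParser

class ScriptInventory(HTMLParser):
    """Collect every <script>: external ones by src and SRI hash, inline ones by SHA-256 of the body."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._inline = None  # body chunks of the inline <script> currently open, else None
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):  # external script: record where it comes from and whether SRI pins it
            self.scripts.append(("external", a["src"], a.get("integrity") or "no-sri"))
        else:
            self._inline = []
    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip().encode()
            self.scripts.append(("inline", hashlib.sha256(body).hexdigest(), "-"))
            self._inline = None

def inventory(html):
    """Return the set of (kind, src-or-hash, sri) entries for one page snapshot."""
    p = ScriptInventory()
    p.feed(html)
    p.close()
    return set(p.scripts)

def detect_changes(baseline_html, current_html):
    """Diff a fetched payment page against the approved baseline: anything added, removed or unpinned."""
    base, cur = inventory(baseline_html), inventory(current_html)
    return {"added": sorted(cur - base), "removed": sorted(base - cur),
            "missing_sri": sorted(s for k, s, sri in cur if k == "external" and sri == "no-sri")}

# Constructed sample pages (not from any real merchant): the approved baseline, and a later
# snapshot where the inline handler was altered and an unapproved external script appeared.
CHECKOUT = '<script src="/static/checkout.js" integrity="sha384-PLACEHOLDER"></script>\n'
BASELINE = CHECKOUT + "<script>document.getElementById('pay').onclick = submitCard;</script>"
TAMPERED = (CHECKOUT + "<script>document.getElementById('pay').onclick = submitCard; log('pay');</script>\n"
            '<script src="https://cdn.example.invalid/analytics.js"></script>')

if __name__ == "__main__":
    for key, items in detect_changes(BASELINE, TAMPERED).items():
        print(key, items)
```

In practice the baseline is the inventory recorded at the last approved release of the page, and the comparison runs on a schedule against the live page, with any non-empty result raising an alert.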

It is strongly recommended that merchants review the security measures they have implemented with a Qualified Security Assessor (QSA) to ensure these measures are appropriate, well-defined, and in line with cybersecurity best practices.