Are You Outsourcing eCommerce?
Our recent article PCI SSC Updates SAQ A: Removal of Key E-Commerce Security Requirements & New Eligibility Criteria outlined the significant requirement updates, who they affect and the next steps. These requirements are still part of PCI DSS v4.0.1 and the March 31, 2025 deadline. However, SAQ A merchants are no longer required to validate compliance with them, as long as they meet the new eligibility criteria. Even though SAQ A removes these specific security controls, merchants must still ensure their site is protected from script-based threats that could impact their eCommerce systems. This is specifically a focus for those that outsource their ecommerce environment to a third party service provider (TSPS).

What Does the SAQ-A Update Mean For Me?
With the SAQ-A eligibility criteria update, our PCI team is getting more questions from businesses who outsource their ecommerce operations, asking how they can satisfy the new criteria. The PCI update indicates that if a merchant can confirm that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s), these requirements may not be applicable to them. The HALOCK team reviewed these requirements further to help organizations understand where they are applicable.
How Is a ‘Payment Page’ Defined?
Requirements 6.4.3 and 11.6.1 use the terms ‘payment page scripts’ and ‘payment pages’. Basically, these are the pages that accept credit card information.
These definitions can be found in PCI DSS 4.0.1’s glossary:
Payment Page: A web-based user interface containing one or more form elements intended to capture account data from a consumer or submit captured account data, for purposes of processing and authorizing payment transactions. The payment page can be rendered as any one of:
- A single document or instance,
- A document or component displayed in an inline frame within a non-payment page,
- Multiple documents or components each containing one or more form elements contained in multiple inline frames within a non-payment page.
Payment Page Scripts: Any programming language commands or instructions on a payment page that are processed and/or interpreted by a consumer’s browser, including commands or instructions that interact with a page’s document object model. Examples of programming languages are JavaScript and VB script; neither markup languages (for example, HTML) nor style rules (for example, CSS) are programming languages.
The wording in Requirement 6.4.3 also states this applies to all payment page scripts – ‘all payment page scripts that are loaded and executed in the consumer’s browser are managed’.
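The definitions above draw the line at script elements that the browser actually executes, which is what any inventory of “all payment page scripts” has to enumerate, whether the script is on the merchant’s own page or inside an iframe the merchant can inspect. As an added example (not HALOCK’s code and not anything published by the PCI SSC), the following JavaScript compares the scripts observed on a payment page against an authorized inventory and reports what a merchant or service provider would need to explain: scripts nobody authorized, scripts without an integrity value, and inline scripts that cannot be pinned by hash. The URLs, hash values, function names and the shape of the inventory are all assumptions made for this example.

```javascript
// Added example, not from the original article. Checks the scripts observed on a
// payment page against an authorized inventory. In a browser, collectScripts(document)
// gathers the observed list; the constructed sample below lets the review run offline.

// Constructed sample inventory: scripts the merchant (or its provider) has authorized,
// each with the integrity hash it is expected to carry. Hash values are placeholders.
const AUTHORIZED_SCRIPTS = {
  "https://pay.example-psp.test/checkout.js": {
    integrity: "sha384-CONSTRUCTED_HASH_A",
    purpose: "hosted payment form loader (provider-managed)",
  },
  "https://www.example-merchant.test/static/app.js": {
    integrity: "sha384-CONSTRUCTED_HASH_B",
    purpose: "merchant site UI",
  },
};

// Browser-only helper: walk every <script> element, then recurse into iframes the page
// is allowed to read. Cross-origin iframes expose no contentDocument, so their scripts
// are out of reach here and are the embedding provider's responsibility to manage.
// Markup and stylesheets are deliberately not collected: per the PCI DSS glossary they
// are not payment page scripts.
function collectScripts(doc) {
  const out = [];
  for (const s of doc.scripts) {
    out.push({
      src: s.src || null,
      integrity: s.integrity || "",
      inline: !s.src,
      snippet: s.src ? "" : (s.text || "").slice(0, 80),
    });
  }
  for (const frame of doc.querySelectorAll("iframe")) {
    if (frame.contentDocument) out.push(...collectScripts(frame.contentDocument));
  }
  return out;
}

// Pure review logic, usable both in the browser and in an offline check.
function reviewScripts(observed, authorized) {
  const findings = { unauthorized: [], missingIntegrity: [], integrityMismatch: [], inline: [] };
  for (const s of observed) {
    if (s.inline) {
      // Inline code has no URL to inventory and no integrity attribute to pin it.
      findings.inline.push(s.snippet);
      continue;
    }
    const entry = authorized[s.src];
    if (!entry) {
      findings.unauthorized.push(s.src);
      continue;
    }
    if (!s.integrity) {
      findings.missingIntegrity.push(s.src);
      continue;
    }
    if (s.integrity !== entry.integrity) findings.integrityMismatch.push(s.src);
  }
  return findings;
}

// Constructed sample of what collectScripts(document) might return on a checkout page:
// one authorized and pinned script, one authorized but unpinned, one nobody authorized,
// and one inline snippet.
const OBSERVED_SCRIPTS = [
  { src: "https://pay.example-psp.test/checkout.js", integrity: "sha384-CONSTRUCTED_HASH_A", inline: false, snippet: "" },
  { src: "https://www.example-merchant.test/static/app.js", integrity: "", inline: false, snippet: "" },
  { src: "https://cdn.example-analytics.test/tag.js", integrity: "", inline: false, snippet: "" },
  { src: null, integrity: "", inline: true, snippet: "window.dataLayer = window.dataLayer || [];" },
];

console.log(JSON.stringify(reviewScripts(OBSERVED_SCRIPTS, AUTHORIZED_SCRIPTS), null, 2));
```

Each finding maps to a conversation with the responsible party: an unauthorized script needs an owner or removal, a missing or mismatched integrity value needs the script pinned or the inventory corrected, and anything executing in a cross-origin payment iframe is invisible to this check and must be covered by the provider’s own documented controls.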
Ultimately, the new requirements raise a crucial question of responsibility within a nuanced regulation: who is taking responsibility for payment page security in outsourced ecommerce environments, which include redirects and iframes?
What Should I Do to Manage my eCommerce Environment under PCI DSS?
If your organization outsources your ecommerce environment, we recommend meeting with your eCommerce third party service provider to verify they are taking the security responsibilities for these payment page script requirements. If you are a third-party service provider, we recommend updating your PCI DSS responsibility documentation to help your clients understand their responsibilities for these requirements.
Our team has also started going back to those third-party service providers (that marked these requirements N/A until 4/2025) to verify they are expecting to take on these requirements for their merchant customers.
Why Should I Review with my TSPS?
As a merchant, your ultimate goal should be to understand who is taking responsibility for these requirements before the March 31, 2025, deadline.
Reference Material – Updated SAQ A
By Viviana Wesley, PCI QSA, ISO 27001 Auditor, CISM
Principal Consultant, Governance, Compliance and Engineering Services