PCI DSS 4: eCommerce Changes for SAQ A Explained

The recent PCI DSS v4.0 has some important changes for eCommerce merchants that use a redirect or iframe to reduce scope to Self-Assessment Questionnaire A (SAQ A). Even though the merchant’s website that meets the criteria for SAQ A does not transmit account data, the website does affect where account data is transmitted. We have seen PCI DSS requirements for these merchants steadily increase over PCI DSS versions, and it’s no surprise that there are more requirements in SAQ A for PCI DSS v4.0.

Organisations can start using v4.0 now, although it becomes mandatory from 31st March 2024, when PCI DSS v3.2.1 retires. The latest documetents for PCI DSS and SAQ can be found over on the PCI SSC website.

In the meantime, our expert team have provided a review on the eCommerce requirements in SAQ A v3.2.1. We have then highlighted new ecommerce requirements in SAQ A v4.0 below.

 SAQ A v3.2.1 Ecommerce Requirements

SAQ A v3.2.1 has 24 requirements, with 9 requirements specific to eCommerce channels
summarised as follows:

RequirementSummary
2.1Change or remove vendor defaults prior to installing a system (2 sub-requirements).
6.2Install security patches on all system components and software; install critical security patches within one month of release (2 sub-requirements).
8.1.1Assign users a unique ID.
8.1.3Revoke access immediately for any terminated users.
8.2All users have a password (or token, or biometric).
8.2.3Password parameters configured to require a minimum of seven characters with both letters and numbers (or equivalent complexity).
8.5No group or shared accounts or passwords.

These requirements apply to the web server, which may include the operating system, web applications, and other systems on the server.

Please note that not all iframe solutions may meet the criteria for SAQ A for v3.2.1 or v4.0, depending on how they work and how the payment page may be configured, so it is worth checking against SAQ A criteria.

Additionally, the tables of SAQ A requirements in this blog only include those relating to eCommerce; other requirements include managing paper receipts (if applicable), managing service providers (the redirect or iframe must be to a compliant payment service provider’s payment page), and having a PCI DSS incident response plan.

 PCI DSS v4.0 – SAQ A v4.0 Ecommerce Requirements

SAQ A v4.0 has 31 requirements, with 17 requirements specific to eCommerce channels summarised as follows:

RequirementSummary
2.2.2Change vendor defaults prior to installing a system.
6.3.1Install security patches on all system components and software.
6.3.3Install critical security patches within one month of release.
6.4.3Payment page scripts are authorised, integrity checked and are inventoried (best practice until 31st March 2025, then required) – applies to page redirected from or containing iframe.
8.2.1Assign users a unique ID.
8.2.2No group or shared accounts or passwords (unless exceptional, time-limited, approved, documented, and action attributable to individual).
8.2.5Revoke access immediately for any terminated users.
8.3.1All users have a password (or token, or biometric).
8.3.5Passwords initially set (or reset) to unique value and forced change on first use.
8.3.6Password parameters configured to require a minimum of twelve characters with both letters and numbers (best practice until 31st March 2025, then required; can use minimum of seven characters with both letters and numbers until then).
8.3.7Passwords cannot be the same as any of the last four used.
8.3.9If multi-factor authentication (MFA) not used, then passwords are changed every 90 days (or dynamic analysis of account security posture).
11.3.2Quarterly external vulnerability scans from an ASV on websites on the web server, with re-scans as required until passing scans.
11.3.2.1External vulnerability scans after any significant change, with re-scans until no more vulnerabilities with CVSS 4.0 or above.
11.6.1For use of iframes hosting the payment service provider’s payment page, a change and tamper detection mechanism to alert personnel to changes to HTTP headers or payment page contents; the mechanism must work at least every 7 days (best practice until 31st March 2025, then required).

As with PCI DSS v3.2.1 these requirements apply to the web server, which may include the operating system, web applications, and other systems on the server. Scope and architecture may vary, and it is important to verify the exact boundaries to determine what systems are included in the assessment for SAQ A.

The new requirements are highlighted in the table above, with some needing significant additional work. These new requirements are as follows:

Requirement 6.4.3

Requirement 6.4.3 requires that you manage JavaScript files included on pages that host the iframe or are the source of the redirect; for example, Google Analytics, third party Ad scripts, or CDN hosted scripts, are especially important. Although this is best practice rather than a requirement until end of Q1 2025, this PCI DSS bulletin from 2019 explains the types of risks:

https://www.pcisecuritystandards.org/wp-content/uploads/2019/08/PCISSC_Magecart_Bulletin_RHISAC_FINAL.pdf

Requirement 8.3.5

Requirement 8.3.5 is enforcing the common practice of having a unique initial password that is forced on first logon, with the same process for password resets.

Requirement 8.3.6

Requirement 8.3.6 has updated the minimum required characters for passwords to twelve, although again, best practice rather than a requirement until end of Q1 2025. However, this should be straightforward to do from now. This needs to be technically enforced.

Requirement 8.3.7

Requirement 8.3.7 is when changing a password, requiring that it cannot be the same as any of the last four used. This needs to be technically enforced.

Requirement 8.3.9

Requirement 8.3.9 means password changes every 90 days, although use of MFA precludes this. MFA should be common practice and easy to implement for most eCommerce platforms.

Requirement 11.3.2

Requirement 11.3.2 for quarterly external vulnerability scans by an ASV is mandatory, and this is not future dated, you need to start quarterly scanning as soon as you transition to PCI DSS v4.0. The scans need to be done on the web sites on the merchant web server, and you need passing scans every quarter.

Requirement 11.6.1

Requirement 11.6.1 for a change and tamper detection mechanism for the page hosting the iframe only applies to iframes that host the payment service provider’s payment page. This is best practice until end of Q1 2025, when it becomes a requirement. This requirement needs careful consideration, and there are some solutions described in the PCI DSS v4.0 guidance column for this requirement.

What should I do next?

There are significant changes in SAQ A for PCI DSS v4.0 for eCommerce merchants, even though the merchant does not store, process, or transmit account data; clearly the merchant web server still has a potential impact on the security of account data.

Although some changes are future dated to 2025 before becoming mandatory and PCI DSS v3.2.1 doesn’t retire until 2024, it is good practice to further protect your web sites now if you are not already.

Some simple ways to do this include:

  • Multi-factor authentication for all accounts
  • Passwords with a minimum of twelve characters
  • Quarterly vulnerability scans
  • Restricting and managing external JavaScript and CSS files
  • Change or tamper detection on pages hosting iframes

Need a helping hand?

Dionach can help you with transitioning to PCI DSS v4.0 by providing you with a PCI DSS v.4.0 gap analysis. This will ensure you know what options you may have and the changes you will need to make to meet the new requirements.

For more information on our PCI DSS v4.0 gap analysis services, please don’t hesitate to get in touch with our team.

Find out how we can help with your cyber challenge

Please enter your contact details using the form below for a free, no obligation, quote and we will get back to you as soon as possible. Alternatively, you can email us directly at [email protected]

Related Posts

Cyber Security in the Finance Sector: Protecting Sensitive Financial Data

The financial sector has long been a prime target for cyber criminals due to the vast amounts of sensitive data it holds, including personal identification information (PII), financial records, and payment card data. As digital banking services grow and financial institutions embrace technological advancements, the attack surface expands, making robust cyber security measures critical for […]
AdobeStock_476014459

Dionach Partnership with the UK Space Agency Enhances Cyber Security of Space SMEs

Cyber security consultancy Dionach have signed a contract extension with the UK Space Agency to accelerate cyber security within UK Space companies. Dionach, a leading cybersecurity consultancy, has signed a contract extension with the UK space agency to help SMEs within the Space Sector improve their cyber security practices and achieve Cyber Essentials Plus certification. […]
Contact Us

Contact Us Reach out to one of our cyber experts and we will arrange a call