This article is produced with scandiweb's eCommerce expertise

PCI DSS SAQ A 2025 Updates: What eCommerce Merchants Need to Know

The Payment Card Industry Data Security Standard (PCI DSS) compliance process has been simplified for eCommerce merchants using iFrames or Redirects. But if your checkout doesn’t rely on these processing methods, you’ll need to adjust before March 31, 2025.

What changed

  • PCI updated SAQ A on January 30, 2025. This form is used by businesses that process payments but don’t handle card details directly.
  • Two security rules were removed—merchants no longer need to monitor third-party scripts on their checkout pages.
  • A new rule was added where merchants must confirm their site is secure from attacks.

The PCI Security Standards Council (PCI SSC) updated the Self-Assessment Questionnaire (SAQ) A on January 30, 2025. SAQ A applies only to merchants who fully outsource payment processing to PCI-compliant providers, meaning they do not store, process, or transmit cardholder data.

While PCI DSS 4.0.1 remains unchanged, the SAQ A requirements have been modified. Two security controls, Requirements 6.4.3 and 11.6.1, have been removed. Previously, these required merchants to monitor third-party scripts on their checkout pages and detect unauthorized modifications to the payment form. Instead of enforcing these controls, the PCI SSC has introduced a new eligibility criterion: merchants must now confirm that their site is not vulnerable to script-based attacks.

This change eliminates complex and costly monitoring requirements while still holding merchants accountable for their website security. For many SAQ A merchants, compliance will now be faster and easier since they no longer need to track and validate external scripts on their payment pages.

Why it changed

  • Script monitoring was too complicated and expensive—there were no automated tools, so merchants had to track scripts manually.
  • Merchants using iFrames and Redirects don’t handle payment data, so strict monitoring wasn’t necessary.
  • New rule focuses on general website security, reducing unnecessary compliance steps for most merchants.

The PCI SSC removed requirements 6.4.3 and 11.6.1 because enforcing them created unnecessary complexity and costs for SAQ A merchants. Tracking third-party scripts is difficult and time-consuming, as there are no automated solutions to simplify it.

Another reason for the change is that SAQ A merchants already minimize security risks by outsourcing payment processing. When an iFrame or Redirect is used, all payment data is handled by a PCI-compliant third party, meaning sensitive information never touches the merchant’s servers. Since these businesses do not store, process, or transmit cardholder data, enforcing constant script monitoring on their checkout pages was deemed excessive.

Who is affected

  • Good news for eCommerce merchants using iFrames or Redirects—compliance is now simpler and requires less effort.
  • eCommerce merchants who do not use iFrames or Redirects must switch to SAQ A-EP or SAQ D before March 31, 2025.
  • Failing to update compliance may result in higher fees or inability to process online payments.

The SAQ A update affects two main groups of merchants: those who will benefit from the changes and those who must take action before March 31, 2025, to remain compliant.

Merchants who use iFrames or Redirects for payment processing will find compliance simpler. They no longer need to implement script integrity monitoring on their checkout pages, making SAQ A validation easier and requiring fewer technical resources and manual oversight.

However, merchants who do not use iFrames or Redirects will lose their eligibility for SAQ A. If their checkout form directly interacts with payment data before sending it to a third-party provider, they must transition to a more stringent SAQ type.

SAQ A-EP applies to merchants who manage their checkout page but do not store cardholder data, requiring security measures like vulnerability scans and penetration testing. SAQ D, however, applies to businesses that store, process, or transmit payment card data, and requires full PCI DSS compliance.

Failure to transition to the correct SAQ type by the end of March could result in non-compliance, higher processing fees, potential fines, or even the loss of the ability to process online payments.

How this affects scandiweb’s clients using ReadyMage

  • ReadyMage is a fully managed Magento hosting solution by scandiweb that offers a secure and optimized environment for eCommerce stores.
  • Merchants using iFrames or Redirects on ReadyMage will now have an easier compliance process with fewer security checks.
  • Those who do not use iFrames or Redirects must transition to SAQ A-EP or SAQ D and implement additional security controls before the deadline.

ReadyMage is a fully managed Magento hosting solution developed by scandiweb that provides a streamlined and secure environment for eCommerce stores. It simplifies Magento deployment, hosting, and security, ensuring merchants have a PCI-compliant infrastructure while maintaining high performance. Since ReadyMage merchants often integrate with third-party payment providers, the recent PCI DSS SAQ A updates may impact their compliance process.

ReadyMage merchants using iFrames or Redirects now have a simplified SAQ A validation process, as script monitoring is no longer required. However, for merchants who do not use these methods, compliance will become more complex, requiring a transition to SAQ A-EP or SAQ D. This means implementing new security controls and ensuring their infrastructure meets higher PCI DSS standards.

What to do now

  • Identify whether your store uses iFrames or Redirects to determine if you still qualify for SAQ A.
  • If switching to SAQ A-EP or SAQ D, review the additional security measures required, such as vulnerability scanning.
  • Update your compliance documentation to reflect the 2025 PCI DSS changes before the deadline.

The first step is to review your payment processing setup. If your checkout relies on iFrames or Redirects, your SAQ A validation will remain simple, and no additional action is required. However, if your checkout does not use these methods, you must prepare for a more complex compliance process.

Merchants should also ensure their websites are secure against script-based threats. This includes updating their Magento store and third-party integrations, using only trusted scripts, and implementing security measures such as Content Security Policies (CSPs) and security headers. These steps will help reduce the risk of malicious scripts compromising the checkout page.
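
To make the CSP step concrete, the following added example (not scandiweb's or the PCI SSC's code) audits the Content-Security-Policy header of a checkout page that embeds a hosted payment iFrame and lists the settings that leave it open to script-based attacks. The payment origin and both sample policies are constructed for illustration.

```python
# Added example: audit the Content-Security-Policy of a checkout page that
# embeds a hosted payment iframe. All hosts and policies here are constructed.
PAYMENT_HOST = "https://pay.psp.example"  # hypothetical provider origin
BROAD = {"*", "https:", "http:", "data:"}  # sources that allow almost anything
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header):
    """Return {directive: [sources]}; a repeated directive is ignored, as browsers do."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit_checkout_csp(header, payment_host=PAYMENT_HOST):
    """Return a list of findings; an empty list means no weakness was detected."""
    policy = parse_csp(header)
    findings = []
    # script-src falls back to default-src when absent.
    scripts = policy.get("script-src", policy.get("default-src"))
    if scripts is None:
        findings.append("no script-src/default-src: scripts load from anywhere")
    else:
        strict = any(s.startswith(HASH_OR_NONCE) for s in scripts)
        # Browsers ignore 'unsafe-inline' once a nonce or hash is present.
        if "'unsafe-inline'" in scripts and not strict:
            findings.append("script-src allows 'unsafe-inline'")
        if "'unsafe-eval'" in scripts:
            findings.append("script-src allows 'unsafe-eval'")
        findings += [f"script-src allows broad source {s}" for s in scripts if s in BROAD]
    # frame-src falls back to child-src, then default-src.
    frames = policy.get("frame-src", policy.get("child-src", policy.get("default-src")))
    if frames is None or BROAD & set(frames):
        findings.append("frame-src is not restricted to the payment provider")
    elif payment_host not in frames:
        findings.append("payment origin missing from frame-src (iframe would be blocked)")
    # frame-ancestors has no default-src fallback; it must be set explicitly.
    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors: the checkout page itself can be framed")
    return findings

# Constructed policies: a permissive one and a tightened one.
WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; frame-src *"
HARDENED = (f"default-src 'self'; script-src 'self' 'nonce-EXAMPLE'; "
            f"frame-src {PAYMENT_HOST}; frame-ancestors 'none'")

if __name__ == "__main__":
    for name, csp in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_checkout_csp(csp))
```

In production the nonce must be a fresh random value on every response; the fixed string above only stands in for one.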

Finally, merchants must update their SAQ A documentation for 2025 assessments. Those moving to SAQ A-EP or SAQ D should work with PCI compliance experts to ensure a smooth transition without disruptions to their payment processing.

Our team is ready to assist if you need guidance on SAQ A eligibility, a compliance-friendly payment setup, or security enhancements. Contact us today to ensure your store is fully compliant and ready for the 2025 PCI DSS changes.
