March 3, 2025 — The Payment Card Industry Security Standards Council (PCI SSC) recently issued “FAQ 1588“, providing essential clarification on SAQ A eligibility and security requirements. This update answers key questions that arose following the removal of requirements 6.4.3 and 11.6.1, particularly how merchants using Third-Party Service Provider (TPSP) embedded payment pages (iFrames) must confirm that their sites are not susceptible to script-based attacks.
Key Takeaways from PCI SSC’s Clarification
The revised guidance confirms that SAQ A eligibility changes apply only to merchants using embedded payment forms (iFrames), not those using a redirect-based model.
- Implement PCI DSS requirements 6.4.3 and 11.6.1
– OR – - Obtain assurance from their TPSP that their embedded payment page/form includes security techniques that mitigate script-based attacks.
_
–
_
–
“Understanding evolving PCI compliance requirements is critical for businesses handling online payments,” said Adam Gaydosh, Director of PCI Services at OBS Global. “Our team continues to provide the insights and guidance organizations need to stay secure and compliant.”
As a trusted member of the Global Executive Assessor Roundtable (GEAR), OBS Global is breaking down what this means for merchants and how businesses can ensure compliance.
For the full details, visit our latest blog PCI SAQ A Changes: Course Correction Update
–
About OBS Global
OBS Global, is a leading digital transformation and cybersecurity consultancy, helping organizations optimize business processes, enhance security, and drive innovation. As a GEAR member, OBS Global provides deep expertise in PCI compliance, risk management, and cybersecurity strategies.
