Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

PCI DSS Compliance for SAQ-D Service Providers and Merchants is more critical than ever. Despite widespread awareness of the updated requirements, ot appears that over 90% of service providers remain unaware that they must implement new technical measures for the iFrames (with payment functions loaded) on their customers’ payment pages to meet Requirements 6.4.3 and 11.6.1.

PCI DSS 4 introduces new requirements for SAQ-A and SAQ-A-EP Merchants. Key new changes are Requirements 6.4.3 and 11.6.1. While these requirements play a crucial role in preventing and detecting e-commerce skimming attacks they also require merchants to implement and operate new technical capabilities on payment webpages. Requirements 6.4.3 and 11.6.1 apply to all scripts executed in a consumer’s browser on payment pages, defined as web-based interfaces that capture or submit account data.

SAQ A-EP is a key focus of the Payment Card Industry Data Security Standard (PCI DSS) version 4, which introduces changes affecting merchants. Designed for e-commerce merchants who partially outsource their payment processing but have website elements impacting transaction security, SAQ A-EP ensures compliance with these updated requirements. This article clarifies these changes and outlines the top 5 actions SAQ A-EP merchants should take before March 31, 2025.

If you thought PCI DSS 4.0.1 was just a minor tweak to the old requirements, think again. 2025 is here, and it’s clear that many SAQ A-EP merchants are still missing critical steps needed to stay compliant. In fact, we noticed that over 90% of SAQ A-EP merchants aren’t aware that they need to implement new technical measures to address Requirements 6.4.3 and 11.6.1.

PCI DSS 4 Compliance requires a clear understanding of the latest requirements, particularly Requirement 6.4.3 and 11.6.1, which emphasize the importance of JavaScript monitoring for maintaining secure payment environments. For AppSec, Infosec, or ISA/QSA professionals, staying on top of PCI DSS 4.0.1 can feel overwhelming, but protecting payment card data leaves no room for errors.

PCI DSS is a set of requirements that is applied to every small and large organization that accepts, stores, processes, or transmits cardholder data. In particular, PCI DSS for SaaS companies is essential, as these platforms frequently handle sensitive customer information and must adhere to the latest security standards. In 2024, the updated version of PCI DSS 3.2.1, PCI DSS v4.0, became mandatory after being officially released on March 31, 2022, allowing organizations a transition period.

Being PCI DSS 4 compliant is crucial for e-commerce merchants—businesses that accept credit card payments on their websites and web applications. The new PCI DSS requirements (6.4.3 and 11.6.1) are designed to strengthen payment page security, and if you’re processing online payments, you’re likely required to comply. Compliance helps protect your customers’ sensitive payment information while ensuring the integrity and security of your payment process.

If you’re running a business that takes online credit card payments, you know that you’ve got to become compliant with PCI DSS Requirements 6.4.3 and 11.6.1. Meeting these requirements is crucial for PCI DSS Version 4 Compliance and helps prevent costly data breaches. However, the costs of compliance tools can add up quickly, especially for small businesses. In particular, PCI DSS requirements 6.4.3 and 11.6.1 can seem daunting.

The Payment Card Industry Data Security Standard (PCI DSS) is a global standard designed to ensure the security of cardholder information. It is crucial for any organization that stores, processes, or transmits payment card data to comply with PCI DSS to protect the integrity and confidentiality of cardholder information.