SAQ A Merchants

SAQ A Merchants are defined as those who have fully outsourced all payment processing functions to a PCI DSS-compliant third-party service provider (TPSP), so that they do not store, process, or transmit electronic cardholder data on their own systems. They may retain paper reports or receipts with cardholder data, but their electronic involvement is minimal.

  • Eligibility Criteria: To qualify, all account data functions must be outsourced, with no electronic handling by the merchant. This includes scenarios like e-commerce stores using third-party payment pages or mail-order/telephone-order (MOTO) businesses with fully outsourced processing.
  • Compliance Requirements: SAQ A is the simplest, with fewer questions (around 24 in version 3, with updates in version 4 for clarity), focusing on ensuring the third party’s compliance and securing any paper records. Version 4 adds emphasis on vulnerability alerts and script security for browser interactions.
  • Requirement 6.4.3 Applicability: Research suggests that requirement 6.4.3 applies to SAQ A Merchants, but in a limited scope. Specifically, it pertains to scripts on the merchant's own website pages that provide the URL to the TPSP payment page. The requirement ensures these scripts are authorized, their integrity is assured, and an inventory is maintained with a written justification for each script. This is crucial for securing the merchant's website, which is in scope even though the merchant does not handle payment pages directly. For example, in the SAQ A document for PCI DSS v4.0, it is listed under requirement 6, with applicability notes indicating it applies to merchant website pages providing the TPSP payment page URL.
  • Requirement 11.6.1 Applicability: The evidence leans toward requirement 11.6.1 not applying to SAQ A Merchants. This requirement is about having a change-detection mechanism for payment pages, defined as web-based interfaces that capture or submit account data. Since SAQ A Merchants do not have payment pages (their website only redirects to the TPSP’s payment page), this requirement is not relevant. Upon checking the official SAQ A document for v4.0, requirement 11.6.1 is not listed, confirming it does not apply.
  • Practical Implications: SAQ A Merchants have a low compliance burden, focusing on securing their website scripts under 6.4.3 and ensuring physical security for paper records. They do not need to implement change-detection mechanisms for payment pages, reducing their scope compared to other merchant types.
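As an added illustration of the limited 6.4.3 scope described above (example code, not part of the original page), the following check walks the script tags on a merchant page that hands off to the TPSP, compares each against an authorized inventory carrying its justification, and verifies integrity with an SRI-style digest. The page HTML, script bodies, inventory entries and paths are all constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_hash(content: bytes) -> str:
    """Digest in Subresource Integrity form (sha384-<base64>), usable in an integrity attribute."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()

# Constructed sample: script bodies as served by the merchant's own site (stand-in for fetching them).
SCRIPT_BODIES = {
    "/js/site.js": b"document.querySelector('nav').classList.add('ready');",
    "/js/checkout-redirect.js": b"location.href = 'https://pay.example-tpsp.test/hosted';",
}
# Constructed 6.4.3 inventory: script -> (expected integrity digest, written business justification).
AUTHORIZED_INVENTORY = {
    "/js/site.js": (sri_hash(SCRIPT_BODIES["/js/site.js"]), "site navigation"),
    "/js/checkout-redirect.js": (sri_hash(SCRIPT_BODIES["/js/checkout-redirect.js"]), "hand-off to TPSP payment page"),
}

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []  # attribute dict of every <script> tag seen
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))

def audit_page(html: str, bodies: dict, inventory: dict) -> list:
    """Return (script, status, note) per script: authorization, body integrity, and SRI pinning."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src", "inline")  # inline scripts are never in the inventory here
        if src not in inventory:
            findings.append((src, "unauthorized", "not in the authorized inventory"))
            continue
        expected, justification = inventory[src]
        if sri_hash(bodies.get(src, b"")) != expected:
            findings.append((src, "integrity-mismatch", justification))   # served body changed
        elif attrs.get("integrity") != expected:
            findings.append((src, "missing-sri", justification))          # browser not pinning it
        else:
            findings.append((src, "ok", justification))
    return findings

# Constructed page: one pinned script, the unpinned TPSP redirect script, and an unlisted third script.
PAGE = (f'<script src="/js/site.js" integrity="{AUTHORIZED_INVENTORY["/js/site.js"][0]}"></script>'
        '<script src="/js/checkout-redirect.js"></script><script src="/js/tracker.js"></script>')
```

Running `audit_page(PAGE, SCRIPT_BODIES, AUTHORIZED_INVENTORY)` reports the redirect script as authorized but not SRI-pinned and the tracker as unauthorized; re-running after a served body changes reports an integrity mismatch for that script.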

To illustrate the differences, consider the following table comparing key aspects, including the applicability of requirements 6.4.3 and 11.6.1:

Maintain Full Visibility

Effortlessly automate PCI-DSS 4.0.1 compliance for SAQ A merchants, covering Requirements 6.4.3 and 11.6.1 in just minutes.

  • Automatically track all scripts running on your website.
  • Ensure script integrity by detecting and preventing unauthorized changes.
  • Get real-time alerts for unapproved script activities.
  • Streamline compliance reporting for your teams and QSA.
  • Protect your payment pages from malicious scripts that could compromise cardholder data.

Stay secure, stay compliant, and simplify your PCI-DSS obligations.