
January 2025

Top 3 Mistakes PCI DSS SAQ-D Service Providers Are Making in 2025 That Will Knock Them Out of PCI DSS 4 Compliance

PCI DSS Compliance for SAQ-D Service Providers and Merchants is more critical than ever. Despite widespread awareness of the updated requirements, it appears that over 90% of service providers remain unaware that they must implement new technical measures for the iFrames (with payment functions loaded) on their customers’ payment pages to meet Requirements 6.4.3 and 11.6.1.

PCI 4 for SAQ-A & SAQ-A-EP: Everything Merchants Need to Know to Master PCI DSS 4 Compliance

PCI DSS 4 introduces new requirements for SAQ-A and SAQ-A-EP Merchants. The key changes are Requirements 6.4.3 and 11.6.1. While these requirements play a crucial role in preventing and detecting e-commerce skimming attacks, they also require merchants to implement and operate new technical capabilities on payment webpages. Requirements 6.4.3 and 11.6.1 apply to all scripts executed in a consumer’s browser on payment pages, defined as web-based interfaces that capture or submit account data.

SAQ A-EP: Top 5 Actions Merchants Must Take to comply with PCI DSS 4 Requirements 6.4.3 and 11.6.1 by March 31, 2025

SAQ A-EP is a key focus of the Payment Card Industry Data Security Standard (PCI DSS) version 4, which introduces changes affecting merchants. Designed for e-commerce merchants who partially outsource their payment processing but have website elements impacting transaction security, SAQ A-EP ensures compliance with these updated requirements. This article clarifies these changes and outlines the top 5 actions SAQ A-EP merchants should take before March 31, 2025.

Top 5 Mistakes SAQ A-EP Merchants Are Making in 2025 That Will Knock Them Out of PCI 4.0 Compliance

If you thought PCI DSS 4.0.1 was just a minor tweak to the old requirements, think again. 2025 is here, and it’s clear that many SAQ A-EP merchants are still missing critical steps needed to stay compliant. In fact, we noticed that over 90% of SAQ A-EP merchants aren’t aware that they need to implement new technical measures to address Requirements 6.4.3 and 11.6.1.

PCI DSS 4.0.1: A Comprehensive Guide to Successfully Meeting Requirements 6.4.3 and 11.6.1

PCI DSS 4 Compliance requires a clear understanding of the latest requirements, particularly Requirements 6.4.3 and 11.6.1, which emphasize the importance of JavaScript monitoring for maintaining secure payment environments. For AppSec, Infosec, or ISA/QSA professionals, staying on top of PCI DSS 4.0.1 can feel overwhelming, but protecting payment card data leaves no room for errors.