The PCI DSS SAQ A is a self-assessment tool designed for merchants that outsource all cardholder data processing functions to PCI DSS-compliant third-party service providers and do not store, process, or transmit cardholder data electronically on their own systems or premises.
Purpose
To help eligible merchants validate their compliance with PCI DSS version 4.0, ensuring the security of cardholder data through appropriate policies, procedures, and relationships with third-party providers.
Eligibility Criteria
Merchants who:
Accept only card-not-present transactions (e-commerce or mail/telephone order).
Have all cardholder data functions outsourced to validated third-party providers.
Retain no electronic storage, processing, or transmission of account data.
Only keep paper reports or receipts (if any), which are not received electronically.
For e-commerce: all payment page elements must be hosted by PCI DSS-compliant third parties (PCI-DSS-v4-0-SAQ-A).
Structure and Requirements
The SAQ A includes a streamlined set of PCI DSS requirements tailored to this merchant profile, covering:
System security configurations (e.g., default account management)
Protection of paper records containing cardholder data
Web server security for redirection mechanisms
Access controls and authentication procedures
Vulnerability scanning and tamper detection
Information security policies and third-party management
Notable Updates (v4.0)
Expanded guidance for web server redirection responsibilities.
Inclusion of new requirements like change/tamper detection for iframe-based payment forms and stricter password rules (effective March 2025).
Enhanced third-party provider oversight requirements.
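As an added illustration of the change/tamper-detection requirement listed above (example code written for this page, not part of the SAQ A document or any PCI SSC tooling): a Python script that compares a previously approved inventory of a payment page's scripts and security-relevant response headers with a fresh capture, and reports unauthorized, missing or modified scripts and changed headers. The hostnames, script bodies and header values are constructed sample data, not real endpoints.

```python
import hashlib

# Headers whose change can alter how payment-page scripts load or run.
TRACKED_HEADERS = ("content-security-policy", "x-frame-options")

def build_inventory(scripts: dict[str, bytes], headers: dict[str, str]) -> dict:
    """Reduce fetched script bodies and response headers to hashes/values
    that can be compared against an approved baseline."""
    return {
        "scripts": {url: hashlib.sha256(body).hexdigest() for url, body in scripts.items()},
        "headers": {k.lower(): v for k, v in headers.items() if k.lower() in TRACKED_HEADERS},
    }

def detect_changes(baseline: dict, current: dict) -> list[str]:
    """Return one finding per unauthorized, missing or modified script and per changed header."""
    findings = []
    base_s, cur_s = baseline["scripts"], current["scripts"]
    for url in sorted(set(cur_s) - set(base_s)):
        findings.append(f"UNAUTHORIZED_SCRIPT {url}")
    for url in sorted(set(base_s) - set(cur_s)):
        findings.append(f"MISSING_SCRIPT {url}")
    for url in sorted(set(base_s) & set(cur_s)):
        if base_s[url] != cur_s[url]:
            findings.append(f"MODIFIED_SCRIPT {url}")
    base_h, cur_h = baseline["headers"], current["headers"]
    for name in sorted(set(base_h) | set(cur_h)):
        if base_h.get(name) != cur_h.get(name):
            findings.append(f"HEADER_CHANGED {name}")
    return findings

# Constructed sample data (hypothetical hosts, not real endpoints).
# Baseline: the inventory approved when the payment page was last reviewed.
BASELINE = build_inventory(
    {"https://psp.example/checkout.js": b"/* psp checkout v1 */",
     "https://merchant.example/analytics.js": b"/* analytics v3 */"},
    {"Content-Security-Policy": "script-src 'self' https://psp.example",
     "X-Frame-Options": "DENY"},
)
# Later capture: analytics script body changed, an unapproved script appeared,
# and the CSP was loosened; the PSP script and X-Frame-Options are unchanged.
CURRENT = build_inventory(
    {"https://psp.example/checkout.js": b"/* psp checkout v1 */",
     "https://merchant.example/analytics.js": b"/* analytics v3 */ /* unexpected edit */",
     "https://cdn.unknown.example/helper.js": b"/* not in the approved inventory */"},
    {"Content-Security-Policy": "script-src *", "X-Frame-Options": "DENY"},
)

def run_check() -> list[str]:
    # An empty list means the page still matches its approved baseline.
    return detect_changes(BASELINE, CURRENT)
```

In practice the "current" inventory would come from a scheduled fetch of the live payment page and each finding would be routed to alerting; the comparison logic is what the requirement asks for.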