Payment Page and SAQ A eligibility

In September the PCI Council published an FAQ to clarify the definition of a payment page and the eligibility use of SAQ A by the merchant. According the FAQ the PCI Council defines that all elements of the payment page delivered to the cardholder’s browser must originate only and directly from a PCI DSS validated third-party service provider. The term “payment page” refers to a collection of web elements used to collect and/or process payment card data. Payment pages can exist as a standalone web page or be embedded into another web page using an iframe. If additional information is displayed inside of the payment page, such as the list of items being purchased, shipping information, and promotional materials, these information is also considered part of the payment page. If at least one of these elements is provided by the merchant systems/website, the merchant is not eligible for SAQ A anymore. This also includes configuration parameters or style sheets influencing the layout of a payment page. These must not be delivered from the merchant’s system

More details are available in the FAQ article from the des PCI Council’s website

external link to the FAQ at PCI Council