The SAQ A Deep Dive: Two QSAs Set the Record Straight (ep. 6) episode artwork

EPISODE · Apr 28, 2026 · 20 MIN

The SAQ A Deep Dive: Two QSAs Set the Record Straight (ep. 6)

from Practical Cybersecurity with Jen Stone · host SecurityMetrics

This episode of Practical Cybersecurity moves past the standard PCI checklist to focus on the operational realities, common misconceptions, and "stealth" requirements that define SAQ A in the PCI DSS v4.0.1 era. The Eligibility FoundationMost merchants skip the Eligibility Criteria, which is the actual foundation of the assessment.Total Data Outsourcing: To qualify, a merchant must not store, process, or transmit any electronic account data on their own systems or premises. Call Center Exception: Merchants can still qualify for SAQ A if you use a third-party call center to handle payments on your behalf.Paper Ghosts: While the standard includes criteria for paper records, our experts have virtually never seen a modern SAQ A merchant that actually handles card data on paper in 15 years of assessments.The Iframe ParadoxA significant "stealth" requirement exists for merchants using iframes to capture payments.Susceptibility by Design: Iframes are "by definition" susceptible to scripting attacks, where malicious code scrapes data directly from the customer's browser."Hidden" Controls: To prove you aren't susceptible, the Council essentially requires you to meet requirements 6.4.3 and 11.6.1—technical controls for script inventory and integrity that are not technically listed in the body of the SAQ A document.Tips for Completing Your SAQ A:The SNMP Trap: When hardening servers (Requirement 2.2.2), administrators frequently overlook SNMP community strings, which often serve as easily searchable default "passwords" for attackers.Break-Glass Strategy: Requirement 8 now accommodates emergency "break-glass" accounts. If your lead admin ("Lisa") wins the lottery and disappears, your organization needs a documented, management-approved protocol to get the new hire ("Bob") into the system securely.The Staff Turnover Gap: Quarterly ASV scans often fail because the one person responsible for them leaves the company, and the new hire is unaware the scans are even occurring. Redundancy—where management also receives scan results—is a critical operational fix.Compliance is Not Inherited: Just because AWS is compliant does not mean your implementation of it is.Responsibility Matrix: You must utilize your provider's Security Responsibility Matrix to identify exactly which controls are managed by the vendor, which are shared, and which are your sole responsibility.And More!Resources:Download the SAQ A: Official PCI SSC SAQ A 4.0.1 PDF List of PCI ASVs: Approved Scanning Vendors AWS Responsibility MatrixAzure Responsibility MatrixA note from Jen: We built Practical Cybersecurity because we were tired of the fear-mongering in this industry. Security shouldn't be a secret club.If you're trying to figure out PCI compliance or need a pen test, my team at SecurityMetrics can help you out: https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place But if you just want to learn how to protect yourself for free, start here:  https://academy.securitymetrics.com/ 

This episode of Practical Cybersecurity moves past the standard PCI checklist to focus on the operational realities, common misconceptions, and "stealth" requirements that define SAQ A in the PCI DSS v4.0.1 era. The Eligibility Foundation Most merchants skip the Eligibility Criteria, which is the actual foundation of the assessment. Total Data Outsourcing: To qualify, a merchant must not store, process, or transmit any electronic account data on their own systems or premises. Call ...

NOW PLAYING

The SAQ A Deep Dive: Two QSAs Set the Record Straight (ep. 6)

0:00 20:45

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

MG Show MG Show The MG Show, hosted by Jeffrey Pedersen and Shannon Townsend, is a leading alternative media platform dedicated to uncovering the truth behind today’s most pressing political issues. Launched in 2019, the show has grown exponentially, offering unfiltered insights, comprehensive research, and real-time analysis. With a commitment to independent journalism and factual integrity, the MG Show empowers its audience with knowledge and encourages active participation in the political discourse. French Your Way Jessica: Native French teacher founder of French Your Way Boost your French listening skills and test your comprehension with this one of a kind series of podcasts. Get the chance to listen to a real conversation between native speakers talking at normal speed AND customise your learning experience through carefully designed sets of questions (2 levels of difficulty) available for download at www.frenchvoicespodcast.com. All interviews also come with the transcript. French teacher Jessica interviews native speakers of French from around the world who share a bit of their life and passion. Where else would you meet in one same place a French yoga teacher based in Melbourne, a soap manufacturer from Provence, or a couple cycling around the world? That Hoarder: Overcome Compulsive Hoarding That Hoarder Hoarding disorder is stigmatised and people who hoard feel vast amounts of shame. This podcast began life as an audio diary, an anonymous outlet for somebody with this weird condition. That Hoarder speaks about her experiences living with compulsive hoarding, she interviews therapists, academics, researchers, children of hoarders, professional organisers and influencers, and she shares insight and tips for others with the problem. Listened to by people who hoard as well as those who love them and those who work with them, Overcome Compulsive Hoarding with That Hoarder aims to shatter the stigma, share the truth and speak openly and honestly to improve lives. The Small Business Startup School – Business Notes | Financial Literacy | Retail Psychology – For Professionals & Entrepreneurs The Small Business Startup School Inc. Starting or buying a small business? While personal circumstances may vary, business patterns remain timeless. On The Small Business Startup School, we explore strategies, insights, and practical solutions to help entrepreneurs confidently navigate their journey.Hosted by Ola Williams—a retail entrepreneur, fintech founder, and financial coach with over two decades of experience—this podcast marries financial awareness and retail psychology with optimism to deliver actionable takeaways.Join us to learn, grow, and connect as we uncover the keys to business success.Let’s continue to learn together and be encouraged to keep on connecting!

Frequently Asked Questions

How long is this episode of Practical Cybersecurity with Jen Stone?

This episode is 20 minutes long.

When was this Practical Cybersecurity with Jen Stone episode published?

This episode was published on April 28, 2026.

What is this episode about?

This episode of Practical Cybersecurity moves past the standard PCI checklist to focus on the operational realities, common misconceptions, and "stealth" requirements that define SAQ A in the PCI DSS v4.0.1 era. The Eligibility FoundationMost...

Can I download this Practical Cybersecurity with Jen Stone episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!