The Most Significant Change in PCI DSS v4.0?
The PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a standard designed to ensure the secure handling of credit card information by organisations. All organisations that handle card payments are required to comply with PCI DSS, regardless of the number of transactions they process.
The latest version, PCI DSS 4.0, was published in March 2022 and includes more than 50 new requirements and several changes to requirements in version 3.2.1. In this blog we have picked out a few of the changes that we think will have the greatest impact on merchants and service providers.
Requirement 6.4.3 … change with the greatest impact?
In my opinion, one of the new requirements that will have the greatest impact is requirement 6.4.3: the requirement for public-facing web applications to be protected against attacks. The reason I think this is so significant is that it is a requirement within SAQ-A: the self-assessment questionnaire used by tens of thousands of small merchant retailers for their e-commerce activities that have been “contracted-out” via an iframe or through a direct link to a payment provider.
Requirement 6.4.3 (on SAQ-A) applies to the page(s) on the merchant’s website(s) that provide the address (the URL) of the third-party service provider’s (TPSP’s) payment page/form to the merchant’s customers. In other words, the merchant is responsible for ensuring that its own web page(s) comply with this requirement.
The requirement itself requires that all payment page scripts that are loaded and executed in the consumer’s browser are managed as follows:
- A method is implemented to confirm that each script is authorized;
- A method is implemented to assure the integrity of each script;
- An inventory of all scripts is maintained with written justification as to why each is necessary.
The requirement applies to all scripts loaded from the entity’s environment and scripts loaded from third and fourth parties. Now it could be that the payment gateways start providing a service to monitor all of the scripts on their customers’ website(s), or it could be that the merchants engage another third-party to provide this service. My concern is that an SAQ-A applicable merchant needs to know about this requirement before they can determine how to comply with it.
But before anyone starts to panic about this: the requirement is a best practice until 31 March 2025, after which it becomes mandatory and must be fully considered during a PCI DSS assessment. So there is time to reach out and discuss what the changes mean and the options for complying with them.
If you would like to speak to one of the team directly and discuss the many different ways Data Protection People can support you on your journey with PCI DSS 4.0, you can contact us here: Contact Us