Navigating PCI DSS v4.0 Requirements

Ensuring Your Business Stays Compliant

Publish Date: 03/07/2024 - Author: Andy Carroll


Image credit to DALL-E-3

As cyber threats continue to evolve, maintaining good security practices and keeping up to date with technical news is especially important for businesses that handle payment card information. 

The Payment Card Industry Data Security Standard (PCI DSS) provides a comprehensive framework to ensure the security of card transactions and the protection of cardholder data. Recent updates to PCI DSS reflect some of the new challenges and attack vectors that have affected online retailers. 

Many merchants choose to use their payment provider's hosted payment pages in order to reduce their PCI DSS compliance obligations to the most basic Self-Assessment Questionnaire, SAQ A. In that model the merchant neither transmits nor stores any card data in electronic format; all account and card data is outsourced to compliant payment providers. 

Merchant Eligibility Criteria for Self-Assessment Questionnaire A
Self-Assessment Questionnaire (SAQ) A includes only those PCI DSS requirements applicable to merchants with account data functions completely outsourced to PCI DSS validated and compliant third parties, where the merchant retains only paper reports or receipts with account data.
SAQ A merchants may be either e-commerce or mail/telephone-order merchants (card-not-present) and do not store, process, or transmit any account data in electronic format on their systems or premises.

Unfortunately, using hosted payment pages no longer exempts a merchant from actively protecting its own website pages. Cyber criminals have been targeting the redirect and iframe pages on merchant websites directly, before the customer ever reaches the hosted payment processor. This has forced the card companies to expand the security requirements to mitigate those attack vectors. Here are just some of the more important changes:

Updated and New Requirements

Requirement 6.4.3

Note: For SAQ A, Requirement 6.4.3 applies to a merchant’s website(s) that includes a TPSP’s/payment processor’s embedded payment page/form (for example, an inline frame or iFrame).

All payment page scripts that are loaded and executed in the consumer's browser are managed as follows:
- A method is implemented to confirm that each script is authorized.
- A method is implemented to assure the integrity of each script.
- An inventory of all scripts is maintained with written justification as to why each is necessary.

This requirement applies to all scripts loaded from the entity's environment and scripts loaded from third and fourth parties. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

Requirement 11.3.2

Note: For SAQ A, Requirement 11 applies to merchant webservers that host the page(s) that either 1) redirects customers from the merchant website to a TPSP/payment processor for payment processing (for example, with a URL redirect) or 2) includes a TPSP’s/payment processor’s embedded payment page/form (for example, an inline frame or iFrame).

External vulnerability scans are performed as follows:
- At least once every three months.
- By a PCI SSC Approved Scanning Vendor (ASV).
- Vulnerabilities are resolved and ASV Program Guide requirements for a passing scan are met.
- Rescans are performed as needed to confirm that vulnerabilities are resolved per the ASV Program Guide requirements for a passing scan.

Requirement 11.6.1

Note: For SAQ A, Requirement 11.6.1 applies to a merchant’s website that includes a TPSP’s/payment processor’s embedded payment page/form (for example, an inline frame or iFrame).

Unauthorized changes on payment pages are detected and responded to. A change- and tamper-detection mechanism is deployed as follows:
- To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the HTTP headers and the contents of payment pages as received by the consumer browser.
- The mechanism functions are performed at least once every seven days.

The intention of this requirement is not that an entity installs software in the systems or browsers of its consumers, but rather that the entity uses techniques such as those described under Examples in the PCI DSS Guidance column (of PCI DSS Requirements and Testing Procedures) to prevent and detect unexpected script activities. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
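Taken together, Requirements 6.4.3 and 11.6.1 describe a recurring check that a merchant can automate. The Python script below is added here as an illustration and is not taken from the PCI DSS or from any vendor tool: it audits the script tags of a payment page against a written inventory that carries Subresource Integrity hashes (6.4.3), then compares the HTTP headers and page body a browser received against a known-good baseline (11.6.1). The page HTML, script bodies, the psp.example hostname and the header baseline are all constructed sample values.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_hash(content: bytes) -> str:  # Subresource Integrity value: "sha384-" + base64 digest
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()
# Constructed sample data (no real merchant or PSP): the 6.4.3 written script inventory,
# the script bodies actually served today, and the payment page as a browser received it.
CHECKOUT_JS = b"document.getElementById('pay').addEventListener('click', pay);"
EMBED_JS = b"window.PSP = { mount: (el) => el.appendChild(document.createElement('iframe')) };"
INVENTORY = {  # src -> (written justification, expected SRI hash)
    "/static/checkout.js": ("Wires the Pay button to the PSP iframe", sri_hash(CHECKOUT_JS)),
    "https://psp.example/v1/embed.js": ("PSP-supplied iframe loader", sri_hash(EMBED_JS)),
}
SERVED = {"/static/checkout.js": CHECKOUT_JS,
          "https://psp.example/v1/embed.js": EMBED_JS + b"/* unexpected appended code */"}
PAGE = """<html><body>
<script src="/static/checkout.js" integrity="{}"></script>
<script src="https://psp.example/v1/embed.js" integrity="{}"></script>
<script src="https://cdn.unknown.example/analytics.js"></script>
<div id="psp-frame"></div></body></html>""".format(INVENTORY["/static/checkout.js"][1], INVENTORY["https://psp.example/v1/embed.js"][1])

class ScriptTags(HTMLParser):  # collects the attributes of every <script> tag on the page
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.tags.append(dict(attrs))

def audit_payment_page(page_html, inventory, served):  # 6.4.3: inventoried, SRI-pinned, unchanged
    parser = ScriptTags()
    parser.feed(page_html)
    findings = []
    for tag in parser.tags:
        src = tag.get("src", "<inline>")
        if src not in inventory:
            findings.append(("not-in-inventory", src))  # no authorization, no written justification
            continue
        expected = inventory[src][1]
        if tag.get("integrity") != expected:
            findings.append(("no-sri-pin", src))  # browser cannot enforce the script's integrity
        if sri_hash(served.get(src, b"")) != expected:
            findings.append(("content-changed", src))  # served body no longer matches the inventory
    return findings

def detect_page_changes(headers, body, baseline):  # 11.6.1: headers and body versus known-good baseline
    changes = [("header", n) for n, v in baseline["headers"].items() if headers.get(n) != v]
    if hashlib.sha256(body.encode()).hexdigest() != baseline["body_sha256"]:
        changes.append(("body", "payment page content"))
    return changes
```

Run on the sample data, the audit flags the third-party analytics script as absent from the inventory and the PSP loader as changed since it was inventoried, while the header check reports a Content-Security-Policy header that the baseline expects but the received response lacks.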

Implementation Timeline

While some requirements became effective immediately upon the release of PCI DSS v4.0, others have future-dated deadlines. Merchants need to prioritize implementing controls that are immediately required for 2024 assessments and prepare for additional requirements that will come into force by 2025.