PCI-DSS Got an Update – What Does Version 4.0 Mean for Your Compliance Requirements?
PCI-DSS is going through some changes! The Payment Card Industry standards are one of the most important compliance regulations for any business that takes online payments, and it’s been 4 long years since the last update. If you don’t feel like reading through the 360 page document yourself – we’ve got your back!
Join us while we summarize some of the main changes you need to be aware of, that will amend what you need to do to remain compliant on the checkout pages of your website.
Catch me up – what is PCI DSS?
Just in case you want a quick refresher to share with less compliance-savvy colleagues, PCI is the Payment Card Industry, and DSS stands for Data Security Standard. The rules enforce technical and operational requirements to protect user data and ensure that a consistent approach is used for data security around the world. If you take payment information from your customers and handle their payment card data – you need to be PCI DSS compliant.
Existing requirements for website payment pages
The risks of payment and checkout pages are hardly front-page news. Attackers have been targeting online businesses for some time, launching web skimming attacks (often attributed to Magecart groups) that inject malicious code or scripts into a website to steal users’ financial data. Section 6.4.3 of the PCI DSS enforces the following rules for organizations:
All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows:
- A method is implemented to confirm that each script is authorized.
- A method is implemented to assure the integrity of each script.
- An inventory of all scripts is maintained with written justification as to why each is necessary.
These requirements enforce best-practice visibility over all third (and fourth) party digital applications on your website.
What’s new in version 4.0?
With the introduction of version 4.0 of PCI DSS, the gold standard of payment data security is upping the ante and providing clearer instructions to support organizations in protecting user data. Organizations will now need to have enhanced insight into the behavior of these third-party apps. The following new requirements will involve more granular visibility into digital applications.
Manage all vulnerabilities
Under the section of PCI DSS where the rules for vulnerability scans are laid out, there is now a new requirement to perform internal vulnerability scans, and to use authenticated scanning for this process. This includes documenting all the systems which are unable to accept authenticated scanning, as this is clearly marked out as the best practice. In addition, businesses must be able to visualize and manage even those vulnerabilities which are not ranked as high-risk or critical.
11.3.1.1: New requirement to manage all other applicable vulnerabilities (those not ranked as high-risk or critical) found during internal vulnerability scans.
11.3.1.2: New requirement to perform internal vulnerability scans via authenticated scanning.
Implement change and tamper detection
Visibility via scanning is just step one. Organizations must now be aware of all changes that are happening on payment pages, including modifications to HTTP headers or any contents on the page on the consumer browser. This is a clear attempt to solve the challenge of web-skimming and other attacks that steal data on the client side, out of the reach of classic security solutions.
Attacks of this kind exploit the fact that external domains and third-party applications are often not on a business’s radar as a potential source of cyber threat. They expand the attack surface, and security teams are left without real visibility into runtime changes.
11.6.1 New requirement to deploy a change-and-tamper detection mechanism to alert for unauthorized modifications to the HTTP headers and contents of payment pages as received by the consumer browser.
The guidance in the PCI DSS update states: “By comparing the current version of the HTTP header and the active content of payment pages as received by the consumer browser with prior or known versions, it is possible to detect unauthorized changes that may indicate a skimming attack. Additionally, by looking for known indicators of compromise and script elements or behavior typical of skimmers, suspicious alerts can be raised.”
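The two mechanisms described above (the 6.4.3 script inventory with authorization and integrity checks, and the 11.6.1 comparison of headers and page content against a known-good version) can be combined into one baseline audit. The following is an added example written for this post, not code from the PCI SSC or from any vendor; the URLs, script bodies, header values and the `audit_payment_page` function are all constructed assumptions, and a real monitor would fetch the live page and scripts instead of the embedded capture.

```python
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collects the src of every external <script> tag on the page."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.srcs.append(src)


def audit_payment_page(html, headers, fetched, inventory, header_baseline):
    """Compare one capture of the payment page with the approved baseline.
    Findings: scripts absent from the inventory and scripts whose body no longer
    matches the recorded SHA-256 (6.4.3); response headers that differ (11.6.1)."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        if src not in inventory:
            findings.append(("UNAUTHORIZED_SCRIPT", src))
        elif hashlib.sha256(fetched.get(src, b"")).hexdigest() != inventory[src]["sha256"]:
            findings.append(("INTEGRITY_MISMATCH", src))
    for name, expected in header_baseline.items():
        if headers.get(name) != expected:
            findings.append(("HEADER_CHANGED", name))
    return findings


# Constructed baseline: approved inventory (justification + SHA-256 as reviewed) and headers.
GOOD_CHECKOUT_JS = b"document.forms.pay.addEventListener('submit', validateCard);"
INVENTORY = {"https://cdn.example.test/checkout.js": {
    "why": "card form validation", "sha256": hashlib.sha256(GOOD_CHECKOUT_JS).hexdigest()}}
HEADER_BASELINE = {"content-security-policy": "script-src 'self' https://cdn.example.test",
                   "x-frame-options": "DENY"}


def demo():
    # Constructed capture of what a consumer browser received on a later visit:
    # an extra script tag, a modified checkout.js and a loosened CSP header.
    html = ('<script src="https://cdn.example.test/checkout.js"></script>'
            '<script src="https://static.unknown-host.test/loader.js"></script>')
    headers = {"content-security-policy": "script-src *", "x-frame-options": "DENY"}
    fetched = {"https://cdn.example.test/checkout.js": b"/* altered */" + GOOD_CHECKOUT_JS}
    return audit_payment_page(html, headers, fetched, INVENTORY, HEADER_BASELINE)
```

Each finding maps to an alert the requirement asks for: an unlisted script fails the authorization check, a hash mismatch fails the integrity check, and a changed header is the 11.6.1 tamper signal.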
Regularly document and review
By 2025, you’ll also need to be fully compliant with the following evolving requirements. Organizations should document and review all the protocols, cryptography and other algorithms that are in use on their websites at least annually, as well as any hardware and software technology. The PCI SSC is aware of the need to stay on top of end-of-life plans, protocol changes, and anything else occurring with third-party vendors and partners. Left unchecked and unmonitored, this could impact the security of an organization’s own environment.
12.3.3 New requirement to document and review cryptographic cipher suites and protocols in use at least once every 12 months.
12.3.4 New requirement to review hardware and software technologies in use at least once every 12 months.
Source: PCI Security Standards Council blog
A smart roadmap for today’s organizations
With new rules coming into action just a few months from now, and evolving requirements on the horizon that will require an annual PCI audit – businesses that handle payment card data need a more advanced monitoring solution to meet the growing risk.
Effortlessly prepared for the new regulations, Reflectiz uses authenticated scanning for internal vulnerability scanning and ranks all outcomes clearly from low-risk to critical. The moment an unauthorized change occurs (even from a trusted domain or application), your security teams know about it. You can even set up a defensive baseline so that “unusual” is defined according to your exact business context. While PCI DSS is focused on the payment pages, we ensure that you’re covered website-wide, including login pages and post-authentication scans.
Best of all? Reflectiz is totally unobtrusive, showing value in hours without installing a single line of code.
Ready to check “PCI-DSS compliance” off your to-do list from now through 2025 and beyond? Let’s schedule a call and we can show you how it works.