Say Hello PCI DSS v4

For two years, PCI DSS v4, the latest version of the PCI DSS standard, has been at the forefront of professionals from the payment industry. Version 4 was first released in March 2022, with two years of transition for v3.2.1.

As of March 31, 2024, we’ve officially waved goodbye to this latest iteration and the clock keeps ticking. Like many new requirements in the standard, the ones designed to defeat E-commerce skimming attacks will only become mandatory after April 1, 2025. Until that date, they are described as best practices.

This means they will not be evaluated in a formal PCI DSS assessment until "after March 31, 2025".

Although it seems there is still some time left to worry about it, it’s highly recommended that companies do not delay the implementation of the new security requirements as these E-commerce skimming attacks continue to be increasingly popular today and all e-commerce websites are at risk.

The requirements in PCI DSS v4

The fourth iteration of the standard contains 64 new requirements that organizations seeking compliance must fulfill. Two of these new requirements are focused on the integrity of pages where payment is taken on an e-commerce website and aim to stop e-commerce skimming (Magecart) attacks.

PCI DSS applies to all businesses that accept cards, regardless of how they trade. Let's explore these two requirements:

Requirement 6.4.3  (Preventative)

The first new requirement is designed to minimize the attack surface and manage all JavaScript present on the payment page by requiring an approval process and justification for each script added to the payment page.

It is designed to ensure that all JavaScript included in the payment page is actively managed. Additionally, the requirement wants a way of validating the integrity of a script to be defined to ensure that malicious scripts are not placed on the payment page.

Requirement 11.6.1 (Detective)

The second new requirement aims to detect tampering or unauthorized changes to the payment page, which can indicate a skimming-type attack.

In addition to detecting changes, the requirement demands that an alert be generated when such changes are detected. There is no requirement to block changes or malicious activity, to send an alert.

The business impact of V4

Any organization that wants to accept a transaction with a payment card issued by a PCI SSC participating card brand is required to sign a contract that will contain references to the card brand’s rules, which will specify that:

• The organization has to comply with PCI DSS.

• The organization must ensure that all of their third-party service providers that can affect the security of cardholder data comply with PCI DSS.

  
  

Merchants must gain visibility, risk management, and control over JavaScript before the standard requires it to protect payment card data and guarantee compliance with the new PCI DSS requirements.

Jscrambler’s Solution to Help Achieve PCI DSS v4.0 Compliance

Jscrambler’s Solution allows companies to achieve compliance with the new requirements of PCI DSS v4.0, developed to prevent and detect e-commerce (e.g., Magecart) skimming attacks.

More specifically, we are helping Merchants achieve compliance with requirements 6.4.3 and 11.6.1 of PCI DSS v4.0 and QSAs to validate compliance. Our solution provides merchants with visibility, risk management, and control of all JavaScript running on their websites. 

The new requirements mandate that e-commerce businesses maintain a full inventory of every script on their payment page. Businesses are also expected to validate the integrity of every script to ensure that those loaded into the consumer’s browser haven’t been tampered with.

Jscrambler goes one step further than the new requirements and can be configured to automatically block all attempts to skim cardholder data from e-commerce transactions.

To help clear any questions about PCI DSS v4, join our upcoming webinar on May 2nd, 2024 - Goodbye PCI DSS v3.2.1, Hello PCI DSS v4. Jscrambler's experts will be joined by Jeremy King, Regional Head of Europe at PCI SSC.

Register here.