Three things you need to know about PCI DSS v4.0

PCI DSS v4.0 is the latest version of the PCI DSS standard, released in March 2022. It contains 64 new requirements that organizations seeking compliance must fulfill. Two of these new requirements are focused on the integrity of pages where payment is taken on an e-commerce website and aim to stop e-commerce skimming (Magecart) attacks.

The PCI DSS (Payment Card Industry Data Security Standard) is a well-known general data security standard for all organizations that store, process, or transmit payment card data.

The Payment Card Industry (PCI) Security Standards Council (SSC) released it in 2006. This joint initiative of the card brands includes brands such as Visa, Mastercard, American Express, Discover, and JCB.

3 Things You Must Know About PCI DSS v4.0

1. What are the two new requirements to prevent and detect e-commerce skimming attacks?
   
   

2. How can E-commerce websites meet the new requirements?
   
   

3. The business impact of version 4.0: Why should companies worry now?
   
   

Below, we detail the three things we consider mandatory to know about PCI DSS V4.0 to facilitate your PCI DSS compliance.

What are the two new requirements to prevent and detect e-commerce skimming attacks?

1: Requirement 6.4.3  (Preventative)

The first new requirement is designed to minimize the attack surface and manage all JavaScript present on the payment page by requiring an approval process and justification for each script added to the payment page.

It is designed to ensure that all JavaScript included in the payment page is actively managed. Additionally, the requirement wants a way of validating the integrity of a script to be defined to ensure that malicious scripts are not placed on the payment page.

2: Requirement 11.6.1 (Detective)

The second new requirement aims to detect tampering or unauthorized changes to the payment page, which can indicate a skimming-type attack.

In addition to detecting changes, the requirement demands that an alert be generated when such changes are detected. There is no requirement to block changes or malicious activity, just to send an alert.

How can E-commerce websites meet the new requirements?

To meet these two new requirements, e-commerce companies must focus on:

• Gaining visibility of the JavaScript that’s loaded into their webpages

• Managing the risk associated with each script: Where does it come from? What does it do?

• Having control of JavaScript so that malicious scripts can be blocked or deactivated

The business impact of version 4.0: Why should companies worry now?

Any organization that wants to accept a transaction with a payment card issued by a PCI SSC participating card brand is required to sign a contract that will contain references to the card brand’s rules, which will specify that:

• The organization has to comply with PCI DSS.

• The organization has to make sure that all of their third-party service providers that can affect the security of cardholder data comply with PCI DSS.

The latest version of PCI DSS was released in March 2022 and will replace version 3.2.1. These two new requirements are labeled “best practice until March 31, 2025”. This means that they will not be evaluated in a formal PCI DSS assessment until "after March 31, 2025".

Although it seems there is still a long way to go until then, it’s highly recommended that companies do not delay the implementation of the new security requirements as these E-commerce skimming attacks continue to be increasingly popular today and all e-commerce websites are at risk.

It is imperative that merchants gain visibility, risk management, and control over JavaScript before the standard requires it in order to protect payment card data and guarantee compliance with the new PCI DSS requirements.

Jscrambler’s Solution to Help Achieve PCI DSS v4.0 Compliance

Jscrambler’s Solution allows companies to achieve compliance with the new requirements of PCI DSS v4.0, developed to prevent and detect e-commerce (e.g., Magecart) skimming attacks.

More specifically, we are helping Merchants achieve compliance with requirements 6.4.3 and 11.6.1 of PCI DSS v4.0 and QSAs to validate compliance. Our solution provides merchants with visibility, risk management, and control of all JavaScript running on their websites.  

The new requirements mandate that e-commerce businesses maintain a full inventory of every script on their payment page. Businesses are also expected to validate the integrity of every script to ensure that those loaded into the consumer’s browser haven’t been tampered with.

Jscrambler goes one step further than the new requirements and can be configured to automatically block all attempts to skim cardholder data from e-commerce transactions.