By Source Defense
With the March 2025 deadline for PCI DSS 4.0 compliance rapidly approaching, organizations are under increasing pressure to meet the new requirements, particularly the eSkimming (client-side security) requirements found under 6.4.3 and 11.6.1. As businesses prepare for these changes, gaining insights from Qualified Security Assessors (QSAs) on compliance expectations and necessary documentation is crucial. These experts offer valuable guidance on navigating the complexities of PCI DSS 4.0, ensuring that organizations are fully prepared when the deadline arrives.
Source Defense, the pioneer in eSkimming Security, recently hosted another of its QSA Roundtables where top industry experts discussed crucial aspects of ensuring compliance with PCI DSS v4.0, specifically focusing on requirements 6.4.3 and 11.6.1.
The panel featured:
- Gil Eng, Executive Consultant, IBM Cybersecurity Services
- Aaron Getchius, PCI Practice Lead, Insight Assurance
- Dustin Rich, Director, PCI Practice Lead, A-Lign
- Ty Huelle, Technical Manager, PCI Advisory Services, Optiv
- Matt McGuirk, Head of Field Engineering, Source Defense
The Growing Importance of eSkimming / Client-Side Security
One of the most significant developments in PCI DSS v4.0 is the heightened emphasis on eSkimming security. As web applications have become more sophisticated, so too have the methods attackers use to exploit vulnerabilities. JavaScript, the backbone of modern web applications, is at the center of this issue.
“The real flaw… is that JavaScript has no inherent security model within the browser,” said Matt McGuirk, Head of Field Engineering at Source Defense. “There’s no notion of permission or control or even really reporting by default out of the browser about what the front end of a web application does.” This lack of built-in security in browsers makes JavaScript an attractive target for cybercriminals looking to steal sensitive data directly from users’ browsers through eSkimming and formjacking.
eSkimming, also known as a Magecart attack, involves injecting malicious JavaScript into a web page to capture user payment information. These attacks are often silent and difficult to detect, making them particularly dangerous. Formjacking, another common method, manipulates web forms to collect data without the user’s knowledge. These attack vectors underscore the critical need for robust client-side security measures, which PCI DSS v4.0 seeks to address.
Expanding the Scope: PCI DSS v4.0 Requirements
The introduction of PCI DSS v4.0 has broadened the scope of compliance, particularly concerning eCommerce security. This expansion means that even websites that previously relied on iframes or redirects to third-party payment processors must now implement controls to monitor and secure client-side scripts.
“Now, if you’ve got any kind of administrative capability on a web server platform with an iframe or redirection link, you need a product like Source Defense to do this,” said Dustin Rich, Director and PCI Practice Lead at A-Lign. This change reflects the growing recognition that all elements of a web application, including those on the client side, must be secured to protect against sophisticated attacks.
The discussion also emphasized the challenges that come with this expanded scope. Organizations that previously considered themselves out of scope due to their use of third-party payment processors are now finding that they must take additional steps to ensure compliance. This includes monitoring scripts on their websites, even if the payment processing is handled externally.
Implementation Challenges: Navigating the New Requirements
Implementing the new requirements of PCI DSS v4.0 presents significant challenges, particularly for organizations managing dynamic and complex web environments. One core challenge discussed was maintaining an up-to-date inventory of active scripts on payment pages, ensuring that each script is authorized and its integrity is verified.
“I had one customer who said they spent six months trying to inventory all the scripts on their payment pages and authorizing them… and they’re still not done,” said Aaron Getchius, PCI Practice Lead for Insight Assurance. This anecdote highlights the immense workload of manually tracking and managing script inventories, especially in environments where scripts are frequently updated or dynamically loaded.
Maintaining script inventories is complicated by the need to verify their integrity. The PCI DSS v4.0 requirements mandate that organizations ensure that the scripts on their payment pages have not been tampered with. This is particularly challenging for third-party scripts, which are often outside the organization’s direct control and can change frequently.
Practical Solutions: Tools and Automation
Given the challenges of manual script management, the panelists strongly advocated using automated tools to help organizations comply with PCI DSS v4.0. These tools can significantly reduce organizations’ burden by automating the processes of script inventory, authorization, and integrity checks.
“The challenge with Subresource Integrity is that you need to have a valid hash of the file, or it won’t load in the browser,” McGuirk said. “That’s really difficult to do in front-end JavaScript using a stripped file differential or… hashing technique.” Subresource Integrity (SRI) and Content Security Policy (CSP) are technologies that are mentioned in the PCI DSS v4.0 guidance on the issue – but they are not always practical for complex, dynamic web applications.
For instance, CSP allows organizations to define which scripts can run on their web pages, while SRI ensures that only scripts with a specific, pre-approved hash can be executed. However, these technologies can be difficult to implement in environments where scripts change frequently or third-party scripts are used extensively.
In such cases, automated tools that monitor script behavior in real-time and alert organizations to potential security issues can be invaluable. These tools go beyond simply checking whether a script matches a predefined hash; they analyze script behavior to detect suspicious activities, such as attempts to access sensitive data or communicate with unauthorized servers.
Industry Trends and Future Outlook
As the PCI DSS v4.0 compliance deadline approaches, organizations increasingly recognize the importance of client-side security. However, many are still in the early stages of implementing the necessary controls, with some expressing frustration over the additional requirements.
“There’s a lot of customers out there that say that they’ll be compliant with the requirement by the time that their next assessment rolls around, but then I remind them that this goes into effect April 1st,” Getchius said. “You don’t have until September of 2025 to become compliant with it. You need to start working on it now in order to get it in place by the time that the requirement goes into effect.“
This sense of urgency is echoed across the industry, with many organizations now actively seeking solutions to meet the new standards. The panelists observed that while awareness of the requirements is high, actual implementation lags behind. This is partly due to the complexity of the requirements and the time needed to evaluate and implement effective solutions.
“If I had to put a word on how our entities are trying to comply with these extra requirements, yeah, they’re scared,” said Gil Eng, Executive Consultant at IBM Cybersecurity Services. This fear is not unwarranted; the new requirements represent a significant change in how organizations must approach web security, and the potential consequences of non-compliance are severe.
However, despite the challenges, the panelists agreed that these new requirements will ultimately lead to stronger security for organizations and their customers. By addressing the vulnerabilities inherent in client-side scripts, PCI DSS v4.0 aims to close a critical gap in web application security, reducing the risk of devastating attacks like eSkimming.
Conclusion: Preparing for the Future of Web Security
As the discussion made clear, the introduction of PCI DSS v4.0 marks a pivotal moment in the evolution of web application security. The new requirements emphasize client-side security, addressing the vulnerabilities that have long plagued web applications.
The path to compliance may be challenging for organizations, but the benefits are undeniable. By securing client-side scripts, organizations can protect themselves and their customers from the growing threat of eSkimming and other client-side attacks.
The key takeaway from the roundtable is the importance of proactive, automated solutions. While manual compliance efforts are possible, they are often impractical, given the dynamic nature of modern web applications. Automated tools that can continuously monitor, analyze, and secure client-side scripts are essential for meeting the demands of PCI DSS v4.0.
“We don’t want any risk… you’re going to need a tool such as Source Defense to do it,” Eng said. The time to start preparing is now. By doing so, organizations can ensure they are ready to meet the challenges of PCI DSS v4.0 and protect their customers from the ever-evolving threats in the digital landscape.
To learn more about the insights shared during the QSA Roundtable, you can watch the full recording of the QSA Roundtable webinar here. Additionally, explore what the experts from Coalfire and VikingCloud have to say in their detailed white papers on the crucial role of client-side security in PCI DSS v4.0 compliance. These resources offer invaluable guidance as you prepare for the upcoming compliance deadlines, ensuring your organization is fully equipped to meet the new standards.