By Source Defense
With the introduction of PCI DSS 4.0, merchants are now grappling with new requirements that aim to enhance the security of cardholder data. At a recent roundtable hosted by Source Defense, industry veterans gathered to dissect these changes and their implications for businesses of all sizes.
Understanding the New Requirements
PCI DSS 4.0 introduces two pivotal requirements—6.4.3 and 11.6.1—that focus on the security of payment pages. Compliance with these requirements is mandatory by March 2025 for all organizations handling online payments. These requirements mandate that merchants ensure the authorization and integrity of scripts on their payment pages and monitor any changes to the content or headers associated with these pages.
Matt McGuirk, Solution Architect at Source Defense, emphasized the significance of these requirements in the context of evolving cyber threats. “We saw the rise in what I would call a Magecart or client-side attacks…a kind of cybersecurity attack that occurs within the web page, not in the web app, not on the server, not in databases, but at runtime as the customer’s making their purchase. And so, it’s a new gap to fill,” McGuirk explained.
“There’s lots of stuff in DSS about securing your servers, files at rest, even TLS SSL as things are going back and forth. But there was really no consideration of the browser as its own kind of unique execution environment,” he said. “The idea here is that on a web page where card data is present, a merchant must have a mechanism to make sure that those scripts are authorized to be there… a mechanism to ensure the integrity of those scripts and an inventory maintained of all of those scripts,” McGuirk said.
Broadening the Scope
One of the most debated topics during the roundtable was the scope of these new requirements, especially how they extend to third-party and even fourth-party service providers. This expansion of scope reflects a more holistic “payment flow” approach to securing online transactions.
Jeff Man, QSA at Online Business Systems, highlighted the intent behind this broader scope. “The intention is very clearly in version 4 that at least part of what is being looked at is… the web pages that are at the merchant site,” Man said. “Even the pages that are doing a redirect to a third-party payment process or serving up an iframe. So very much the intention of version 4 is what we used to call the e-commerce server, the e-commerce page, and not just what I would call the payment page which is the checkout function.”
The Role of Automated Tools
Given the complexity of managing these new security requirements manually, the panelists advocated for the adoption of automated tools that can streamline compliance and enhance security.
Richard Haag, Vice President of Compliance Services at Intersec Worldwide, emphasized the necessity of automation. “We’re really kind of encouraging our clients to go with the tools,” Haag said. “I think a lot of our larger clients, they’re looking at tools that automate this to some extent and capture that authorization and document what’s happening. These scripts and these pages change, and trying to keep track of stuff like that in a spreadsheet is just not going to happen.”
“An in-depth understanding of your site and what is running on it becomes much more manageable when automated tools can analyze, identify, and classify all those scripts,” McGuirk said. “Along with a workflow for justification, these tools should ensure the integrity of scripts in a way that’s efficient and reduces the overall workload.”
The panel discussed the various technological solutions that merchants could adopt to comply with PCI DSS 4.0 requirements, specifically Content Security Policy (CSP) and Subresource Integrity (SRI). These technologies are designed to enhance the security of web pages by controlling which scripts can run and ensuring the integrity of those scripts.
However, Sully Perella, Technical Director at Schellman highlighted that CSP, while intended to secure the execution environment of a web page, often causes functional issues. This is particularly problematic for large websites that rely heavily on dynamic content and third-party integrations, which are common in marketing and sales applications.
“CSP is a directive to the browser that tends to break stuff quite often,” Perella said. “A lot of our larger sites might try it and they get some pushback, particularly from marketing and sales, and that’s the end of that.”
Perella also highlighted the role automated tools play in maintaining and responding to changes, highlighting their importance in simplifying compliance and ensuring consistent security management. “We see a lot of organizations going to solutions, and then as a QSA, we just want to see that that is consistently maintained and responded to if something flags or triggers,” Perella said. “What’s your after action? We see the change control for that, which shows their responsiveness, that it addresses what we know to be the scope of those pages, and it definitely simplifies the whole process, that’s for sure.”
The takeaway is that behavior-based solutions, which offer real-time monitoring and blocking of unauthorized script behaviors, are more effective than traditional methods like Content Security Policy (CSP) and Subresource Integrity (SRI).
Challenges for Small Merchants
While larger organizations may have the resources to tackle these new requirements head-on, smaller merchants face significant hurdles. The roundtable discussion underscored the disproportionate impact on smaller businesses and the need for tailored solutions.
Robert Davidson, National Practice Lead at AT&T Cybersecurity, expressed concern for smaller entities. “For the small guys… I think that’s going to be a challenge for most of the implementation of these requirements,” he said. “The smaller the organization, the greater this pain is.”
“Small merchants that have never done anything before… are now having to do something and not only are they having to come up with something to meet 6.4.3 and 11.6.1, they’re also now subject to ASV scans,” Man added. “And that’s not a new requirement, so they didn’t even get a grace period for that. I’ve got clients right now that are not necessarily the small merchants, but the larger merchants that sort of partition off their e-commerce so that they can do an SAQ A or SAQ A equivalent requirements. They’re freaking out a little bit, to be quite honest.”
Sully Perella underscored the importance of seeking expert guidance, particularly for smaller merchants. “If your server is providing it and it’s executing on your customer’s browser, the intent is you know what that is,” Perella explained. “Even if it’s a third-party or fourth-party, you need to have control and knowledge of what’s being executed in your customer’s browser.”
Moving Forward with Payment Page Security
The roundtable concluded with a consensus that while these new requirements may pose challenges, they are crucial for advancing payment page security and protecting cardholder data. The panelists agreed that continuous monitoring, leveraging automation, and seeking expert guidance are essential steps for compliance and security.
Kyle Hinterberg, Manager at LBMC summed up the broader implications. “The edge is disappearing. It used to be requirement one around network security controls was your edge; now it’s requirement six,” he said. “The reality is this stuff is super important to do all over your site. What we’re talking about right now is like the minimum standard, right? The very minimum standard.”
Richard Haag highlighted the importance of adopting a continuous security approach, saying, “At the end of the day, it’s great to meet a deadline, but if you get breached, that is just a horrible thing for any merchant to go through.” Haag said. “We’ve even seen small merchants that really can’t afford it quite frankly. You know, they get put out of business, and if your site is distributing malware or keystroke loggers or e-skimmers and stealing data, it has an impact on you financially.”
Navigating the new requirements of PCI DSS 4.0 presents significant challenges, particularly in ensuring the authorization, integrity, and monitoring of scripts on payment pages to prevent eSkimming attacks. As discussed by industry experts at our recent roundtable, manually managing these requirements can be complex and overwhelming, especially for smaller merchants. Traditional methods like Content Security Policy (CSP) and Subresource Integrity (SRI) often fall short, proving difficult to implement and maintain.
Source Defense offers a comprehensive solution to these problems. As a pioneer in client-side security, Source Defense provides proven automated tools that streamline compliance, ensure real-time monitoring and blocking of unauthorized script behaviors, and reduce the overall workload. Trusted by over 1,000 leading brands and endorsed by the PCI Council, Source Defense delivers an efficient 90-day action plan to help businesses of all sizes achieve compliance. By leveraging Source Defense’s advanced solutions, merchants can safeguard their e-commerce platforms against evolving cyber threats and navigate the complexities of PCI DSS 4.0 with confidence.
For more insights on how to comply with PCI DSS 4.0, explore Source Defense’s guide or reach out for a free analysis of your payment page security.
Start with our FREE PCI Compliance Dashboard – we’ll give you an outside in view of your current situation and work with you to develop a plan for implementing the required controls in a matter of weeks, not months!