Organizations Must Act Now

As the deadline for Payment Card Industry Data Security Standard (PCI DSS) v4.0 compliance rapidly approaches, organizations face a critical juncture in their payment security journey. This latest version introduces significant changes, mandating stricter measures to protect payment card information. It includes more than 50 new requirements – one of which introduces never before seen requirements around eCommerce security. Specifically, the requirements for eSkimming protections under 6.4.3 and 11.6.1.  With March 31, 2025, marked as the official compliance deadline, industry experts are sounding the alarm for immediate action. The time has long passed for evaluation – this is the time for ACTION! 

The Clock is Ticking

Michael Aminzade, Vice President of Compliance & Risk Services at VikingCloud, emphasizes the urgency of the situation in a recent blog post by the PCI Security Standards Council:

“It is not early anymore. There are only eight months left for merchants to plan and prepare for the changes in PCI DSS v4.x. We have actively encouraged VikingCloud’s customers to perform gap assessments against the future-dated requirements in preparation for next year.“

This sense of urgency is well-founded. PCI DSS v4.0 represents the most substantial update to the standard in over a decade, introducing 64 new requirements, 51 of which WERE future-dated but the future is about to be the PRESENT. The scope and complexity of these changes demand immediate attention and action from organizations.

The Advantages of Early Adoption

Understanding the significant changes in PCI DSS v4.0 is crucial for effective planning. The new standard introduces several important updates across various aspects of payment security.

One of the most notable changes affects e-commerce merchants completing Self-Assessment Questionnaire (SAQ) A. “E-commerce merchants completing Self-Assessment Questionnaire (SAQ) A are now expected to undertake vulnerability scans at least once every three months by an Approved Scanning Vendor (ASV),” Aminzade said. This new requirement emphasizes the importance of regular security assessments for online businesses.

The standard also emphasizes securing the digital supply chain. The dozens of partners running JavaScript in an unmonitored, unmanaged, uncontrolled fashion at current must be addressed under requirements 6.4.3 and 11.6.1. Tackling the problem is easy if you get moving now and use automated solutions like Source Defense – but every day you delay is a day you leave the organization exposed to the risk of breach AND increase chances of non-compliance come April 1st 2025.

The standard also heavily emphasizes a focus on Third-Party Service Providers (TPSPs). Aminzade highlights the importance of this aspect. “Criminals utilize weaknesses within the supply chain to gain access to insert malware,” he said. “So, using PCI-compliant TPSPs within your supply chain reduces the risk of a data breach.” This underscores the need for organizations to ensure their partners and vendors are also compliant with PCI DSS standards.

Another significant change in PCI DSS v4.0 is the introduction of new requirements that clearly define and document organizational roles and responsibilities. “One of the factors that has stood out to us is that many of the new requirements focus on roles and responsibilities. This simply means that staff know and have been trained in the roles and activities they undertake,” Aminzade said. This change ensures that all staff members are well-prepared to handle their security responsibilities effectively.

Lastly, the new standard mandates an annual scope confirmation exercise. Aminzade supports this addition: “Organizations do need to validate all parts of their PCI DSS scope every year. Because in this ever-evolving world of payments, things are changing all the time.” This requirement ensures that organizations regularly review and update their compliance scope to keep pace with changes in their payment environments.

These key changes collectively represent a significant shift in the PCI DSS landscape, requiring organizations to take a more proactive and comprehensive approach to payment security.

The Challenge of eSkimming (Client-Side) Security

Securing client-side interactions is one of the most significant hurdles in achieving PCI DSS v4.0 compliance. This is particularly challenging because payment page scripts and forms run on the client side, limiting website owners’ ability to detect their behavior, especially dynamically loaded code.

Section 6.4.3 of the new standard establishes script authorization, inventory, and integrity regulations. Manual implementation of these requirements can be extremely resource-intensive and complex. So much so that many of the world’s leading QSAs from organizations like CoalFire, VikingCloud, IBM, A-Lign, TrustedSec and more, have advised clients to avoid homegrown solutions and instead turn to organizations like Source Defense.

Leveraging Technology for Compliance

Given the complexities of eSkimming (client-side) security and the stringent requirements of PCI DSS v4.0, many organizations are turning to specialized solutions to ensure compliance. These solutions can help automate many aspects of client-side security, significantly reducing the time and resources required to achieve and maintain compliance.

Key features to look for in such solutions include:

1. Push button compliance – with assessment dashboards, ongoing management and reporting built in 
2. Automated script management – with out of the box policies that reduce management overhead 
3. Real-time monitoring of client-side activity
4. Third-party risk management capabilities
5. Customizable security policies

Conclusion

The transition to PCI DSS v4.0 presents both a significant challenge and an opportunity for organizations to significantly improve their payment security and customer data protection. 

By taking action now, organizations can ensure compliance and strengthen their overall security posture, protect their reputation, and build trust with their customers. The key to success lies in understanding the new requirements, assessing your current state, and leveraging powerful tools to address complex challenges such as client-side security.

Remember, while the deadline may seem distant, the time to act is NOW. Don’t wait until it’s too late – start your PCI DSS v4.0 compliance journey today.

Source Defense has a solution that can be turned on OVERNIGHT – we can literally get you compliant after a single meeting. 

How Source Defense Can Help

Source Defense offers a comprehensive solution to address critical PCI DSS requirements, particularly 6.4.3 and 11.6.1 while enhancing web application security. Here’s how Source Defense can assist organizations in meeting PCI compliance and protecting against client-side threats:

1. Advanced Script Management
   * Identifies and neutralizes potentially compromised first-party scripts.
   * Manages and secures third-party scripts commonly used in modern websites
   * Goes beyond simple blacklisting or whitelisting by identifying out-of-pattern behaviors
2. Behavior-Based Defense
   * Utilizes behavioral based controls to detect and prevent unauthorized script usage
   * Monitors authorized script integrity in real-time
   * Detects sophisticated attack vectors aimed at exploiting client-side vulnerabilities
3. Proactive Threat Prevention
   * Prevents potentially harmful actions such as unauthorized information siphoning
   * Stops attacks before they can affect websites or customers
4. Real-Time Client-Side Security
   * Implements client-side sandboxing and permissions-based isolation
   * Restricts script access to web page elements and controls script behavior
   * Monitors and manages data flow from the page to external sources
5. Operational Efficiency
   * Provides comprehensive dashboards for easy management.
   * Offers automated tools for script inventory management and justification. workflows
   * Streamlines compliance demonstration with minimal administrative burden.
6. Addressing PCI DSS Requirements
   * Specifically addresses requirements 6.4.3 and 11.6.1.
   * Helps achieve compliance with Requirement 6.5 by addressing vulnerabilities in third-party applications and integration.

By implementing Source Defense, organizations can significantly enhance their defense against eSkimming attacks, ensure PCI DSS compliance, and protect sensitive cardholder data from emerging threats in the digital payment ecosystem.

We have a proven track record in helping more than 1,000 of the world’s largest brands. We can get you moving THIS WEEK – schedule a free consultation and get on the path to compliance.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.

Download the Guide