Developing A Rapid Action Plan for PCI eSkimming Compliance

by Source Defense

Payment card security faces new challenges as merchants and service providers prepare for the Payment Card Industry Data Security Standard (PCI DSS) 4.0 requirements on eSkimming prevention. With the March 2025 deadline approaching, organizations must act quickly to implement these new mandates. 

Here’s a look at Source Defense’s approach to developing actionable strategies to help you build a rapid compliance action plan.

Understanding the New Requirements

PCI DSS 4.0 introduces two critical requirements: 6.4.3 and 11.6.1. These focus on securing payment pages against client-side attacks, particularly eSkimming. The requirements can be distilled into four main tasks:

1. Inventory payment page scripts
2. Justify the presence of each script
3. Verify the integrity of payment page scripts
4. Monitor script and payment page contents, including HTTP response headers

It’s important to note that the scope of what constitutes a “payment page” has expanded significantly from PCI DSS 3.2 to 4.0. Pages that embed payment iframes, previously considered out of scope, are now included in these requirements.

The Current Landscape

Recent research conducted across 7,000 websites reveals the prevalence and risks associated with third-party scripts on payment pages:

• 98% of websites have some form of JavaScript integration.
• Analytics and tag management tools are the most common and potentially risky integrations.
• 20% of data accessed on payment pages are personally identifiable, with 5% each for credentials and payment data.

Industries such as apparel and fashion, business services, and food and beverage show the highest levels of script integration on payment pages.

Developing Your Action Plan

To rapidly address PCI DSS 4.0 compliance, consider the following steps:

1. Conduct a Comprehensive Inventory: Identify all scripts on your payment pages. Pay particular attention to analytics and tag management tools, as these are both prevalent and potentially risky.
2. Assess and Justify: For each script identified, determine its purpose and justify its presence on payment pages. Consider whether less sensitive alternatives are available.
3. Implement Integrity Verification: Develop a system to verify that payment page scripts are not altered without your knowledge. This may involve a combination of technical controls and operational procedures.
4. Establish Monitoring Protocols: Continuously monitor script behavior and payment page contents. This should include tracking changes to HTTP response headers, which can indicate security control modifications.
5. Review Access Controls: Evaluate who has access to add or modify scripts on payment pages, especially through tag management systems. Implement strict governance around these processes.
6. Consider the Entire Payment Flow: While PCI DSS 4.0 focuses on payment pages, security experts recommend considering the entire payment flow for a more comprehensive security posture.
7. Evaluate Technical Solutions: Assess the applicability of Content Security Policy (CSP) and Subresource Integrity (SRI) for your environment. Be aware of the challenges these technologies present with frequently changing third-party scripts.
8. Prepare for Continuous Compliance: Remember that compliance is not a one-time effort. Develop processes for ongoing monitoring, regular reassessments, and prompt addressing of new vulnerabilities or changes in your payment infrastructure.

Download our 90 Day Action Plan

Challenges and Considerations

While working toward compliance, be mindful of several challenges:

• The dynamic nature of third-party scripts can make implementing traditional integrity verification methods like CSP and SRI challenging.
• Balancing security requirements with business needs for customer insights and marketing tools will require careful consideration.
• The expanded scope of payment pages may significantly increase the complexity of compliance efforts for some organizations.

Conclusion

The new PCI DSS 4.0 requirements for eSkimming prevention represent a significant shift in payment security practices. By understanding the requirements, assessing your current landscape, and methodically addressing each aspect of compliance, your organization can develop a rapid and effective action plan. Remember, the goal is not just achieving compliance but enhancing the overall security of your payment ecosystem to protect both your business and your customers.

As the March 2025 deadline approaches, start your compliance journey now to ensure ample time for implementing, testing, and refining your security measures. 

Take Action Now

Don’t wait until it’s too late. The complexity of e-skimming compliance demands immediate attention and expert guidance. By partnering with Source Defense, you can:

• Rapidly assess your current compliance status
• Develop a comprehensive action plan tailored to your business
• Implement robust client-side security measures
• Ensure ongoing compliance and protection against evolving threats

Next Steps

1. Contact Source Defense: Reach out to their team of experts to discuss your specific compliance needs.
2. Request a Demo: See firsthand how their solutions can address your PCI DSS 4.0 compliance challenges.
3. Start Your Compliance Journey: Begin implementing a robust e-skimming prevention strategy with the guidance of industry leaders.

Remember, achieving and maintaining PCI DSS 4.0 compliance is not just about meeting a deadline—it’s about establishing a strong, ongoing security posture for your e-commerce operations. Let Source Defense be your partner in this crucial endeavor.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.

Download the Guide