By Source Defense
Last week Source Defense gathered hundreds of the world’s largest merchants, Payment Service Providers, QSACs and Card Associations to hear a panel of leading thinkers in compliance and data security standards discuss the upcoming deadline and the changes in PCI DSS 4.0.
The resounding advice?
These seasoned professionals, authors of “The Definitive Guide to PCI DSS Version 4: Documentation, Compliance, and Management,” answered audience questions centered around the revamped guidelines.
Understanding Deep Shifts in PCI DSS 4.0
PCI DSS 4.0 introduces fresh requirements and a paradigm shift centering around the sanctity of the protection of data at the point of input – as it is being captured in your online forms!
“Security begins when a customer’s payment journey begins,” said Art Cooper, Security Consultant at TrustedSec. “First and foremost, with 6.4.3, we’re going to start looking at all of the scripts that are running on the payment page. And then with 11.6.1, we’re going to monitor that payment page to make sure that the integrity of it stays the same and that nobody has tampered with it,” Cooper said. “That’s a huge change in scope.”
Cooper’s words echo the need for a holistic security paradigm. It’s no longer sufficient to ensure the conventional payment mechanisms are airtight; attention to both first- and third-party script management (the dozens of services you run on your website – chat, analytics, multimedia, ad networks, etc.) and client-side security is non-negotiable.
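To make the two requirements concrete, here is an added example (not Source Defense’s product code and not anything the panel presented) of the kind of check they describe: inventory every script on a payment page and compare it with an approved baseline (6.4.3), and flag inline scripts whose content hash no longer matches the baseline (11.6.1). The checkout page HTML, the approved script list and the baseline hashes are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_inline = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True  # body arrives via handle_data

    def handle_data(self, data):
        if self._in_inline and data.strip():
            self.inline.append(data.strip())

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_payment_page(html, approved_src, approved_inline_hashes):
    """Return (unauthorized external scripts, inline scripts whose hash
    is not in the baseline). A non-empty result is a finding to review."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    unauthorized = [s for s in collector.external if s not in approved_src]
    changed = [b for b in collector.inline if sha256(b) not in approved_inline_hashes]
    return unauthorized, changed


# Constructed sample: since the baseline was taken, an unapproved analytics
# script has appeared and the inline checkout initializer has been altered.
PAGE = """<html><body>
<script src="https://cdn.example.com/checkout.js"></script>
<script src="https://analytics.example.net/track.js"></script>
<script>initCheckout({form: "#pay"});</script>
</body></html>"""
APPROVED_SRC = {"https://cdn.example.com/checkout.js"}
APPROVED_INLINE = {sha256('initCheckout({form: "#pay", mode: "prod"});')}
```

A production control would run this on a schedule justified by the targeted risk analysis the panel mentions, and would also fetch and hash each approved external script, since an approved URL can serve changed content.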
Stay Aware of the Underlying Code
David Mundhenk, an information security governance, risk and compliance consultant, underlined the pivotal changes in the compliance framework, particularly in the granular aspects of the payment process.
“Ensure that you review the source code of your payment page and your payment redirection page and make sure you understand exactly what scripts are in there and what they’re doing,” Mundhenk said. “I’m recommending to my clients that whether you’re hosting e-commerce or redirecting e-commerce, essentially, you need to do your homework anyway, do your due diligence, and ensure you understand what’s happening.”
“And products like Source Defense and a methodology that’s consistent with 6.4.3 and 11.6.1, will help you establish your due diligence and make sure that whether you outsource this stuff or if you’re hosting it, you still have your ducks in a row.”
A Tighter Definition for Time Frames
Lee Quinton, a Senior Security Consultant at TrustedSec, broadened the scope of the discussion. According to Quinton, Requirement 11.6.1 seeks to ensure that the integrity of payment pages is verified not just at a point in time but continuously, as an ongoing guard against unauthorized changes in the payment environment.
“The PCI Council used to have words like periodically, now and then, or sometimes,” Quinton said. “Now, for those nine requirements, you have to do a targeted risk assessment and show why you chose to do it daily, weekly, hourly, or whatever.”
Use An Established Solution
Jeff Hall, Principal Security Consultant at TruVantis, warned against creating custom security plans, saying they can be tricky to manage and might not protect you evenly.
“This isn’t something you toss together on a whim and make it work,” Hall said. “This is real compliance work that will have to be developed. You’ll have to develop the right controls and tests, prove that it all works, and then document the daylights out of it.”
“I am recommending to every client I have to not touch the customized approach with an 800-mile stick,” Cooper said. “My best client – and they’re damn good – isn’t mature enough to put together a customized approach on their own, validate it, and make sure it’s working.”
CSP Might Not Ensure Actual E-commerce Security
Ben Rothke, Senior Information Security Manager at Experian, called for early and proactive compliance efforts for comprehensive readiness.
“We started talking about 6.4.3 and 11.6.1, and both requirements can be met with a Content Security Policy. Now, that gets you compliance. Does that get you security? Maybe not,” he said. “People forget that when your website gets hacked, and that redirect or iframe starts going somewhere it shouldn’t, that’s not on the payment processor. That’s on the merchant. I can’t tell you how many people I’ve encountered who didn’t know they could be breached that way.”
For more thoughts on why you should avoid CSP as an approach – check out this Solution Cheat Sheet from Source Defense.
Don’t Get Caught in the PCI DSS 4.0 Scramble
All of the experts on the panel urged companies to avoid a rush of last-minute adjustments by starting the compliance journey well in advance. Starting early not only hedges against unforeseen complications but also leaves room for careful adherence to the new, more stringent standards.
Jeff Hall said he’s currently dealing with a client who doesn’t want to do anything until April 1st, 2025. “Seriously? Compliance isn’t a game. We’re talking about security here,” Hall said. “When you get breached, don’t come crying to me because I won’t have sympathy.”
“Don’t wait till the last minute. Start looking at this now,” Mundhenk said. “And if you can’t meet this requirement next year, for whatever reason, you need to figure that out now. You need to come up with whatever compensating controls and or customized approach will work. And I firmly recommend people do a targeted risk analysis on this stuff to ensure they haven’t missed anything.”
“When dealing with payment systems, you’re dealing with third parties and fourth parties and lawyers and contracts,” Rothke said. “2025 is right around the corner.”
Possible Consequences of Non-Compliance
Addressing the heart of the matter, the discussion outlined non-compliance penalties, which extend beyond financial implications to broader brand damage and operational disruption. Investing in compliance isn’t just about staying legal; it’s smart business. It protects your company and your brand.
The cost and penalties associated with non-compliance with PCI DSS 4.0 include direct financial penalties imposed by card brands on banks, which may be passed to merchants or service providers. Additionally, non-compliant entities may face increased interchange fees.
The overall cost of a data breach extends not only to financial penalties and brand damage, but to forensic analysis charges, compliance re-assessment costs, and possibly being designated as a higher-level merchant with more stringent requirements. This emphasizes the need for robust security and compliance measures.
Act Now for a More Secure Future
The clock is ticking for the new payment security rules, so businesses need to start getting compliant now. This might seem like a big change, but by taking it step-by-step, working together, and sharing knowledge, we can build strong security systems that protect our customers’ data and keep our businesses safe.
The narrative of PCI DSS compliance is at an inflection point, requiring foresight and resilience. Organizations must recognize and seize upon the potential for reinforced trust and unassailable security. The journey toward PCI DSS version 4.0 is a collective obligation that, approached strategically, can elevate industry standards, fortify defense mechanisms, and chart a course toward a safer, more secure digital future.
Source Defense is happy to help you chart that course – we have a number of resources available to you NOW that can help you get moving and close these gaps with virtually no effort.
Start with our FREE PCI Compliance Dashboard – we’ll give you an outside-in view of your current situation and work with you to develop a plan for implementing the required controls in a matter of weeks, not months!