The PCI Security Standards Council (PCI SSC) is developing guidance to help stakeholders understand and implement the new e-commerce security requirements included in PCI Data Security Standard (PCI DSS) v4.x. Stakeholders have indicated that these requirements are complex for many entities to implement (including merchants validating to Self-Assessment Questionnaire (SAQ) A). To that end, the Council has engaged with industry experts to establish an E-commerce Guidance Task Force with the sole objective of developing guidance focusing on PCI DSS v4.x Requirements 6.4.3 and 11.6.1.
The upcoming guidance document will provide:
- Clear and actionable guidance about how entities can meet these two requirements.
- Guidance for how third-party service providers can assist their customers in meeting these requirements.
- Practical implementation strategies rather than a theoretical framework.
The new E-commerce Guidance Task Force brings together expertise from across the payment security ecosystem including PCI SSC staff, payment brand representatives, and members of the Board of Advisors/Technical Advisory Board, Global Executive Assessor Roundtable (GEAR), and Small Merchant Business (SMB) Task Force.
Merchants and service providers should continue familiarizing themselves with Requirements 6.4.3 and 11.6.1 while awaiting this additional guidance, as these controls are fundamental to addressing recent e-commerce breaches and securing e-commerce environments. Requirements 6.4.3 and 11.6.1 are part of the 64 future-dated requirements of PCI DSS v4.x, which are effective as of 31 March 2025. The new guidance document for stakeholders on how to meet these PCI DSS v4.x e-commerce requirements is expected in early 2025.


