Coffee with the Council Podcast: Guidance for PCI DSS E-commerce Requirements Effective After 31 March 2025

Alicia Malone: Greetings to our podcast show, Coffee with the Council. I am Alicia Malone, in charge of Communications and Public Relations at the PCI Security Standards Council. With the approaching deadline for implementing the future-dated requirements of PCI DSS version 4.0.1 by March 31, 2025, we are here to provide guidance. In response to feedback indicating the need for more assistance in complying with certain e-commerce security measures in the standard, particularly Requirements 6.4.3 and 11.6.1, the Council has issued various guidance resources this year. These include updates to Self-Assessment Questionnaire A, an FAQ concerning SAQ A eligibility criteria, and the much-awaited guidance from our E-commerce Guidance Task Force. Today, accompanying us to delve into this new guidance is Lauren Holloway, the Director of Data Security Standards at PCI SSC. Welcome, Lauren.

Lauren Holloway: Many thanks, Alicia. I’m thrilled to be here today to shed light on the recent information released by the Council for our industry.

Alicia Malone: Let’s initiate the discussion by delving deeper into the upcoming requirements in PCI DSS version 4.0.1 and the deadline for their implementation. Can you elaborate on these requirements and what we need to be aware of regarding this due date?

Lauren Holloway: Indeed, PCI DSS unveiled 64 new requirements, out of which 51 are set to take effect in the future. These future-dated measures go live, as mentioned by Alicia, on March 31, 2025. Among these future-dated stipulations are Requirements 6.4.3 and 11.6.1 concerning e-commerce settings. It was observed that many stakeholders, especially smaller merchants, found these requirements challenging to implement. Thus, our aim was to offer clear information and tools to aid them in their compliance journey.

The due date for embracing these new requirements has been a topic of discussion over the past three years. PCI DSS version 4.0 was introduced in 2022, marking the sole active version after the retirement of version 3.2.1 on March 31, 2024. The future-dated requirements have been a part of the standard since March 2022 as “best practices” until March 31, 2025. Post this 2025 date, adherence to these requirements becomes mandatory and must be fully accounted for during a PCI DSS assessment.

Alicia Malone: So, Lauren, what spurred the addition of these two e-commerce requirements to PCI DSS version 4?

Lauren Holloway: In recent years, there has been a notable surge in data breaches during e-commerce transactions, commonly referred to as e-skimming attacks. With e-commerce platforms becoming more intricate and businesses increasingly depending on external scripts in their e-commerce environments, such attacks have become prevalent. Scripts operating in a consumer’s browser are now a prime target for cybercriminals aiming to pilfer payment card details.

Hence, Requirements 6.4.3 and 11.6.1 were integrated into PCI DSS version 4.0 initially, and now into version 4.0.1, to mitigate the risk of e-skimming attacks during e-commerce transactions. These requirements emphasize ensuring that payment page scripts are duly authorized, scrutinized for integrity, and monitored for tampering, in addition to thwarting unauthorized alterations to web pages.

Alicia Malone: Fascinating. The Council revealed last November the formation of an E-commerce Guidance Task Force, which amalgamated expertise from various facets of the payment security domain. The task force comprised PCI SSC personnel, representatives from payment brands, members of the Board of Advisors and Technical Advisory Board, the Global Executive Assessor Roundtable (GEAR), and the Small Merchant Business Task Force. What was the mandate of this task force?

Lauren Holloway: Alicia, the primary objective of this task force was to craft guidance centered on PCI DSS Requirements 6.4.3 and 11.6.1. Specifically, the focus was on producing a comprehensive guidance manual offering lucid and actionable advice on meeting these two requirements, guiding third-party service providers in assisting their clients in meeting them, and furnishing practical implementation strategies rather than a theoretical framework.

This fresh guidance document was just published. Titled “Payment Page Security and Preventing E-Skimming – Guidance for PCI DSS Requirements 6.4.3 and 11.6.1,” this document caters to entities processing payment card transactions through e-commerce using embedded iframes or web pages impacting e-commerce payment security. The supplement delivers precise instructions for merchants and third-party service providers aiming to fulfill PCI DSS Requirements 6.4.3 and 11.6.1.

Alicia Malone: This seems to be a culmination of significant effort over time. Alongside developing this extensive guidance document, the Council also introduced vital modifications for merchants undergoing Self-Assessment Questionnaire A (SAQ A). Can you share insights into these alterations?

Lauren Holloway: Prior to delving into that, it’s crucial to bear in mind that SAQ A encompasses only the PCI DSS requirements pertinent to merchants whose account data functions are entirely outsourced to PCI DSS compliant third parties, retaining solely paper reports or receipts with account data. SAQ A merchants could be e-commerce vendors or mail order, telephone order merchants, all of whom operate as card-not-present merchants. These merchants do not house, handle, or transmit any account data electronically on their systems or premises. The recent amendments made to SAQ A involved the exclusion of PCI DSS Requirements 6.4.3 and 11.6.1 for payment page security, as well as Requirement 12.3.1 for a targeted risk analysis, which was supportive of Requirement 11.6.1.

We also introduced an eligibility criterion for merchants to confirm that their website is not susceptible to script-based attacks jeopardizing their e-commerce systems. In relation to this new eligibility criterion, a detailed FAQ was rolled out to elucidate the exact meaning of this requirement and how merchants can validate that their site is impervious to script-based attacks that could compromise their e-commerce system. As elucidated in the FAQ, merchants can affirm this by employing techniques such as those delineated in PCI DSS Requirements 6.4.3 and 11.6.1 to shield their webpage from scripts targeting account data.

These techniques can be implemented by the merchant themselves or by a third party. Alternatively, merchants can seek an affirmation from their PCI DSS compliant third-party service provider or payment processor supplying the embedded iframe. This affirmation signifies that, upon adherence to the third party’s directives, their solution integrates techniques safeguarding the merchant’s payment page from script attacks. Moreover, it was clarified that a provider of third-party scripts not related to payment processing will not be deemed a third-party service provider (TPSP) under the purview of SAQ A if their services do not impact the protection of payment account information. It is worth noting that these requirements have been solely eliminated from SAQ A, while they remain a part of the standard.

Alicia Malone: This differentiation is important to mention. The wealth of valuable information shared here is truly remarkable. Are there any other suggestions that could be beneficial for PCI DSS assessments?

Lauren Holloway: Undoubtedly, artificial intelligence is currently a trending topic, and efforts have been dedicated to developing fresh guidance on integrating artificial intelligence into PCI assessments. This recent guidance has been just released and addresses essential best practices for assessors, covering crucial aspects such as notifying clients about AI involvement, obtaining client consent, and offering guarantees about the security of client data and the accuracy of assessment outcomes.

Another critical aspect covered involves leveraging AI for reviewing materials, crafting work documents, conducting remote interviews, and producing final assessment reports. The guidance emphasizes the significance of data management procedures, AI system validation, ethical utilization, and regular updates to maintain the reliability and accuracy of outputs.

An essential point highlighted in this guidance is that AI functions as a tool and not a rater. Human assessors retain accountability for all findings and ultimate decisions, ensuring that AI’s purpose is to complement expertise rather than replace it.

Alicia Malone: The introduction of this new AI guidance is quite exciting. Undoubtedly, this new directive will serve as a valuable resource for assessors maneuvering through the evolving landscape of AI. Lauren, where can our audience access all this fresh guidance?

Lauren Holloway: All this guidance, which includes the AI directive, SAQ A, the updated FAQ, as well as the recent guidance on implementing e-commerce security mandates, can be located on the Council’s website. Most of this information is housed in our Document Library, but it’s also advisable to explore the FAQ section on our site. The latest FAQ bears the number 1588. I recommend subscribing to the Council’s PCI Perspectives blog to receive the most recent updates directly in your inbox upon release.

Alicia Malone: That’s fantastic. Thank you for being a part of Coffee with the Council, Lauren. It’s enlightening to delve into this new guidance, and I’m confident that our merchants and assessor firms will benefit significantly from this information.

Lauren Holloway: My pleasure, Alicia. Delighted to join you today. I trust that these clarifications and novel guidance will prove useful.

More Coffee with the Council Podcasts

If you enjoyed this content, consider subscribing to PCI SSC’s “Coffee with the Council” podcast on various platforms: Apple Podcasts, Spotify, Amazon Music, Anchor, Castbox, Google Podcasts, iHeartRadio, Pocket Casts, RadioPublic, Stitcher, Audible, Overcast, or Pandora. 
