Coffee with the Council Podcast: Advice for PCI DSS E-commerce Requirements Effective Post 31st March 2025

Greetings to our podcast series known as Coffee with the Council. I am Alicia Malone, overseeing Communications and Public Relations at the PCI Security Standards Council. As many of our audience members are informed, the deadline for implementing the upcoming requirements of PCI DSS version 4.0.1 looms closer on March 31st, 2025. Over the last year, the Council has received feedback indicating the need for more direction to properly integrate certain e-commerce security criteria, particularly Requirements 6.4.3 and 11.6.1. Consequently, the Council has issued multiple guidance materials this year, including updates to Self-Assessment Questionnaire A, an FAQ regarding SAQ A qualifying conditions, and crucially, guidance put together by our E-commerce Guidance Task Force. With me today to delve into this new guidance is Lauren Holloway, responsible for Data Security Standards at PCI SSC. Welcome, Lauren.

Lauren Holloway: Thank you, Alicia. It’s delightful to join you today and provide clarity on the recent information released by the Council for our sector.

Alicia Malone: Let’s begin by delving deeper into these upcoming PCI DSS version 4.0.1 requirements and the deadline for their adoption. What are these requirements and what should we understand about this due date?

Lauren Holloway: There are 64 fresh requirements in the updated PCI DSS, with 51 being earmarked for future implementation. As previously mentioned by Alicia, these requirements are set to kick in on March 31, 2025. Included in these forthcoming requisites are Requirements 6.4.3 and 11.6.1, specifically tailored for e-commerce environments. It was brought to our attention that these criteria pose challenges for numerous stakeholders, particularly smaller merchants, in adhering to them. Hence, our goal has been to offer clarity and support resources to aid them in their compliance journey.

The deadline for assimilating these new requirements has been on the horizon for three years now. The introduction of PCI DSS version 4.0 took place in 2022, becoming the sole active version after the retirement of PCI DSS version 3.2.1 on March 31, 2024. The future-dated requirements were labeled as “best practices” until March 31, 2025. Beyond this period, these requirements turn mandatory and must be thoroughly observed during a PCI DSS evaluation.

Alicia Malone: Lauren, why were these two e-commerce criteria incorporated into PCI DSS version 4?

Lauren Holloway: In recent times, instances of data breaches during e-commerce transactions, commonly referred to as e-skimming attacks, have seen a significant rise. With e-commerce platforms growing in complexity and businesses depending more on external scripts in their setups, such attacks have become more prevalent. Scripts executing within a consumer’s browser represent a prime target for malevolent entities looking to pilfer payment card data.

Requirements 6.4.3 and 11.6.1 were introduced in PCI DSS version 4.0 and now in version 4.0.1 to mitigate the risks associated with e-skimming attacks during e-commerce operations. These mandates concentrate on ensuring that payment page scripts are correctly authorized, inspected for integrity, and monitored against tampering, all in a bid to avert unauthorized alterations to web pages.

Alicia Malone: In November last year, the Council revealed the establishment of an E-commerce Guidance Task Force, assembling specialists from the payment security sector, including PCI SSC staff, payment brand representatives, members of the Board of Advisors and Technical Advisory Board, the Global Executive Assessor Roundtable (GEAR), and the Small Merchant Business Task Force. What was the objective of this task force?

Lauren Holloway: Indeed, Alicia, the aim of this task force was to craft guidance focused on PCI DSS Requirements 6.4.3 and 11.6.1. Their specific mission was to produce a guide offering clear directives on how entities can fulfill these requirements, instructions for third-party service providers to assist their clients in meeting these criteria, and concrete strategies for implementation instead of a theoretical approach.

The resultant guidance document was unveiled last week. Titled “Payment Page Security and Preventing E-Skimming – Guidance for PCI DSS Requirements 6.4.3 and 11.6.1”, this document caters to any entity processing payment card transactions through e-commerce via embedded iframes or a web page influencing e-commerce payment security. The document furnishes tailored guidance for merchants and third-party service providers striving to fulfill PCI DSS Requirements 6.4.3 and 11.6.1.

Alicia Malone: It seems like this document has been in development for quite some time. Aside from producing this thorough guidance document, the Council also introduced significant alterations for merchants undergoing Self-Assessment Questionnaire A (SAQ A). What updates can you share regarding these adjustments?

Lauren Holloway: Prior to delving into that, it’s crucial to note that SAQ A encompasses solely the PCI DSS requirements applicable to merchants with account data functions entirely delegated to PCI DSS compliant third parties, where the merchant retains solely paper records or receipts containing account data. SAQ A merchants could be e-commerce retailers or mail order/telephone order merchants. Typically, they fall under card-not-present merchants. The recent changes made to SAQ A were the exclusion of PCI DSS Requirements 6.4.3 and 11.6.1 for payment page security. Moreover, Requirement 12.3.1 for a specific risk analysis was removed, given that this risk analysis was solely supporting Requirement 11.6.1.

We also introduced eligibility criteria for merchants to confirm that their site is impervious to script-based attacks potentially compromising the merchant’s e-commerce systems. Regarding this new eligibility check, numerous queries emerged, and we consequently rolled out an FAQ to elucidate the exact meaning of this criterion and how merchants can certify that their website is safe from script-based threats jeopardizing their e-commerce systems. In this FAQ, we specify that merchants can confirm this through various techniques, such as those outlined in PCI DSS Requirements 6.4.3 and 11.6.1, aimed at safeguarding the merchant’s web page from scripts targeting account data.

These techniques could be implemented either by the merchant themselves or by a third party. Alternatively, the merchant can seek verification from their PCI DSS compliant third-party service provider or payment processor delivering the embedded iframe. This verification would affirm that when deployed according to the third party’s instructions, the solution incorporates measures shielding the merchant’s payment page from script attacks. Furthermore, we clarified that a provider of third-party scripts does not fall under the third-party service provider category for SAQ A purposes if their services exclusively entail scripts unrelated to payment processing, scripts that have no impact on the merchant’s payment systems or on the protection of payment account details. It’s worth noting that these prerequisites were only eliminated from SAQ A, yet they are still present in the standard.

Alicia Malone: That is a crucial distinction to emphasize. The abundance of information provided here is truly valuable. What other recommendations could prove beneficial for PCI DSS assessments?

Lauren Holloway: As we are all aware, artificial intelligence is currently a trending subject. We have diligently worked on developing fresh advice related to integrating artificial intelligence into PCI assessments. This recent guidance has been freshly released and covers best practices for evaluators. It includes critical areas such as notifying clients of AI involvement, acquiring consent from clients, and assuring the security of client data and the precision of evaluation results.

Another important aspect is utilizing AI for artifact review, producing work documents, conducting remote interviews, and forming final assessment reports. The advice also highlights the significance of data management protocols, AI system authentication, ethical application, and regular enhancements to maintain the accuracy and security of outcomes.

An essential point to bear in mind from this guidance is that AI should be viewed as a tool rather than an evaluator. Human evaluators retain the responsibility for all conclusions and ultimate decisions, ensuring that AI enhances expertise rather than replaces it.

Alicia Malone: This introduction of the new AI guidance is incredibly thrilling. Undoubtedly, these recent guidelines will be an advantageous reference for evaluators navigating the evolving realm of AI. So, Lauren, where can our audience access all this new guidance?

Lauren Holloway: All the guidance, including the AI assistance, SAQ A, the updated FAQ, and the new tips concerning implementing the e-commerce security prerequisites, is accessible on the Council’s website. Most of this is available in our Document Library, but it’s advisable to also explore our FAQ page. The latest FAQ is numbered as 1588. I recommend subscribing to the Council’s PCI Perspectives blog for prompt updates directly to your inbox.

Alicia Malone: That’s fantastic. Thank you for being a part of Coffee with the Council, Lauren. Gaining insight into this new guidance is extremely valuable, and I’m confident that our merchants and assessment companies will find this information highly beneficial.

Lauren Holloway: It was my pleasure to join you, Alicia. Delighted to be here today. Hopefully, all these explanations and fresh guidance prove to be beneficial.

Discover more Coffee with the Council Podcasts

If you found this content interesting, don’t forget to subscribe to PCI SSC’s “Coffee with the Council” podcast on various platforms: Apple Podcasts, Spotify, Amazon Music, Anchor, Castbox, Google Podcasts, iHeartRadio, Pocket Casts, RadioPublic, Stitcher, Audible, Overcast, or Pandora. 