Welcome to our informative podcast series named Coffee with the Council. I am Alicia Malone, overseeing Communications and Public Relations at the PCI Security Standards Council. As most of our audience is informed, we are fast approaching the cutoff to enforce the upcoming obligations of PCI DSS version 4.0.1 on April 1, 2025. Throughout the past year, the Council has received feedback indicating the necessity for further explanations to correctly implement certain e-commerce security obligations within the standard, particularly Requirements 6.4.3 and 11.6.1. Therefore, the Council has issued a variety of guidance materials this year, encompassing updates to Self-Assessment Questionnaire A, an FAQ regarding SAQ A eligibility criteria, and notably, the eagerly awaited counsel developed by our E-commerce Guidance Task Force. Today, we are joined by Lauren Holloway, the Data Security Standards Director at PCI SSC, who will guide us through this batch of new information.
Lauren Holloway: Thank you, Alicia. It’s truly a pleasure to be here today and bring clarity to the latest releases by the Council for our sector.
Alicia Malone: Let’s start by delving deeper into the upcoming obligations in PCI DSS version 4.0.1 and the compliance deadline. What do we need to familiarize ourselves with regarding these obligations and the cutoff date?
Lauren Holloway: In total, there are 64 fresh obligations introduced in the updated PCI DSS, out of which 51 are future-dated. The obligations set for the future are enforceable, as Alicia mentioned, from April 1, 2025. The e-commerce-specific Requirements 6.4.3 and 11.6.1, as highlighted by her, are part of these future-dated obligations. Feedback we received suggested that these obligations pose challenges to many stakeholders, especially smaller merchants, in their compliance efforts. Hence, we aimed to offer clear guidance and aids to support them during the validation process.
The due date for adopting these fresh obligations has been a focal point for discussion over the past three years. PCI DSS version 4.0 was rolled out in 2022, becoming the sole active version when PCI DSS version 3.2.1 was retired on March 31, 2024. The future-dated obligations were included in the standard as “best practices” until March 31, 2025. After this deadline, these obligations become mandatory and must be thoroughly considered during PCI DSS assessments.
Alicia Malone: Lauren, why were these two e-commerce obligations integrated into PCI DSS version 4.0?
Lauren Holloway: In recent times, instances of data breaches during e-commerce transactions, commonly known as e-skimming attacks, have witnessed a significant rise. With e-commerce platforms becoming increasingly intricate and businesses more reliant on external scripts in their e-commerce environments, these attacks have become rampant. Scripts operating in a consumer’s browser now present high-value targets for malicious entities looking to pilfer payment card information.
Thus, Requirements 6.4.3 and 11.6.1 were incorporated into PCI DSS version 4.0 initially, and now in version 4.0.1, to mitigate the risks of e-skimming attacks during e-commerce transactions. These obligations focus on ensuring the proper authorization, integrity verification, and tampering monitoring of payment page scripts, in addition to averting unauthorized modifications to web pages.
Alicia Malone: Fascinating. The Council revealed its establishment of an E-commerce Guidance Task Force last November, which pooled expertise from various corners of the payment security realm, including insights from PCI SSC personnel, representatives from payment brands, members of the Board of Advisors and Technical Advisory Board, the Global Executive Assessor Roundtable (GEAR), and the Small Merchant Business Task Force. What was the mandate of this task force?
Lauren Holloway: Alicia, the fundamental mission of that task force was to devise guidance primarily centered on PCI DSS Requirements 6.4.3 and 11.6.1. Specifically, their objective was to craft a guidance handbook offering lucid and actionable directions on how entities can fulfill these two obligations, guidance for how third-party service providers can assist their clients in meeting these standards, and practical strategies for implementation rather than theoretical concepts.
The newly unveiled guidance document was recently made available. It possesses a descriptive title: “Payment Page Security and E-Skimming Prevention – Guidance for PCI DSS Requirements 6.4.3 and 11.6.1”. This document caters to any entity conducting payment card transactions through e-commerce using embedded iframes or a webpage impacting the security of e-commerce payments. The supplementary information delivers specific guidance for merchants and third-party service providers striving to adhere to PCI DSS Requirements 6.4.3 and 11.6.1.
Alicia Malone: It seems like this document was under development for quite some time. Besides crafting this comprehensive guidance resource, the Council also disclosed crucial adjustments for merchants undergoing validation via Self-Assessment Questionnaire A, commonly denoted as SAQ A. What insights can you provide on these modifications?
Lauren Holloway: Before diving into that, it’s crucial to bear in mind that SAQ A exclusively incorporates PCI DSS standards relevant to merchants whose account data operations are entirely outsourced to PCI DSS compliant third parties, with the merchants preserving merely paper documents or receipts containing account data. SAQ A merchants are either e-commerce or mail/telephone order merchants, essentially constituting card-not-present merchants. These merchants don’t retain, process, or relay any account data electronically on their systems or premises. Hence, the recent adjustments to SAQ A aimed to eliminate the two PCI DSS Requirements 6.4.3 and 11.6.1 pertaining to payment page security. Additionally, Requirement 12.3.1 for a targeted risk analysis was removed as this analysis solely supported Requirement 11.6.1.
We also introduced an eligibility criterion for merchants to affirm that their website isn’t vulnerable to attacks from scripts that could jeopardize the security of the merchant’s e-commerce systems. Regarding this eligibility criterion, we received numerous queries, leading us to produce an FAQ, as highlighted by Alicia, to offer clarity on what this criterion entails and how a merchant can verify their website’s immunity to script-based assaults that might compromise their e-commerce systems. In the FAQ, we clarify that merchants can confirm this through techniques, including but not limited to those outlined in PCI DSS Requirements 6.4.3 and 11.6.1, to safeguard the merchant’s webpage against scripts targeting account data.
These techniques could be implemented by the merchant themselves or a third party. Alternatively, the merchant could procure confirmation from their PCI DSS compliant third-party service provider or payment processor providing the embedded iframe. With this confirmation, upon implementation per the third party’s instructions, the solution incorporates techniques shielding the merchant’s payment page from script attacks. We also specified that a third-party script provider isn’t considered a third-party service provider (TPSP) for SAQ A purposes if their sole service pertains to scripts unrelated to payment processing and lacking an impact on the protection of account payment data. It’s worth highlighting that these criteria have solely been eliminated from SAQ A, while they remain part of the standard.
Alicia Malone: That is a valuable distinction. There is a wealth of valuable information here. What other recommendations could be beneficial for PCI DSS evaluations?
Lauren Holloway: As we are all aware, artificial intelligence is currently a trending topic, and we have been diligently working on providing fresh advice on incorporating artificial intelligence into PCI assessments. Recently, we have unveiled this fresh advice designed to help assessors adopt best practices, covering crucial areas such as client notification of AI usage, securing client consent, and ensuring the confidentiality of client data as well as the precision of assessment outcomes. These guidelines also encompass the role of AI in reviewing artifacts, compiling work documents, conducting virtual interviews, and producing final assessment reports. It also emphasizes the significance of data handling methodologies, validation of AI systems, ethical application, and routine updates to maintain the security and accuracy of results.
It is crucial to remember from this advice that AI functions as a tool and not as a reviewer. Human evaluators retain accountability for all findings and concluding judgments, ensuring that AI is leveraged to enhance expertise rather than substitute it.
Alicia Malone: This introduction of AI guidance is truly thrilling. I believe these fresh guidelines will serve as a valuable resource for assessors navigating the new AI landscape. Lauren, where can our audience access all this new guidance?
Lauren Holloway: All this guidance, including the AI guidance, SAQ A, the latest FAQ, and the recent guidance on implementing e-commerce security standards, can be accessed on the Council’s official website. Most of this content can be found in our Document Library; however, I recommend checking out the FAQ section on our site as well. The new FAQ is identified as number 1588. Subscribing to the Council’s PCI Perspectives blog will ensure you receive the most recent updates directly to your email inbox as soon as they are released.
Alicia Malone: Wonderful. Thank you for joining us on Coffee with the Council, Lauren. It’s enlightening to delve into this new guidance, and I believe our vendors and assessor organizations will greatly appreciate this information.
Lauren Holloway: It’s my pleasure, Alicia. Delighted to be part of today’s conversation. Hopefully, these clarifications and new guidance will prove beneficial.
Enjoyed what you heard? Stay updated with PCI SSC’s podcast “Coffee with the Council” via various platforms such as Apple Podcasts, Spotify, Amazon Music, Anchor, Castbox, Google Podcasts, iHeartRadio, Pocket Casts, RadioPublic, Stitcher, Audible, Overcast, or Pandora.