The Payment Card Industry Data Security Standard (PCI DSS) has seen some changes over the last 12 months, not least the adoption of a new version of the standard, version 4.0. This is the set of controls that must be observed when assessing a payment environment for suitable levels of security and management, as the previous standard fell by the wayside on 31st March 2024. Some clarifications to this standard have now resulted in version 4.0.1 being released in June 2024.
So, what does this mean for a large number of merchants and entities looking to the standard for guidance?
One of the most common methods for meeting compliance with the PCI DSS and keeping the cardholder data footprint as small as possible is to make use of a PCI-approved payment gateway and integrate this into the checkout process to ensure that all code used to collect and transmit card information originates from the payment provider. This method allows the lowest number of controls to be utilised for PCI compliance, but the new version of the standard has bolstered these controls and added some new ones to keep these high-risk websites more secure.
New Requirements in SAQ A for E-Commerce Businesses
In the commonly used Self-Assessment Questionnaire A for e-commerce users, some new requirements have been introduced to help combat the threat of attacks on personal data via the merchant website.
According to the new version of the PCI DSS, merchants using SAQ A will need to perform external vulnerability scans now, where previously this was not mandated. This is a quarterly check, and must use an approved scan vendor, so make sure that the service comes with the correct “PCI ASV” accreditation. All e-commerce sites using this method to attest compliance will need to engage with an approved scan vendor.
In addition to vulnerability scanning, a new requirement for checking scripts that are loaded and executed on the consumer’s browser has been introduced. This is to ensure that only genuine, authorised scripts are running during checkout. The threat of data loss via malicious scripts running in the browser has grown significantly in recent years, and this malware is pretty much available ‘off the shelf’ nowadays for most popular content management systems.
The last significant change is some form of integrity check on the payment pages themselves. The HTTP headers and contents of payment pages are now required to be monitored for unauthorised changes, with the check performed at least once a week.
What Are the Vulnerability Scanning Requirements for PCI Version 4?
In more detail, the vulnerability scanning must meet the following requirements.
- Perform external vulnerability scans at least every 3 months
- A PCI SSC Validated Approved Scan Vendor (ASV) must be used
- Any vulnerabilities with a CVSS score higher than 4.0 must be resolved
- A rescan must be performed following on from a failed scan to demonstrate that all vulnerabilities higher than a CVSS score of 4.0 have been remediated
- In addition to the quarterly scans, an ad hoc scan must be performed after a significant change
- The ad hoc scan does not necessarily have to be completed by an ASV, and can be done internally
Note – See requirement 11.3.2 for the published details.
What Are the Payment Page Script Requirements for PCI Version 4?
With regard to the monitoring and tracking of payment page scripts, the details are as follows:
- All payment page scripts that are loaded and executed in the consumer’s browser must be detailed in an inventory
- The entity must provide supporting justification for the use of each script
- The scripts must also be authorised to ensure only permitted scripts are running on the site
- The integrity of the script must also be validated periodically to ensure that it has not been compromised or replaced
- These controls are considered best practice until 31st March 2025, when they will become mandatory
Note – See requirement 6.4.3 for the published details.
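To make the inventory, authorisation and integrity points above concrete, here is an added example (not part of the original article or any 3B Data Security tooling) of a periodic payment page script check: every external script on the page is compared against an inventory that records a justification and the SHA-384 of the approved content, so unlisted scripts and scripts whose served content has changed are both reported. The inventory, the page HTML and the script contents are all constructed for this example, and the `.invalid` hostnames are placeholders.

```python
import hashlib
import re

SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', re.I)

def sha384_hex(content: bytes) -> str:
    return hashlib.sha384(content).hexdigest()

def extract_script_srcs(html: str) -> list:
    # Sufficient for this constructed page; a production monitor should use a real HTML parser.
    return SCRIPT_SRC.findall(html)

def review_payment_page(html: str, inventory: dict, fetch) -> dict:
    # 'ok': listed and digest matches; 'tampered': listed but the served content no
    # longer matches the approved digest; 'unauthorised': not in the inventory at all.
    findings = {"ok": [], "tampered": [], "unauthorised": []}
    for src in extract_script_srcs(html):
        entry = inventory.get(src)
        if entry is None:
            findings["unauthorised"].append(src)
        elif sha384_hex(fetch(src)) != entry["sha384"]:
            findings["tampered"].append(src)
        else:
            findings["ok"].append(src)
    return findings

# Constructed inventory: justification and approved content digest for each script.
SCRIPT_INVENTORY = {
    "https://pay.example-psp.invalid/checkout.js": {
        "justification": "Payment provider's hosted checkout loader",
        "sha384": sha384_hex(b"window.psp={ready:true};")},
    "https://shop.example.invalid/static/cart.js": {
        "justification": "First-party basket summary beside the payment form",
        "sha384": sha384_hex(b"function cart(){return 1;}")},
}
# Constructed snapshot of what the site serves today: cart.js has changed since it
# was approved, and an unlisted third-party script has appeared on the page.
LIVE_SCRIPTS = {
    "https://pay.example-psp.invalid/checkout.js": b"window.psp={ready:true};",
    "https://shop.example.invalid/static/cart.js": b"function cart(){return 2;}",
}
LIVE_PAYMENT_PAGE = """<html><head>
<script src="https://pay.example-psp.invalid/checkout.js"></script>
<script src="https://shop.example.invalid/static/cart.js"></script>
<script src="https://cdn.unknown-party.invalid/widget.js"></script>
</head><body><form id="payment"></form></body></html>"""

def run_check() -> dict:
    # A real deployment would fetch each script over HTTPS; here fetch reads the snapshot.
    return review_payment_page(LIVE_PAYMENT_PAGE, SCRIPT_INVENTORY, LIVE_SCRIPTS.__getitem__)
```

Any entry in `tampered` or `unauthorised` is a finding to investigate and, once explained, either re-approve (update the digest and justification) or remove from the page.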
Looking for Help With the New PCI DSS Requirements?
If you are struggling with any of these new requirements, it really does pay to talk to a QSA about how they may affect your scope of assessment. Here at 3B Data Security, we have helped lots of our clients get up to speed with these new requirements, and many of them were working towards this last year, ensuring that they are fully understood and embedded before they become mandatory.