PCI DSS v4.0 eSkimming Protection

Version 1.3 Oct. 18th, 2024

Introduction

PCI DSS v4.0 brings stringent requirements to enhance data security in the face of evolving cyber threats. Notably, requirements 6.4.3 and 11.6.1 introduce critical mandates for monitoring and tamper detection to protect payment pages. These new stipulations are now incorporated into all Self-Assessment Questionnaire types, regardless of transaction volume or whether the entity uses a Third Party Service Provider (TPSP). However, merchants can claim to be SAQ A if they have “confirmed that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).”

Requirement 6.4.3 focuses on the management and integrity verification of payment page scripts, and also covers the pages and navigational flows leading up to the payment page. It mandates that “unauthorized code cannot be executed in the payment page as it is rendered in the consumer’s browser,” which requires creating and maintaining a comprehensive inventory of all scripts and allowing only authorized scripts to execute throughout the entire payment process.

Requirement 11.6.1 focuses on detecting unauthorized modifications to payment pages, including scripts and HTTP headers. It mandates these detection activities be performed at least once every seven days or at intervals determined by the entity’s targeted risk analysis, marking a significant shift towards proactive security measures.
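An added illustration of the two checks described above, written for this page and not taken from DataStealth or the PCI SSC: it compares the scripts found in a payment page against an authorized inventory (6.4.3) and compares observed HTTP response headers against a recorded baseline (11.6.1). The page, inventory, and header values are constructed sample data.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample payment page (not a real site): one authorized CDN script,
# one authorized inline config script, and an injected third-party script.
PAYMENT_PAGE = ('<html><head><script src="https://cdn.example.com/checkout.js"></script>'
                "<script>window.cfg={env:'prod'};</script></head><body>"
                '<script src="https://static.example.net/helper.js"></script></body></html>')

# Authorized inventory (6.4.3): external URLs plus SHA-256 of approved inline bodies.
INVENTORY = {"external": {"https://cdn.example.com/checkout.js"},
             "inline_sha256": {hashlib.sha256(b"window.cfg={env:'prod'};").hexdigest()}}

# Baseline headers (11.6.1) and constructed observed headers where the CSP has drifted.
BASELINE_HEADERS = {"Content-Security-Policy": "script-src 'self' https://cdn.example.com", "X-Frame-Options": "DENY"}
OBSERVED_HEADERS = {"Content-Security-Policy": "script-src *", "X-Frame-Options": "DENY"}

class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []          # start buffering an inline script body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def check_payment_page(html, headers, inventory, baseline):
    """Return findings for scripts outside the inventory and headers that drifted."""
    p = ScriptCollector()
    p.feed(html)
    findings = [f"unauthorized external script: {s}" for s in p.external
                if s not in inventory["external"]]
    for body in p.inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in inventory["inline_sha256"]:
            findings.append(f"unauthorized inline script sha256={digest[:16]}")
    for name, expected in baseline.items():
        if headers.get(name) != expected:
            findings.append(f"header drift: {name} expected {expected!r} got {headers.get(name)!r}")
    return findings
```

In practice the page and headers would be fetched from the live site on the schedule the requirement sets (at least every seven days, or per the targeted risk analysis), and any non-empty result would be raised as an alert for investigation.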

Failure to comply with these new requirements can result in the suspension of payment processing, increased audit scrutiny, and reputational damage.

DataStealth's eSkimming Protection solution excels in addressing these challenges, offering real-time compliance solutions that go beyond the basic compliance thresholds set by PCI DSS v4.0. DataStealth meets and surpasses these two new requirements by ensuring continuous monitoring and proactive response capabilities, providing a robust framework for safeguarding sensitive payment information against unauthorized access and tampering. Unlike other solutions, DataStealth requires no application or workflow changes, only a simple DNS update. With no additional development work needed for integration, the path to enhanced security and compliance is drastically simplified.

This document is particularly relevant for decision-makers and security professionals within organizations subject to auditing.

PCI DSS v4.0 Overview

PCI DSS v4.0 sets the latest global data security standards for all entities that store, process, or transmit payment card data, including merchants, processors, acquirers, issuers, and service providers. It aims to enhance the security of payment card transactions, protect cardholders against misuse of their personal information, and ensure the integrity of the payment ecosystem.
