How to Meet Key New PCI DSS 4.0 Requirements

Alastair Stewart
Senior Consultant at URM
21 Nov


For any organisation which takes card payments through an e-commerce page, protecting customers’ sensitive cardholder data is naturally of vital importance, and it is the Payment Card Industry Data Security Standard (PCI DSS) which provides the de facto guidelines and requirements to follow.  The latest version, PCI DSS v4.0, brings a number of important changes to the table.  Requirement 6.4.3, for example, focuses on ensuring the integrity of all scripts on the payment page, protecting against potential vulnerabilities that could be exploited by attackers.  Another key change is Requirement 11.6.1, which focuses on deploying change and tamper detection mechanisms on the headers and contents of payment pages.  In this blog, we will explore how your organisation can meet these two requirements and effectively secure your payment pages.

Understanding PCI DSS v4.0 Requirement 6.4.3

PCI DSS Requirement 6.4.3 states that you must maintain the integrity of scripts on your payment pages.  This requirement is crucial in protecting cardholder data from malicious scripts or tampering which could compromise the security of online transactions.

Scripts on a payment page can be vulnerable to various attacks, including cross-site scripting (XSS) and data injection.  These attacks can lead to the theft of cardholder data and financial loss.  Ensuring the integrity of scripts is essential in preventing these vulnerabilities, and avoiding the reputational and financial damage associated with cardholder data breaches.  

Meeting Requirement 6.4.3

To meet PCI DSS v4.0 Requirement 6.4.3 and ensure the integrity of scripts on payment pages, you will need to follow a series of best practices:

Implement strong content security policies (CSPs)

Content security policies (CSPs) are a vital part of ensuring script integrity.  CSPs define which scripts are allowed to execute on a web page.  By implementing CSPs, you can control the sources from which scripts can be loaded.  This helps prevent malicious scripts from being injected into your payment page.
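As an added illustration (not code from the original article or from URM), the following Python shows what a script-integrity-focused policy for a payment page looks like, going slightly beyond the paragraph above by pairing the CSP with Subresource Integrity (SRI) hashes for pinned third-party scripts. The host `https://js.psp.example` and the script bodies are placeholders; the `audit_csp` check flags the settings that quietly defeat the purpose of a CSP, so the weak policy can be compared with the strict one.

```python
import base64
import hashlib
import secrets

# Hypothetical allowlist of hosts permitted to serve scripts to the payment page
# (placeholder values, not from the original article).
ALLOWED_SCRIPT_HOSTS = ("https://js.psp.example",)


def make_nonce():
    """Fresh per-response nonce; a nonce reused across responses gives no protection."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def sri_hash(script_body, algo="sha384"):
    """Subresource Integrity value for a pinned copy of a script (goes in the integrity attribute)."""
    digest = hashlib.new(algo, script_body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def build_csp(nonce, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Strict policy: only same-origin, nonced, or allowlisted-host scripts may execute."""
    directives = [
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}' {' '.join(allowed_hosts)}",
        "object-src 'none'",
        "base-uri 'self'",
        "form-action 'self'",
        "frame-ancestors 'none'",
    ]
    return "; ".join(directives)


def script_tag(src, integrity, nonce):
    """Markup for an allowlisted third-party script, pinned by its SRI hash and the response nonce."""
    return (f'<script src="{src}" integrity="{integrity}" '
            f'crossorigin="anonymous" nonce="{nonce}"></script>')


def audit_csp(header):
    """Return findings for settings that let arbitrary scripts run despite a CSP being present."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    # script-src falls back to default-src when absent
    script_src = directives.get("script-src", directives.get("default-src"))
    findings = []
    if script_src is None:
        findings.append("no script-src or default-src: any script source is allowed")
        return findings
    if "'unsafe-inline'" in script_src:
        findings.append("script-src allows 'unsafe-inline': injected inline scripts will run")
    if "'unsafe-eval'" in script_src:
        findings.append("script-src allows 'unsafe-eval'")
    for token in script_src:
        if token in ("*", "https:", "http:", "data:"):
            findings.append(f"script-src contains {token}: effectively any host is allowed")
    if "object-src" not in directives and "'none'" not in directives.get("default-src", []):
        # plugin content is another way to execute script; pin object-src explicitly
        findings.append("object-src not restricted")
    return findings


# A weak policy of the kind often found in the wild (constructed example).
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"

if __name__ == "__main__":
    nonce = make_nonce()
    print(build_csp(nonce))
    print(script_tag("https://js.psp.example/checkout.js", sri_hash(b"/* pinned copy */"), nonce))
    print("weak policy findings:", audit_csp(WEAK_CSP))
```

The nonce must be generated per response and injected into both the header and the markup; the SRI hash is computed once over the exact copy of the third-party script you reviewed and approved, so a changed file served from the same host fails to load rather than executing silently.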

Employ input validation and sanitisation

One of the primary ways that attackers inject malicious scripts into payment pages is by manipulating user inputs.  As such, you need to implement strict input validation and sanitisation measures to ensure that user inputs are clean and free from potentially harmful scripts.  This can prevent the execution of malicious code that might be injected through input fields.
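To make the validate-then-encode pattern concrete, here is an added Python example (not from the original article) for a single cardholder-name field: an allowlist check on input, HTML encoding on output, and the vulnerable string-concatenation form shown only for contrast. The character class and length limits are assumptions for illustration.

```python
import html
import re

# Allowlist for a cardholder name: Latin letters (including common accented ones),
# spaces, hyphens and apostrophes, 2 to 60 characters. Assumed limits, adjust per scheme rules.
NAME_RE = re.compile(r"[A-Za-z\u00C0-\u017F][A-Za-z\u00C0-\u017F' \-]{1,59}")


def validate_cardholder_name(value):
    """Accept only what a name can legitimately contain; reject anything else outright."""
    return NAME_RE.fullmatch(value.strip()) is not None


def render_confirmation_unsafe(name):
    """Vulnerable form: untrusted input concatenated straight into markup."""
    return "<p>Thank you, " + name + "</p>"


def render_confirmation(name):
    """Hardened form: validated on the way in, HTML-encoded on the way out."""
    if not validate_cardholder_name(name):
        raise ValueError("cardholder name failed validation")
    return "<p>Thank you, " + html.escape(name.strip(), quote=True) + "</p>"


if __name__ == "__main__":
    for sample in ("Ann-Marie O'Neil", "<script>alert(1)</script>"):
        print(sample, "->", validate_cardholder_name(sample))
    print(render_confirmation("Ann-Marie O'Neil"))
```

Validation rejects, rather than "cleans", input that does not fit the field; encoding is still applied to everything that is rendered, because a value that passed validation today may be displayed in a context the validator never considered.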

Regular code reviews

Performing regular code reviews on the payment page's scripts is essential.  This includes reviewing both front-end and back-end code to identify any vulnerabilities or potential weaknesses.  Code reviews will help you identify security issues before they can be exploited by attackers.

Secure third-party integrations

Many payment pages rely on third-party integrations for services such as payment gateways or analytics tools.  You need to ensure that any third-party scripts used on your payment page are from trusted sources and are regularly audited for security.  Additionally, you should maintain a list of authorised third-party scripts to prevent unauthorised additions.

Monitor and audit scripts

It is important that you regularly monitor and audit the scripts used on your payment pages.  This includes version control, change tracking, and continuous monitoring for unauthorised changes or alterations.  It is recommended that automatic alerts are set up to notify you of any script changes.

Conduct regular security assessments

Routine security assessments, including vulnerability scanning and penetration testing, can help you uncover potential script integrity issues. By conducting these assessments, you can identify vulnerabilities before attackers can exploit them.

Develop a patch management plan

Scripting languages and libraries can have vulnerabilities that may need patching.  Therefore, you will need to maintain a robust plan for patch management to ensure that all scripts on your payment page are up to date and secure.

Implement web application firewalls (WAF)

Web application firewalls (WAFs) can help you identify and block malicious scripts or attacks aimed at your payment page.  WAFs can provide an additional layer of security and prevent unauthorised scripts from running.

Understanding PCI DSS v4.0 Requirement 11.6.1

This is one of the crucial new requirements of PCI DSS v4.0 and specifically addresses the need to deploy change and tamper detection mechanisms on payment page headers and contents. Change and tamper detection mechanisms are essential components of a secure payment environment, as they can identify unauthorised alterations or manipulations of payment pages. By ensuring the integrity of payment pages, your organisation is able to mitigate risks associated with malicious actors attempting to compromise the payment process.

Meeting Requirement 11.6.1

To meet requirement 11.6.1, you will need to deploy effective change and tamper detection mechanisms on payment page headers and contents. The following are essential steps and considerations that will allow you to do so more effectively:

Identify payment pages  

Your starting point is the identification of all payment pages within your environment.  These can include web pages, mobile applications, or other channels through which cardholder data is processed.  It's imperative to have a comprehensive understanding of where these pages exist.  Then look to consolidate them all in a single location, if possible, as this will facilitate your monitoring of them.

Choose the right mechanism

You will need to select appropriate change and tamper detection mechanisms.  The choice of technology will depend on your organisation's specific requirements, but common options include web application firewalls (WAFs), intrusion detection systems (IDSs), and security monitoring solutions.  You need to ensure that the chosen mechanisms are capable of monitoring both headers and contents.

Implement real-time monitoring  

It's essential to monitor payment page headers and contents in real-time. This allows you to detect and respond to unauthorised changes immediately, enhancing your ability to prevent data breaches and fraud.

Define baselines

Establishing baseline configurations for payment pages is an important consideration.  These baselines represent the expected state of payment page headers and contents.  Any deviations from these baselines should trigger alerts and investigations.

Set up alerts and notifications  

You will need to configure alerts and notifications within your chosen change and tamper detection mechanisms.  These alerts should be sent to designated personnel within your organisation responsible for monitoring and responding to potential issues.  Timely alerts can help you take proactive measures against the various threats.

Regularly review and update baselines

Payment page structures and content may change over time due to legitimate updates and modifications.  You should be regularly reviewing and updating baseline configurations to reflect these changes.  This ensures that any legitimate alterations do not trigger false positives.

Document and report

Keeping thorough records of your change and tamper detection activities is important and this includes any alerts, investigations, and responses. Documenting these activities is essential for compliance reporting and can also provide valuable evidence in the investigation of any security incident.

Educate and train staff

You will need to ensure all your staff members are well-informed of the importance of change and tamper detection mechanisms and how to respond to alerts.  Security awareness and training programmes can significantly enhance the effectiveness of your change and tamper detection mechanisms.
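The steps above, together with the script monitoring and authorised-script list described under Requirement 6.4.3, come down to one loop: take a baseline of the payment page's security headers and script set, compare every subsequent fetch against it, alert on any deviation, and re-baseline only after an approved change. The Python below is an added example (not from the original article or URM) of that loop in stand-alone form. The sample responses, hostnames and the `sha384-PLACEHOLDER` integrity value are constructed; fetching the live page and delivering the alerts to your on-call staff are left to whatever tooling you already run.

```python
import hashlib
from html.parser import HTMLParser

# Response headers whose values the baseline pins (compared case-insensitively by name).
MONITORED_HEADERS = ("content-security-policy", "strict-transport-security", "x-frame-options")


class _ScriptCollector(HTMLParser):
    """Collects every <script> on a page: external ones by src, inline ones by body hash."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._attrs = None   # attributes of the <script> currently open, else None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._attrs = dict(attrs)
            self._buf = []

    def handle_data(self, data):
        if self._attrs is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._attrs is not None:
            src = self._attrs.get("src")
            if src:
                ref = "src:" + src
            else:
                body = "".join(self._buf).encode()
                ref = "inline:sha256:" + hashlib.sha256(body).hexdigest()
            self.scripts.append({"ref": ref, "integrity": self._attrs.get("integrity")})
            self._attrs = None


def snapshot(headers, html):
    """Reduce a response to what 11.6.1 cares about: the pinned headers and the script set."""
    lowered = {k.lower(): v for k, v in headers.items()}
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    return {"headers": {h: lowered.get(h) for h in MONITORED_HEADERS},
            "scripts": collector.scripts}


def check_page(baseline, headers, html):
    """Compare a live response with the baseline; every deviation becomes one alert string."""
    current = snapshot(headers, html)
    alerts = []
    for name, expected in baseline["headers"].items():
        actual = current["headers"].get(name)
        if actual != expected:
            alerts.append(f"header {name} changed: expected {expected!r}, got {actual!r}")
    authorised = {s["ref"]: s for s in baseline["scripts"]}   # doubles as the script inventory
    seen = set()
    for script in current["scripts"]:
        ref = script["ref"]
        seen.add(ref)
        if ref not in authorised:
            alerts.append(f"unauthorised script present: {ref}")
        elif script["integrity"] != authorised[ref]["integrity"]:
            alerts.append(f"integrity attribute changed on {ref}")
    for ref in authorised:
        if ref not in seen:
            alerts.append(f"authorised script missing: {ref}")
    return alerts


def accept_as_baseline(headers, html):
    """Re-baseline after a change-control-approved release, never in response to an unexplained alert."""
    return snapshot(headers, html)


# Constructed sample responses (not from the article); hostnames and the SRI value are placeholders.
APPROVED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://js.psp.example",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
}
APPROVED_HTML = """<html><head>
<script src="https://js.psp.example/checkout.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>window.checkoutConfig = {currency: "GBP"};</script>
</head><body><form id="card"></form></body></html>"""

# Tampered variant: CSP header dropped, inline script altered, an unknown script added.
TAMPERED_HEADERS = {k: v for k, v in APPROVED_HEADERS.items() if k != "Content-Security-Policy"}
TAMPERED_HTML = APPROVED_HTML.replace(
    '{currency: "GBP"}', '{currency: "GBP"}; /* altered */'
).replace("</head>", '<script src="https://unknown-host.example/extra.js"></script></head>')

BASELINE = accept_as_baseline(APPROVED_HEADERS, APPROVED_HTML)

if __name__ == "__main__":
    print("approved page:", check_page(BASELINE, APPROVED_HEADERS, APPROVED_HTML))
    for alert in check_page(BASELINE, TAMPERED_HEADERS, TAMPERED_HTML):
        print("ALERT:", alert)
```

Run on a schedule against every identified payment page, the approved response produces no alerts, while the tampered one raises four: the missing CSP header, the unknown external script, the altered inline script, and the authorised inline script that is no longer present. Keep each alert, the investigation and the outcome on record, and only call `accept_as_baseline` once a change has been traced to an approved release.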

Closing Thoughts

Ensuring the integrity of scripts on payment pages and deploying change and tamper detection mechanisms on payment page headers and contents are critical aspects of maintaining PCI DSS compliance under the new v4.0.  By following the advice and steps we have detailed above, your organisation can effectively protect cardholder data and remain PCI DSS compliant as it looks to transition to v4.0 of the Standard.

How URM Can Help

Every organisation has unique needs, so will face unique challenges in meeting the key new requirements in PCI DSS v4.0.  URM’s team of PCI DSS consultants are available to discuss your particular situation and concerns, offering a range of services to prepare you for assessment.

Prior to addressing the new requirements, URM’s PCI DSS consultant can help you identify any areas of noncompliance with v4.0 by conducting a gap analysis of your current controls and working practices against the requirements of the Standard.  We can also ease the implementation process by assisting with scope reduction, suggesting various segmentation options for your consideration.  Having identified the required changes and assisted with the selection of an appropriate scope, our QSA can support any implementation and remediation activities necessary for you to achieve PCI compliance.  

When you are completely confident that your current cardholder processing activities and practices meet the new requirements of the Standard, we can also facilitate your assessment.  Our team of QSAs can provide a number of PCI DSS audit services, including a pre-audit readiness assessment, QSA-led PCI Report on Compliance (RoC), QSA supported SAQs and advising you on SAQs you are completing yourself. Following a successful assessment, we can help you maintain your certification by conducting regular penetration testing and vulnerability scanning to assess your network infrastructure and applications, in line with the requirements of the Standard.

Alastair Stewart
Senior Consultant at URM
Alastair is one of the most experienced and proficient Payment Card Industry Qualified Security Assessors (PCI QSAs) in the UK. He has completed in excess of one hundred successful reports on compliance (RoCs) against different PCI DSS versions along with supporting the completion of self-assessment questionnaires (SAQs).