UPDATE:
The PCI Security Standards Council has suspended the requirements of 6.4.3 and 11.6.1, among others, for SAQ-A online stores.
See also https://blog.pcisecuritystandards.org/important-updates-announced-for-merchants-validating-to-self-assessment-questionnaire-a
As a PSP or online store, according to the latest PCI DSS v4.0.1 standard, you must be able to prove that the scripts in your shopping cart that are also loaded in your customers’ browsers were intentionally inserted by you and have not been modified without authorization by third parties. As of March 31, 2025, these security requirements are mandatory. A periodic website scan, delivered with PCI reporting, will help you meet this obligation. Time to take action!
Background PCI DSS
Web stores process sensitive customer data, such as payment information, on a daily basis, which makes them a popular target for cybercriminals. To ensure that web stores handle payment data such as card numbers securely, the Payment Card Industry Data Security Standard (PCI DSS) was created in 2004 by the credit card organizations Visa, Mastercard, JCB, American Express and Discover Financial Services.
PCI uses four levels to determine whether you must also certify for PCI. Your PSP or acquirer (the bank that processes your credit card transactions) may invite you to complete a PCI SAQ (Self-Assessment Questionnaire). In addition, you may be required to use a PCI website vulnerability scan to check the security of your website.
The PCI program is constantly updated with new requirements that reflect new developments on the Internet and the techniques used by hackers. One example is the requirement to stop using TLS 1.0. You can demonstrate this with a quarterly PCI scan if your PSP asks you to.
What will change with PCI DSS v4.0.1?
What’s new is PCI’s focus on the scripts used on your checkout page. On the payment page of your shopping cart, a hacker can use a tampered script to try to redirect your customers to another website that closely resembles a PSP’s payment page. Card numbers entered there by unsuspecting customers then fall into the hands of hackers and fraudsters.
PCI 6.4.3 (the ‘prerequisite’)
For all scripts on your payment page that are loaded and executed in the consumer’s browser, you must be able to prove:
- that the script was placed with your approval
- and that the script has not been modified (or deleted) without your approval
To do this, you must be able to document which scripts you have placed, including reporting (from scans) that lets you prove the authorization and integrity of those scripts.
PCI 11.6.1 (the solution)
- You have implemented a control that alerts your company to (unauthorized) changes, including the differences and their impact, to the HTTP headers and page content as received by the consumer’s browser.
- The monitoring solution used must be able to evaluate the HTTP headers and the payment page.
- Monitoring must take place at least once every seven days, or periodically in line with the risk analysis specified in 12.3.1.
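The two requirements above (the 6.4.3 inventory of approved scripts and the 11.6.1 change detection on the page and its HTTP headers) boil down to one recurring check: fetch the payment page as a browser would, list every script on it, compare each script's content hash against the approved inventory, and compare the security-relevant response headers against a baseline. The following is an added example of that check, written for this page; it is not Trust Guard's scanner, nor code from the PCI standard. The URLs, script bodies and header values are constructed sample data so that it runs offline; a real monitor would fetch the page and scripts over HTTPS on the schedule 11.6.1 requires and feed the findings into alerting.

```python
"""Payment-page script inventory (6.4.3) and change detection (11.6.1).

Added example, not Trust Guard's or PCI's code. Every page body, script body
and header below is constructed sample data so the check runs offline.
"""
import hashlib
from html.parser import HTMLParser


def sha256(text):
    """Hex SHA-256 of a script body; this is the integrity value kept in the inventory."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# 6.4.3: approved inventory. Keys are a script's src URL or "inline:<position>",
# values are the digest of the approved content. URLs and bodies are hypothetical.
APPROVED_SCRIPTS = {
    "https://psp.example/checkout.js": sha256("window.PSP={token:'abc'};"),
    "inline:0": sha256("console.log('cart loaded');"),
}

# 11.6.1: baseline of the security-relevant response headers the browser receives.
BASELINE_HEADERS = {
    "content-security-policy": "script-src 'self' https://psp.example",
    "strict-transport-security": "max-age=31536000",
}


class ScriptCollector(HTMLParser):
    """Collects every <script> element as (location, inline body or None)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._inline_count = 0
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append((src, None))           # external: body fetched separately
        else:
            self.scripts.append((f"inline:{self._inline_count}", ""))
            self._inline_count += 1
            self._in_inline = True

    def handle_data(self, data):
        if self._in_inline:                             # accumulate the inline body
            loc, body = self.scripts[-1]
            self.scripts[-1] = (loc, body + data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def check_payment_page(html, fetched_scripts, headers,
                       approved=APPROVED_SCRIPTS, baseline=BASELINE_HEADERS):
    """Compare one fetch of the payment page against the approved state.

    fetched_scripts maps each external src URL to the body the monitor downloaded;
    headers is the response header dict with lower-cased names. Returns a list of
    findings; an empty list means nothing changed. Any finding is a change 11.6.1
    says you must be alerted to (an inserted script shifts inline positions, which
    deliberately also surfaces as a finding).
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings, seen = [], set()
    for loc, body in parser.scripts:
        seen.add(loc)
        if body is None:
            body = fetched_scripts.get(loc)
            if body is None:
                findings.append(f"UNFETCHABLE {loc}")
                continue
        if loc not in approved:
            findings.append(f"UNAPPROVED {loc}")
        elif approved[loc] != sha256(body):
            findings.append(f"MODIFIED {loc}")
    for loc in approved:
        if loc not in seen:
            findings.append(f"REMOVED {loc}")
    for name, expected in baseline.items():
        if headers.get(name) != expected:
            findings.append(f"HEADER {name}: expected {expected!r}, got {headers.get(name)!r}")
    return findings


# Constructed sample of a clean fetch: matches the inventory and baseline exactly.
CLEAN_HTML = """<html><head>
<script src="https://psp.example/checkout.js"></script>
<script>console.log('cart loaded');</script>
</head><body>checkout form</body></html>"""
CLEAN_SCRIPTS = {"https://psp.example/checkout.js": "window.PSP={token:'abc'};"}
CLEAN_HEADERS = dict(BASELINE_HEADERS)

# Constructed sample of a tampered fetch: the PSP script's content changed, a
# script that is not in the inventory appeared, and the CSP header was weakened.
TAMPERED_HTML = CLEAN_HTML.replace(
    "</head>", '<script src="https://cdn.example/extra.js"></script></head>')
TAMPERED_SCRIPTS = {
    "https://psp.example/checkout.js": "window.PSP={token:'abc'};/* altered */",
    "https://cdn.example/extra.js": "/* script not in the inventory */",
}
TAMPERED_HEADERS = {"content-security-policy": "script-src *",
                    "strict-transport-security": "max-age=31536000"}

if __name__ == "__main__":
    print("clean:", check_payment_page(CLEAN_HTML, CLEAN_SCRIPTS, CLEAN_HEADERS))
    for finding in check_payment_page(TAMPERED_HTML, TAMPERED_SCRIPTS, TAMPERED_HEADERS):
        print("ALERT", finding)
```

Run against the clean sample the check returns no findings; against the tampered sample it reports the modified PSP script, the unapproved extra script and the weakened Content-Security-Policy header, which is the kind of evidence the scan reporting for 6.4.3 and 11.6.1 has to capture. Keeping the inventory as content hashes rather than just URLs is what lets you prove a script was not altered, not merely that it is still present.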
In short: to comply with this, you MUST use a PCI scan
You must be able to demonstrate that the scripts in your shopping cart, which are also loaded in your customers’ browsers, have been deliberately inserted by you and have not been modified without authorization by third parties, including changes at the HTTP level. This means that your website must be scanned periodically and that you must prove via PCI reporting that, in a new PCI scan, the scripts have not been altered by anyone other than yourself.
PCI DSS v4.0.1 mandatory by March 31, 2025!
Want to know if your webshop meets the latest security requirements?
Request a scan from Trust Guard today and protect your business and your customers.