Vectra's Blog

Countdown to Compliance: Navigating the New PCI DSS 4.0 Standards

Written by Kelvin Heath | 19/03/25 10:03 PM
Time is running out to become compliant with new PCI DSS 4.0 standards

The new PCI DSS 4.0 standard introduces many new requirements to properly secure Cardholder Data (CHD) and Sensitive Authentication Data (SAD). It becomes effective on March 31, 2025, and is the only active version of the standard. This blog outlines the challenges and solutions to help you become compliant with the strict requirements of PCI DSS 6.4.3 and 11.6.1.

What is the new standard trying to address:

The primary goal of these new requirements is to tackle the increasing threat of client-side attacks. These attacks include cross-site scripting (XSS), formjacking and e-commerce skimming, as seen in Magecart attacks. Such attacks embed malicious scripts into payment pages to steal sensitive user data. These scripts can operate in real time, capturing payment card information and personally identifiable information (PII) as the consumer enters it.

Who needs to comply:

Any organisation that has a payment page on its website needs to attest yearly that it has adhered to the standard. IT environments are constantly changing, so organisations are expected to monitor their environments periodically throughout the year.

How to comply:

Outsourcing all site transactions to a PCI Compliance service provider is often not practical as most merchants manage the customer experience and the function of their own website. Depending on the level of integration with the payment provider, you will still need to adhere to the new standards.

What could happen if you do not comply:

  • You could get compromised and lose cardholder data
  • Your acquirer will ask questions and ask you to resolve the issues, and then you will be subject to fines
  • Your company may be stopped from processing credit card transactions

What are the penalties for non-compliance:

Accepting the risk is not a recommended option, as the fines from the major credit card companies (VISA, AMEX, Mastercard, etc.) recur and increase in value until the business becomes compliant with the standard.

What does Vectra offer:

We provide a leading solution for addressing threats and risks originating from the increased use of JavaScript, third-party vendors, and open-source code in your web properties.

We can help you:

  • Become PCI DSS 4.0.1 compliant, and specifically address the requirements of 6.4.3 and 11.6.1 by performing JavaScript monitoring
  • Strengthen your web page integrity
  • Stop malicious scripts from running on your transaction pages

You'll be able to:

  • Identify all active scripts on your website and assess the risks they may pose, including whether they are transmitting data, accessing PII/PCI data, or retrieving credentials. Quickly see those scripts at highest risk.
  • Be alerted to any scripts known to be malicious.
  • Block unauthorised scripts to further protect your website.
  • Use this dashboard to inform your pentesting regime to ensure no script leaves you exposed.
  • Fulfill the demanding requirement of weekly integrity monitoring.
  • See all your organisation's environments in one simple to understand dashboard.
  • Generate one-click reports to share findings and enrich broader compliance activities.

Let’s get you started:

We can provide you with a free trial for your website. This will enable you to understand your position with an assessment of your current environment.

Visit https://info.vectra-corp.com/javascript-monitoring-for-pci-dss-4.0 to sign up for a complimentary assessment of your environment.

About Vectra:

Vectra has over 4,000 PCI DSS clients, ranging from Australian telcos, banks, airlines, and many midsize organisations and SMBs through their banking partner. As the pioneer in PCI DSS compliance in Australia, we’re specialists helping organisations address regulatory change. As a PCI Participating Organisation, we assisted in the DSS 4.0 development process and can help you navigate these changes and ensure your payment environment is secure.

The details:

Two new requirements apply to payment pages.

PCI DSS 6.4.3 requirements focus on managing payment page scripts that are loaded and executed in the consumer's browser. Here are the key points:

  • Authorisation: Implement a method to confirm that each script is authorised.
  • Integrity: Implement a method to assure the integrity of each script.
  • Inventory: Maintain an inventory of all scripts with written justification for why each is necessary.

These measures are designed to protect against client-side attacks, such as those involving malicious scripts that can steal sensitive user data directly from the browser.

PCI DSS 11.6.1 requirements focus on change and tamper detection mechanisms for payment pages. Here are the key points:

  1. Change Detection: Implement mechanisms to detect unauthorised changes to payment pages.
  2. Tamper Detection: Implement mechanisms to detect tampering with payment pages.
  3. Modification Alerts: Ensure that alerts are generated for any detected modifications.

These measures are designed to protect against client-side attacks by ensuring that any unauthorised changes to, or tampering with, payment pages are promptly detected and addressed.

For merchants completing SAQ-A, using an iFrame can affect your compliance. Websites outsourced to third parties (often multiple providers) should check that those providers have implemented the necessary measures to protect against client-side attacks and unauthorised changes to payment pages. Make sure you have time to meet the requirements before the deadline.