PCI DSS version 4.0 has introduced two key new requirements to add further protection to online payment pages. These requirements are contained within the shortest questionnaire SAQ-A so apply to all ecommerce payment pages where an embedded form such as iFrame is used.
These requirements apply to both merchants and service providers, therefore a merchant cannot outsource this responsibility to their payment gateway as both entities have obligations. These requirements state:
All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows:
A change-and-tamper detection mechanism is deployed as follows:
Whilst you can use mechanisms such as Sub-resource integrity(SRI) and Content Security Policy (CSP), use of these tools can be challenging and manual regular auditing and management is required plus a high level of expertise.
Using a vendor solution that is specifically tailored to meeting these requirements with minimal disruption to your business is our recommendation.
We researched offerings for months and ultimately decided to partner with industry leader Source Defense to offer a solution that meets the requirements in an efficient manner that requires minimal ongoing management. Two solutions are offered:
Scanning, detection and alerting which is an external implementation and provides visibility into client-side security incidents by extending security to the browser.
An automated protection mechanism deployed as two lines of code on your website. This is more a ‘set and forget’ option and provides out of the box security and compliance.
To obtain more information including a list of FAQs please register using the form. Or you can get in touch and we can discuss directly.
Fill out the form below and a representative from PCI Consulting Australia will reply as soon as possible.
