PCI 4.0.1 has arrived. Here’s what you need to know about Requirement 6.4.3

August 21, 2024

As the Payment Card Industry Data Security Standard (PCI DSS) compliance standards continue to evolve, our team has been fielding a number of questions about the changes to 4.0, how to interpret them and ultimately how to get or remain compliant. We decided to create a blog series covering some of these recent changes with practical, actionable tips for getting started.

Many organizations subject to PCI DSS may not be aware that the latest version, PCI DSS 4.0.1, has been released. This new version includes clarifications to Requirements 3, 6, 8 and 12. In this blog series, however, we will focus on the changes to Requirement 6.4.3 and the PCI Council’s effort to refine and clarify it.

Before we get into the changes and what to expect, it’s important to point out a couple of critical-path timelines. PCI DSS 4.0.1 will replace 4.0 effective December 31, 2024, and, in general terms, full compliance with PCI DSS is required by March 31, 2025. Many organizations are still developing their strategy for full compliance, including monitoring all forms, webpages and script activity where sensitive customer payment data is handled, the ongoing effort of collecting evidence, and reporting that evidence to the QSA.

By proactively addressing the changes in PCI 4.0.1 before the deadline, organizations can demonstrate their commitment to data security, reduce the risk of costly data breaches and the fines that follow them, and maintain their ability to securely process payments. Compliance is not just a regulatory obligation; it also strategically safeguards your online customers and their data.

Let’s dig into the two most important Requirement 6 changes:

  • The patching timeline and the severity of the vulnerabilities covered by the Requirement have been softened. In PCI 4.0, Requirement 6.3.3 mandated that patches or updates for critical and high severity vulnerabilities be installed within one month of release. Version 4.0.1 reverted to the PCI DSS v3.2.1 language, requiring organizations to install patches or updates within 30 days and only for critical severity vulnerabilities.
  • Requirement 6.4.3 addresses how to manage payment page scripts that are loaded and executed in the consumer’s browser. In PCI DSS 4.0, it was not clear whether the Requirement applied to a merchant embedding payment pages or forms from third-party service providers, or to the payment processors themselves. This left the interpretation to individual organizations, which attempted to monitor and collect evidence on both. Version 4.0.1 clarifies that this management applies only to merchants, but that script compliance is split between the merchant and the third-party provider: the merchant owns the scripts and headers not embedded in the third-party provider’s iframe, and the third-party provider owns the scripts embedded inside its iframe. The PCI Council’s clarification on this Requirement is a welcome relief for monitoring, collecting and documenting script evidence.

If you are an organization tackling the implementation of PCI DSS or interpreting the latest modifications, the Feroot team can help. Our experience and knowledge of the Requirements, combined with purpose-built tools for monitoring script activity on webpages and script behavior on web forms, automating evidence collection and reporting, makes compliance with Requirement 6.4.3 easy and hands-off.

Here’s how you can get ahead of the December 31, 2024 and March 31, 2025 PCI DSS deadlines:

1. Familiarize yourself with the new 4.0.1 requirements. PCI DSS 4.0.1, Requirement 6.4.3 offers better clarification around compliance and what qualifies under that Requirement but, depending on the context, can still leave a few gray areas. The Feroot team can assist with interpreting the Requirement and applying it to your organization’s specific circumstances.

2. Work with a trusted PCI compliance partner. Our team has been helping organizations comply with PCI DSS for many years. You will get a compliance program tailored to your needs, and you will use Feroot’s purpose-built compliance platform to monitor scripts on payment webpages and forms handling cardholder data (CHD) in real time, as well as to collect and report evidence to the QSA.

3. Get a Free Assessment. See how easy it is to achieve compliance. One quick 30-minute call will show you how to get up and running as quickly as possible.

4. Don’t Wait Until the Last Minute. With only a few months left before the enforcement date, start planning and budgeting now. Work with our PCI experts to navigate the updated standard and ensure your business is fully prepared. Contact us today to learn more.
