PCI DSS 4: Compliance Guide for SAQ A-EP Merchants to comply with Requirements 6.4.3 and 11.6.1

February 16, 2025

1. Introduction

As an SAQ A-EP merchant, you face unique compliance challenges because you control elements of your payment page, even though you don’t directly process card data. This makes you a prime target for attacks like Magecart, which specifically target payment page scripts.

Common Misconceptions

Many merchants believe:
  • “We’re safe because we use a payment provider’s iframe”
  • “Our payment provider handles all PCI compliance”
  • “We don’t store card data, so we have minimal requirements”

These assumptions are incorrect and dangerous under PCI DSS 4.0.1.

2. Business Models and Compliance Challenges

Examples of companies that commonly fall under PCI DSS Merchant SAQ A-EP:

  • SaaS and Subscription-Based web applications
  • Online Retailers with interactive Checkout flow
  • Travel Booking or Reservation Websites
  • Online Gaming
  • Online Food Ordering and Delivery Services
  • Charities and Non-Profit Organizations (Online Donations)
  • Utility and Bill Payment Services

Common Payment Implementations:

  • Direct Post: Your website creates the payment form
  • JavaScript Integration: Your site loads payment provider scripts
  • Hybrid Solutions: Combination of iframes and custom code
  • Custom Checkout Flows: Interactive payment experiences

3. Key PCI DSS 4.0.1 Requirements

Requirement 6.4.3: Script Management

You must:
  • Track all scripts on payment pages
  • Document each script’s business purpose
  • Monitor for unauthorized changes
  • Maintain script integrity

Estimated Implementation:
  • Initial script inventory: 2-3 weeks
  • Documentation setup: 1-2 weeks
  • Monitoring solution: 2-4 weeks

Requirement 11.6.1: Change Detection

Required actions:
  • Monitor payment page content
  • Track HTTP header changes
  • Detect unauthorized modifications
  • Document all changes

Implementation timeline:
  • Solution setup: 2-3 weeks
  • Testing period: 1-2 weeks
  • Full deployment: 1-2 weeks

4. Script Security Deep Dive

Real-World Risks

Recent examples of attacks:
  • British Airways (380,000 cards stolen)
  • Ticketmaster (millions affected)
  • Various SaaS platforms (ongoing attacks)

Required Controls:
  • Script Inventory
    • List all scripts on payment pages
    • Document purpose and owner
    • Regular review and updates
  • Integrity Monitoring
    • Hash verification
    • Change detection
    • Alert system

5. Change Detection Implementation

Required Components:

  • Automated Monitoring
    • Payment page content
    • HTTP headers
    • Script changes
  • Documentation System
    • Change logs
    • Approval workflows
    • Audit trails
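As an added example (not code from this page or from any vendor), the following Python check shows how the two components fit together: a script inventory that records purpose, owner and a SHA-256 hash per script (6.4.3), and a header baseline (11.6.1), both compared against a page snapshot to raise alerts for unauthorized, modified or missing scripts and for changed headers. All URLs, script bodies, headers and inventory entries are constructed for illustration; a real monitoring agent would fetch the live page and the script bodies itself.

```python
import hashlib
import re

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)

def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def extract_scripts(html, fetched):
    """External scripts keyed by src (hash of the fetched body); inline ones as inline#<position>."""
    found = {}
    for i, (attrs, body) in enumerate(SCRIPT_RE.findall(html)):
        src = SRC_RE.search(attrs)
        if src:
            found[src.group(1)] = sha256(fetched.get(src.group(1), ""))
        else:
            found[f"inline#{i}"] = sha256(body.strip())
    return found

def check_payment_page(html, fetched, headers, inventory, baseline_headers):
    """6.4.3: unauthorized, modified or missing scripts against the inventory;
    11.6.1: HTTP security headers that differ from the recorded baseline."""
    alerts, found = [], extract_scripts(html, fetched)
    for key, digest in found.items():
        entry = inventory.get(key)
        if entry is None:
            alerts.append(("UNAUTHORIZED_SCRIPT", key))
        elif entry["sha256"] != digest:
            alerts.append(("SCRIPT_MODIFIED", key))
    alerts += [("SCRIPT_MISSING", k) for k in inventory if k not in found]
    got = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    for name, expected in baseline_headers.items():
        if got.get(name.lower()) != expected:
            alerts.append(("HEADER_CHANGED", name))
    return alerts

# Constructed baseline (added example, not vendor code): what the merchant approved and documented.
PSP_JS = "window.PSP={tokenize:function(f){return 'tok'}};"
INVENTORY = {  # purpose and owner are the 6.4.3 documentation fields
    "https://js.psp.example/v3/checkout.js": {"purpose": "card tokenization", "owner": "payments", "sha256": sha256(PSP_JS)},
    "inline#1": {"purpose": "init checkout", "owner": "web", "sha256": sha256("PSP.init();")}}
BASELINE_HEADERS = {"Content-Security-Policy": "script-src 'self' https://js.psp.example", "X-Frame-Options": "DENY"}

def demo():  # constructed snapshot in which an extra script appeared and the CSP was loosened
    html = ('<script src="https://js.psp.example/v3/checkout.js"></script>'
            '<script>PSP.init();</script><script src="https://cdn.unknown.example/a.js"></script>')
    fetched = {"https://js.psp.example/v3/checkout.js": PSP_JS,
               "https://cdn.unknown.example/a.js": "// constructed unexpected script"}
    headers = {"content-security-policy": "script-src *", "x-frame-options": "DENY"}
    return check_payment_page(html, fetched, headers, INVENTORY, BASELINE_HEADERS)
```

Each alert tuple is what would feed the alert system and the change log; re-running the check on a clean snapshot returns an empty list, which is the evidence a QSA expects for the monitoring interval.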

Schedule a Demo

You will see how to easily automate PCI-DSS 4.0.1 compliance for Requirements 6.4.3 and 11.6.1 in minutes.
  • Autonomously and continuously maintain inventory of scripts, assure integrity, and confirm scripts are authorized.
  • Automatically detect and prevent unexpected script activities.
  • Get alerted of unauthorized scripts and unexpected script activities.
  • Easily provide reports to your teams and QSA.
  • Keep your company protected.
6. Practical Implementation Steps

  • Initial Assessment (2-3 weeks)
    • Map payment flows
    • Inventory scripts
    • Document current state
  • Tool Selection (2-3 weeks)
    • Evaluate solutions
    • Compare costs
    • Check integration requirements
  • Implementation (4-6 weeks)
    • Deploy monitoring
    • Set up alerts
    • Train staff

7. Maintaining Compliance

Regular Tasks:

  • Weekly script reviews
  • Monthly compliance checks
  • Quarterly security assessments
  • Annual comprehensive audits

Required Documentation:

  • Script inventory
  • Change logs
  • Incident reports
  • Audit trails

8. Common Pitfalls to Avoid

  • Inadequate Script Management
    • Missing script inventory
    • Undocumented changes
    • Poor version control
  • Weak Change Control
    • Unauthorized modifications
    • Missing documentation
    • Delayed detection
  • Insufficient Monitoring
    • Incomplete coverage
    • Poor alert response
    • Missing audit trails

9. Recommendations

Essential Actions:

  • Implement automated monitoring
  • Maintain detailed documentation
  • Perform regular security testing
  • Train staff
  • Plan incident response

Success Metrics:

  • 100% script documentation
  • < 24 hour detection time
  • Zero unauthorized changes
  • Full audit trail reports

By following this guide, SAQ A-EP merchants can build a robust compliance program that protects their payment pages and meets PCI DSS 4.0.1 requirements. Remember, while the initial investment may seem significant, it’s far less costly than a breach.

Meet the PCI DSS 4.0.1 March 2025 Deadline

Future-proof and automate your website compliance and security today!