PCI 4 for SAQ-A & SAQ-A-EP: Everything Merchants Need to Know to Master PCI DSS 4 Compliance

PCI DSS 4 introduces new requirements for SAQ-A and SAQ-A-EP Merchants. Key new changes are Requirements 6.4.3 and 11.6.1. While these requirements play a crucial role in preventing and detecting e-commerce skimming attacks they also require merchants to implement and operate new technical capabilities on payment webpages.

Requirements 6.4.3 and 11.6.1 apply to all scripts executed in a consumer's browser on payment pages, defined as web-based interfaces that capture or submit account data. This guide explores these requirements in depth and provides actionable steps to achieve compliance.

Core New Pillars of Compliance with Requirements 6.4.3 and 11.6.1

Detailed breakdown of requirement 6.4.3

Requirement 6.4.3: Ensuring Script Management on Payment Pages

Requirement 6.4.3 focuses on the management of all payment page scripts, whether they originate from the entity's environment or from third and fourth parties. It mandates a three-pronged approach for compliance with PCI DSS Requirements:

Authorization

• Implement a method to confirm that each script is authorized as per PCI DSS Requirements.

• Prevent unauthorized scripts from being added to the payment page without proper approval.

• Confirm authorization as soon as possible if prior approval is impractical.

Integrity

• Ensure the integrity of each script to meet PCI DSS 4.0 JavaScript Monitoring requirements.

• Prevent tampering that could lead to unauthorized behavior, such as cardholder data skimming.

Inventory

• SAQ-A and SAQ-A-EP merchants are required to maintain an accurate inventory of all scripts on payment page with an exception of scripts loaded inside of TPSP's iFrame, if webpage uses a third-party service provider iFrame for collecting payment card information.

• Include a written business or technical justification for each script to ensure it is necessary for operations.

• Regularly review and update the inventory to reduce potential vulnerabilities.

The primary goal is to ensure only authorized and necessary scripts are executed on payment pages, reducing the risk of malicious activity and ensuring compliance with PCI DSS Requirements.

Requirement 11.6.1: Detecting Unauthorized Changes

Requirement 11.6.1 is centered on the detection and response to unauthorized changes on payment pages, a critical aspect of PCI DSS 4.0 JavaScript Monitoring.

Monitoring the Consumer Browser

• Monitor the consumer browser as the payment page is constructed and all JavaScript is interpreted.

• Compare current versions of HTTP headers and active content with prior or known versions to detect unauthorized changes that might indicate skimming attacks.

Detection Mechanisms Include

Content Security Policy (CSP) Violations:

• CSP limits where scripts can load or transmit account data, ensuring compliance with PCI DSS Requirements.

Script Analysis:

• Analyze scripts for known indicators of compromise or behaviors typical of skimming, aligning with PCI DSS 4.0 JavaScript Monitoring standards.

This requirement ensures that any unauthorized modifications to the payment page are identified and addressed promptly, helping to prevent data breaches and ensure compliance with Requirement 11.6.1.

Key Compliance Checkpoints and Deadlines

• Both Requirement 6.4.3 and Requirement 11.6.1 are currently best practices under SAQ-A PCI DSS Requirements until March 31, 2025.

• After this date, these requirements will become mandatory during PCI DSS assessments.

• Implementing measures in advance ensures a smooth transition and full compliance.

Essential Components for Full Compliance

JavaScript Inventory Management System

An accurate script inventory management system is critical for SAQ-A's compliance with Requirement 6.4.3. Key components include:

• A comprehensive list of all scripts used on payment pages.

• Written business or technical justification for each script’s necessity.

• Regular reviews and updates to reflect changes in script usage.

• Script Integrity management that validate that every script has not been tampered with, ensuring integrity under PCI DSS 4.0 JavaScript Monitoring requirements. Techniques like Sub-Resource Integrity (SRI) can help but SRI is limited only a small percentage of scripts—somewhere in the single-digit range—are loaded with SRI's adoption is very limited. Only a small percentage of scripts—somewhere in the 3-15%t range—are loaded with SRI. In other words, the vast majority of JavaScript resources on the web still do not use Sub-Resource Integrity. Therefore, reliance on SRI as the only method to ensure script integrity will leave 85 to 97% of scripts vulnerable and exposed.

Script Behavior Monitoring Implementation

Monitoring script behavior is vital for PCI DSS 4.0 JavaScript Monitoring under Requirement 11.6.1. Effective methods include:

Content Security Policy (CSP):

• Restricts sources for script loading and data transmission, supporting compliance.

Proprietary Script/Tag Management Systems:

• Prevents unauthorized or malicious scripts from executing.

Detection and Reporting Mechanisms:

• Detects changes to headers and payment page content.

Required Documentation and Audit Trails

Comprehensive documentation is critical for demonstrating compliance with PCI DSS 4 Requirements 6.4.3 and 11.6.1. It includes:

• Policies and procedures for managing payment page scripts to meet compliance .

• Inventory of all scripts with written justifications.

• Logs of script authorizations, integrity checks, and detected changes.

• Evidence of monitoring mechanisms used for JavaScript Monitoring.

• Security policies that are kept up to date and communicated effectively.

Compliance Validation and Reporting

Required Report Types and Frequencies

Requirement 6.4.3:

• Regularly review and update the script inventory to ensure accuracy in alignment with PCI DSS Requirements.

Requirement 11.6.1:

• Generate periodic reports of detected unauthorized changes and responses to support compliance.

External Vulnerability Scans:

• Conduct scans at least once every three months or after significant changes to meet PCI DSS 4.0 JavaScript Monitoring standards.

Evidence Collection and Retention Strategies

Establishing a system for collecting and retaining evidence is essential for PCI DSS Requirements compliance. Evidence may include:

• Screenshots of system configurations.

• Logs of script activities and monitoring results.

• Reports from vulnerability scans and remediation efforts.

• Proof of Continuous Compliance with PCI DSS 4 Requirements 6.4.3 and 11.6.1.