
PCI DSS v4.0.1: Meeting New Client-Side Security Requirements

Written by

Boris Kirzner

July 16, 2024


Boris Kirzner is a Senior Product Manager at Akamai, responsible for product vision, strategy, and operations of client-side protection products. He has a strong architectural design, software development, and security background, with more than 10 years of experience in creating cloud-based security products from inception to launch, including web applications protection, bot management, and client-side protection. Boris has a Master of Engineering degree in Information Systems and a Bachelor of Science degree in Computer Science from Technion — Israel Institute of Technology.

Additional editorial and commentary by Emily Lyons


Executive summary

  • PCI DSS v4.0.1, released in June 2024, introduces essential updates that enhance client-side payment security and ensure comprehensive payment page protection for ecommerce. 

  • The new PCI DSS v4.0.1 updates clarify existing requirements and provide explicit guidance by addressing PCI DSS 4.0 stakeholder feedback. 

  • Akamai Client-Side Protection & Compliance aligns with these new PCI DSS v4.0.1 standards by offering tools that simplify compliance and enhance payment page security.

Introduction

In the ever-evolving payment security landscape, organizations must diligently stay up-to-date on the latest standards and regulations. 

The Payment Card Industry Data Security Standard (PCI DSS) has long been an industry pillar in protecting cardholder data transmitted over the internet — and any organization that handles customer payments should strictly adhere to the latest policies.

In June 2024, the PCI Security Standards Council (PCI SSC) released PCI DSS v4.0.1, which introduces several significant changes. Each update is designed to clarify existing requirements and address PCI DSS stakeholder feedback — underlining the importance of continuous learning and adaptation. 

Unpacking the latest client-side PCI DSS changes and clarifications

PCI DSS v4.0.1 introduces several pivotal client-side security updates to PCI DSS v4.0 in Section 6.4.3 and Section 11.6.1.

Section 6.4.3

“Where it is impractical for such authorization to occur before a script is changed or a new script is added to the page, the authorization should be confirmed as soon as possible after a change is made.”

This clarification acknowledges that in modern, highly dynamic web application environments, upfront authorization is impractical because it impedes an organization's ability to innovate and evolve. It is therefore expected that new scripts will appear in production environments on an ongoing basis.

In this case, it’s crucial to have a tool that detects new scripts running on payment pages. Once alerted, security teams can analyze the script landscape and decide whether to authorize the new scripts. 

“An inventory of all scripts is maintained with written business or technical justification as to why each is necessary.”

This addition urges organizations to explicitly justify all scripts that are executing on payment pages, rather than merely stating that a script is necessary for page execution. It reiterates the crucial need for organizations to have tight security controls over which scripts run on their payment pages, weigh business requirements against security risks and vulnerabilities, and make explicit script decisions.

Section 11.6.1 

“A change- and tamper-detection mechanism is deployed … to alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the security-impacting HTTP headers and the script contents of payment pages as received by the consumer browser.”

This clarification prescribes a new, targeted approach to monitoring HTTP headers: only the headers that affect payment page security need to be watched. Monitoring and alerting on every header change is impractical and would result in an overwhelming amount of alert noise.

At the same time, it’s crucial to detect and alert on changes to headers that impact payment page security, as these might be early indicators of a misconfiguration or a client-side attack that could result in the theft of data like customer credit card information.

Applicability notes 

“This requirement also applies to entities with a web page(s) that includes a TPSP’s/payment processor’s embedded payment page/form (for example, one or more inline frames or iframes.) …
Scripts in the TPSP’s/payment processor’s embedded payment page/form are the responsibility of the TPSP/payment processor to manage in accordance with this requirement.”

These applicability notes clarify the case in which an organization’s payment page(s) include a third-party service provider’s (TPSP’s) or payment processor’s embedded payment page or form, such as an iframe.

  • The new requirement only applies to scripts loaded from the organization’s payment page and inside the TPSP iframe

  • The organization bears the responsibility of meeting requirement 6.4.3 for scripts loaded on their payment page(s)

  • The TPSP or payment processor is accountable for fulfilling the requirement for scripts loaded in their embedded payment page(s) or form(s)

Streamline compliance with Akamai Client-Side Protection & Compliance 

Client-Side Protection & Compliance streamlines PCI DSS compliance workflows to help organizations easily meet evolving payment script security standards. 

This state-of-the-art payment security solution analyzes script activity to detect malicious script behavior in real time, which can safeguard organizations and their customers against end-user data exfiltration and JavaScript threats like web skimming and Magecart attacks.

This Akamai solution’s dedicated PCI DSS capabilities help organizations meet PCI DSS v4.0.1 requirements, including these additional clarifications:

  • Client-Side Protection & Compliance is designed to run for every real-user interaction, automatically discovering and cataloging all payment page scripts. It detects unauthorized scripts and immediately alerts your security team, allowing them to decide whether to authorize new scripts.

  • Client-Side Protection & Compliance empowers security teams to specify the necessity of every payment page script and equips them with powerful tools for meeting these requirements.

  • Client-Side Protection & Compliance monitors and alerts security teams when payment pages’ HTTP security headers like X-XSS-Protection and X-Frame-Options are changed, enabling them to immediately review and address changes.

Strengthen your organization’s security stance with Akamai

PCI DSS v4.0.1’s new additions and clarifications emphasize the security risks that are prevalent when embedding a payment provider iframe, as well as reinforce the need for organizations to have robust client-side protections, regardless of their payment integration model. The takeaway is clear: Organizations can’t delegate PCI DSS responsibilities for these requirements to the payment provider alone.

Client-Side Protection & Compliance gives your organization comprehensive monitoring and protection for all the scripts that are your responsibility, ensuring compliance and security enhancements across both organizational and third-party scripts. 

With Akamai as your cybersecurity partner, you can confidently defend against cyberthreats like data breaches and malware — and thwart cybercriminals who are eager to capture critical information from the customers and partners who trust you most.

Find out more

Learn more about Client-Side Protection & Compliance, and discover how this solution can help your business comply with PCI DSS v4.0.1 JavaScript security requirements.