
Finding Solutions to Meet PCI DSS v4.0 Requirements 6.4.3 and 11.6.1

Written by

Boris Kirzner

November 08, 2024

Boris Kirzner is a Senior Product Manager at Akamai, responsible for product vision, strategy, and operations of client-side protection products. He has a strong architectural design, software development, and security background, with more than 10 years of experience in creating cloud-based security products from inception to launch, including web application protection, bot management, and client-side protection. Boris has a Master of Engineering degree in Information Systems and a Bachelor of Science degree in Computer Science from Technion — Israel Institute of Technology.

Ask the right questions and perform a comprehensive risk assessment to make informed decisions.

Executive summary

As the March 2025 compliance deadline for the Payment Card Industry Data Security Standard (PCI DSS) v4.0 draws near, organizations need to address JavaScript security requirements 6.4.3 and 11.6.1 for safeguarding client-side payment data. This blog post focuses on the fundamental phases of choosing the solution to address these new requirements:

  • Assessing an organization’s context and evaluating its feasibility, operational, and business risks
  • Deciding whether to build or buy by considering solutions already available in the market
  • Using vendor evaluation guidelines to select effective solutions for PCI compliance

Understanding the impact of PCI DSS v4.0 JavaScript security requirements

Meeting the new PCI DSS v4.0 JavaScript security requirements 6.4.3 and 11.6.1 involves implementing security management, detection, and response tools and processes later in the software development cycle and extending these into the runtime environment. With the March 2025 compliance deadline looming, organizations must take immediate steps to implement effective client-side security measures.

Assessing organizational context

Understanding the organization's structure and context is necessary to assess the complexity of the client-side attack surface and determine the feasibility of implementing effective solutions for the new PCI DSS v4.0 requirements.

  • Small organizations: Security and development teams often work closely together in small organizations, facilitating coordination and security implementation

  • Medium organizations: Medium-sized organizations typically have distinct teams, but familiarity between these teams can still enable collaboration

  • Large organizations: In large, complex organizations, multiple dispersed teams can complicate visibility and responsibility, making it harder to coordinate and implement security measures

Assessing risks

Organizations must evaluate multiple types of risks when choosing a solution to meet PCI DSS v4.0 requirements 6.4.3 and 11.6.1; understanding these risks will guide the decision to build or buy a solution and will also be crucial during vendor evaluations.

  • Feasibility risk: Assessing feasibility risk involves determining whether the organization has the resources, time, and expertise required to implement a solution by the compliance deadline. Missing the deadline could lead to severe legal and reputational issues.

  • Operational risk: Assessing operational risk involves addressing the ongoing requirements to maintain the solution effectively. This includes integration with existing systems, ease of use, adaptability to new threats, and resources needed for continuous monitoring.

  • Business risk: Assessing business risk involves evaluating whether the solution meets compliance requirements and satisfies auditor expectations. It also includes assessing vendor dependency risks and the solution's ability to adapt to evolving compliance standards.

Evaluating your options: Build vs. buy

Organizations must decide whether to build their own client-side protection solution or to buy an existing one. Each option has specific risks and benefits:

Building a solution

  • Feasibility risk: Developing a custom solution requires substantial resources, expertise, and time. Organizations must assess whether they have the skills and resources to build a solution that can address the new PCI DSS v4.0 requirements before the deadline.

  • Operational risk: Building a solution also means taking on long-term responsibilities, such as maintaining software, handling updates, fixing bugs, and addressing emerging security threats.

  • Business risk: Custom-built solutions carry a significant risk of misinterpretation by auditors. Since PCI DSS v4.0 requirements are relatively new, a custom solution may only address some required scenarios, leading to compliance gaps.

Buying a solution

Organizations that buy a solution have two primary options: external scanners or JavaScript agents. Each solution type has different integration, operation, detection, and mitigation characteristics.

External scanners. External scanners scan target websites’ pages and provide insights into the JavaScript running on those pages. Key aspects include:

  • Integration: Integration of external scanners is usually straightforward for simple environments, but it can become challenging for complex applications. Payment pages embedded in dynamic user journeys or in frequently changing content may be difficult for scanners to cover consistently.

  • Operation: External scanners are easy to set up but might need frequent updates to keep up with changes in web pages. Regular maintenance is required to align the scanner with any application modifications.

  • Detection and mitigation: The detection capabilities of external scanners are limited because they only interact with the payment page during a simulated workflow. Behaviors that occur only during real user interactions may therefore be missed, leaving potential security blind spots. External scanners are primarily passive — they can alert organizations to potential problems but cannot actively prevent attacks.

JavaScript agents. JavaScript agents operate at runtime by embedding directly within webpages as they execute in end-users’ browsers, providing deep insights into client-side activities. Key aspects include:

  • Integration: JavaScript agents must be embedded into the application, which often means a separate integration step for each deployment to ensure comprehensive coverage of all pages and user interactions. The complexity of the integration varies and depends mostly on the specific vendor solution.

  • Operation: JavaScript agents provide real-time, continuous monitoring and can dynamically adapt as users interact with the application. This makes them particularly effective at identifying threats that emerge during specific user activities.

  • Detection and mitigation: Detection capabilities are robust, allowing agents to observe threats such as script injections and unauthorized data collection as they occur. The real-time nature of these agents enables a comprehensive view of potential threats. JavaScript agents offer proactive defense by actively blocking or quarantining malicious activity in real time.
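
The following is an added illustration (not code from this post or from Akamai's product) of the contrast drawn above: a one-time snapshot audit against an authorised-script inventory, as an external scanner would perform, versus a runtime consumer that also sees scripts loaded after a user interaction. The inventory entries, URLs, and session events are constructed for the example.

```javascript
// Inventory of authorised scripts with a written business justification (PCI DSS 6.4.3).
// Entries are constructed for this example.
const ALLOWLIST = new Map([
  ["https://shop.example/js/checkout.js", "payment form logic"],
  ["https://psp.example/v1/fields.js", "payment service provider field loader"],
]);

// Classify one script descriptor ({ src } or { inline: true }) against the inventory.
// Query strings and fragments are ignored so cache-busting versions still match.
function classifyScript(script) {
  if (script.inline || !script.src) return "unauthorized-inline";
  const key = script.src.split(/[?#]/)[0];
  return ALLOWLIST.has(key) ? "authorized" : "unauthorized";
}

// One-time audit: the view an external scanner gets from a single page load.
function auditSnapshot(scripts) {
  return scripts.filter((s) => classifyScript(s) !== "authorized");
}

// Runtime agent: consumes page events in order and records every script that
// loads outside the inventory together with the user action that preceded it.
function runtimeAudit(events) {
  const findings = [];
  let lastAction = "page-load";
  for (const ev of events) {
    if (ev.type === "user-action") { lastAction = ev.name; continue; }
    if (ev.type !== "script-load") continue;
    const verdict = classifyScript(ev);
    if (verdict !== "authorized") findings.push({ src: ev.src || "(inline)", verdict, after: lastAction });
  }
  return findings;
}

// Constructed session: the initial page load carries only inventoried scripts;
// a third script appears only after the shopper focuses the card-number field.
const PAGE_LOAD_SCRIPTS = [
  { src: "https://shop.example/js/checkout.js?v=42" },
  { src: "https://psp.example/v1/fields.js" },
];
const SESSION_EVENTS = [
  ...PAGE_LOAD_SCRIPTS.map((s) => ({ type: "script-load", ...s })),
  { type: "user-action", name: "focus:card-number" },
  { type: "script-load", src: "https://cdn.unknown.example/t.js" },
];
```

The snapshot audit of the page-load scripts reports nothing, while the runtime audit of the full session flags the late-loading script and the interaction it followed; in a browser the same `runtimeAudit` logic would be fed from a `MutationObserver` on inserted `<script>` nodes rather than from a constructed event list.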

Evaluating vendors

When evaluating vendors for a PCI DSS v4.0 compliance solution, organizations must consider several critical risk factors in addition to general evaluation criteria:

  • Feasibility risk: Purchasing a solution can mitigate feasibility risks, as existing solutions are often ready for deployment. However, selecting the wrong vendor or choosing a solution that does not fit well with the organization's infrastructure can still lead to challenges.

  • Operational risk: Integrating a third-party solution into an organization's existing systems can be complex, especially in larger or more dynamic environments. Achieving comprehensive coverage may require significant adjustments, and maintaining the solution may be challenging as environments evolve.

  • Business risk: Third-party solutions may reduce risks related to audits but introduce other business risks. Organizations need to ensure that the solution is well-documented and meets their auditor's expectations. Vendor dependency is another crucial risk — if a vendor's solution does not evolve in line with changing compliance needs or if vendor support is inadequate, compliance could be jeopardized.

Additional factors to consider during vendor evaluation include:

  • Solution maturity: The maturity of the solution is crucial. Established solutions that have been implemented across different environments are more stable and reliable in meeting compliance requirements.

  • Vendor credibility and support: The quality of support the vendor provides is a major factor. Organizations should evaluate the vendor's track record of providing timely support and effectively addressing issues.

  • Adaptability and roadmap: The vendor's commitment to evolving their solution to meet future compliance changes is essential. Organizations should verify that the vendor has a clear roadmap aligned with upcoming PCI DSS updates and can adapt to new security threats.

Conclusion: Find the right fit for your needs

Meeting PCI DSS requirements 6.4.3 and 11.6.1 requires a thorough understanding of the organization's specific needs and risk profile. Whether building or buying a solution, the key takeaway is: Ask the right questions and perform a comprehensive risk assessment to make informed decisions.

The next steps include consulting with a Qualified Security Assessor (QSA) and exploring available solutions, such as Akamai Client-Side Protection & Compliance. Making well-informed decisions requires careful consideration of the operational feasibility, ongoing maintenance requirements, and business risks tied to each solution path.

With purpose-built PCI DSS v4.0 compliance capabilities, Akamai Client-Side Protection & Compliance can help your organization meet new script security requirements to protect payment card data against web skimming attacks.

For more insights, or to explore how Akamai Client-Side Protection & Compliance can help you meet your compliance needs as the 2025 deadline approaches, reach out to your Akamai team or visit our website.
