PCI DSS v4.0: Meeting Emerging Needs for Script Monitoring and Management
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance payment card account data security and facilitate the broad adoption of consistent data security measures globally.
The Payment Card Industry standards are among the most important compliance regulations for any business that accepts online payments, and they were last updated four years ago. PCI standards were created to protect credit card data from fraud and misuse. The standards apply to any merchant or organization that stores, processes, or transmits cardholder data.
What makes PCI DSS v4.0 so different?
This major revision (v4.0) of the PCI DSS was released in March 2022, and it introduces new standards and recommendations that change the game for customers that want to stay compliant. Those standards involve the need to monitor and manage browser scripts, which are the core capabilities of Akamai Client-Side Protection & Compliance.
PCI DSS v4.0 also adds new requirements for digital commerce providers to build better defenses against JavaScript-based card-skimming attacks, making the client-side security of the checkout and payment page more critical than ever.
Script monitoring becomes a necessity
Although the new requirements are not yet enforced — the deadline is 2025 — monitoring and addressing changes in script behaviors will become a daily requirement, instead of simply being of interest to customers after sporadic Magecart attacks.
Client-Side Protection & Compliance meets the emerging needs for PCI DSS v4.0 compliance, which makes it even more essential for our customers.
The following table outlines some of the upcoming relevant changes and explains how Client-Side Protection & Compliance meets them.
How Client-Side Protection & Compliance helps meet PCI DSS v4.0 compliance
| PCI DSS v4.0 section | Requirement | How Client-Side Protection & Compliance can help |
|---|---|---|
| 6.4.3 | A method is implemented to confirm that each script is authorized. | Client-Side Protection & Compliance provides various options to confirm that each script is authorized by triggering events or using Script Intelligence to monitor specific predefined authorized behaviors. |
| 6.4.3 | A method is implemented to assure the integrity of each script. | Client-Side Protection & Compliance provides various options to confirm each script’s integrity by triggering events or using Script Intelligence to monitor specific predefined authorized behaviors. |
| 6.4.3 | An inventory of all scripts is maintained with written justification as to why each is necessary. | Client-Side Protection & Compliance’s Script Intelligence collects, analyzes, and logs the customer’s scripts inventory by default, and helps customers with the task of “written justification as to why each is necessary.” |
| 11.6 | Unauthorized changes on payment pages are detected and responded to. E-commerce skimming code or techniques cannot be added to payment pages as received by the consumer browser without a timely alert being generated. Anti-skimming measures cannot be removed from payment pages without a prompt alert being generated. | Client-Side Protection & Compliance protects websites from web skimming and Magecart attacks, and provides immediate, actionable alerts that empower security teams to rapidly understand and block script-based threats. |
What should you do now?
Evaluate your existing capabilities to monitor and manage scripts on your sites today. Keep in mind that the requirement will be for ongoing monitoring, not just periodic reviews. Also make sure you have an inventory of the scripts on your site and their roles, so you can build the justification documentation.
Reach out to your Akamai representative or email info@akamai.com to find out more about Client-Side Protection & Compliance and how it can help you meet the new requirements.